SSL/TLS Certificates - Additional Procedures

For reference, see SSL/SSL/TLS Requirements.

If required, this procedure must be completed prior to Nintex RPA server installation. Therefore, you should begin by downloading and installing OpenSSL (if not previously installed).

If you need to change an SSL certificate after installation, contact the support team.

TLS v1.3 is supported.

Install OpenSSL

  1. Download the OpenSSL utility from this location:

    https://slproweb.com/products/Win32OpenSSL.html

    • Version to download: Win64 OpenSSL v1.1.1c Light (select the EXE file option)

  2. Install using the default options provided by the installation package

Manually creating individual certificate files

You can elect to manually prepare the additional certificate files required for Nintex RPA server installation (as opposed to letting the Nintex RPA server installation package do so). To manually prepare the certificate files, follow these steps:

Step 1: Install the *.pfx certificate to the Windows certificate store
  1. Copy the certificate (in *.pfx format) to an easy-to-access location (e.g., Desktop) on the machine on which you will install the Nintex RPA server

  2. Double-click the *.pfx certificate

    The Windows Certificate Import Wizard will open

  3. Select the Local Machine option

  4. Confirm the file to import (the file you clicked on to open the wizard)

  5. Enter the certificate password

  6. Maintain the default Import options settings

  7. Select the Automatically select the certificate store option

  8. Review your settings and click the Finish button

    You will receive a confirmation that the certificate was imported successfully

Step 2: Export the certificate in *.p7b format
  1. From the lower left corner Windows icon, run MMC (Microsoft Management Console) as administrator

    If MMC does not pop up as an option when typing it from the Windows icon, open it instead by typing Run, then entering MMC in the Run dialog.

  2. From the File menu, select Add/Remove Snap-in...

  3. From the Available snap-ins list, select Certificates, and click the Add > button

  4. Select the Computer account option

  5. Select the Local computer option, then click the Finish button

  6. The Certificates snap-in will now appear in the left-hand column of the Add or Remove Snap-ins window under Console Root

  7. Click the OK button to return to the main MMC screen

  8. From the left pane (the folder tree), navigate to Console Root > Certificates (Local Computer) > Personal > Certificates

    A list of certificates will appear in the middle pane.

  9. Right-click on the relevant certificate, select All Tasks > Export...

  10. The Windows Certificate Export Wizard will open

  11. Select the Cryptographic Message Syntax Standard - PKCS #7 Certificates (.P7B) file format

  12. Save the file to an easily-accessible location on the server with the nameca-bundle.p7b

  13. Review your settings and click the Finish button

    The file will be exported to the selected location, and you will receive a confirmation that the certificate was exported successfully

Step 3: Create the file: ca-bundle.pem
  1. From Windows File Explorer, navigate to the folder: C:\Program Files\OpenSSL-Win64\bin\

  2. Run the file openssl.exe as administrator

  3. From the OpenSSL> command prompt, run the following command:

    pkcs7 -in {p7b file location}\ca-bundle.p7b -inform DER -print_certs -out {desired file location}\ca-bundle.pem

    • Example: pkcs7 -in C:\Users\localadmin\Desktop\ca-bundle.p7b -inform DER -print_certs -out C:\Users\localadmin\Desktop\ca-bundle.pem

    You will be returned to the OpenSSL> command prompt, and a file called ca-bundle.pem will be created in the specified location

Step 4: Create a CRT file
  1. From the OpenSSL> command prompt, run the following command:

    pkcs12 -in {pfx file location}\{pfx filename}.pfx -clcerts -nokeys -out {desired file location}\{FQDN_of_RPA_Server}.crt

    • Example: pkcs12 -in C:\Users\localadmin\Desktop\companydomaincom.pfx -clcerts -nokeys -out C:\Users\localadmin\Desktop\RPAServer.companydomain.com.crt

  2. Enter the certificate password when prompted

    You will be returned to the OpenSSL> command prompt, and a file called {FQDN_of_RPA_Server}.crt will be created in the specified location

Step 5: Create a PEM file
  1. From the OpenSSL> command prompt, run the following command:

    pkcs12 -in {pfx file location}\{pfx filename}.pfx -nocerts -out {desired file location}\{FQDN_of_RPA_Server}.pem -nodes

    • Example: pkcs12 -in C:\Users\localadmin\Desktop\companydomaincom.pfx -nocerts -out C:\Users\localadmin\Desktop\RPAServer.companydomain.com.pem -nodes

  2. Enter the certificate password when prompted

    You will be returned to the OpenSSL> command prompt, and a file called {FQDN_of_RPA_Server}.pem will be created in the specified location

Step 6: Create a KEY file
  1. From the OpenSSL> command prompt, run the following command:

    rsa -in {pem file location}\{pem filename}.pem -out {desired file location}\{FQDN_of_RPA_Server}.key

    NOTE: The PEM file referred to in this step is the file created in step #4 above (NOT ca-bundle.pem created in step #2)

    • Example: rsa -in C:\Users\localadmin\Desktop\RPAServer.companydomain.com.pem -out C:\Users\localadmin\Desktop\RPAServer.companydomain.com.key

    You will be returned to the OpenSSL> command prompt, and a file called {FQDN_of_RPA_Server}.key will be created in the specified location

Be sure to keep all the files utilized/created in this section in an easily accessible location until after Nintex RPA server installation. You should also save them to a safe location for backup purposes.

-Take me back to the relevant step in the Nintex RPA Installation Guide-