Warning: This guide outlines a complex procedure and should only be carried out under the guidance of a Kryon support agent. Take a full backup of your system before proceeding.
Info: Instructions are the same for both fixed host and wildcard certificates.
Preparation
Install Your New Certificate
Replace Keycloak Certificates (19.4+ Only)
Replace Thumbprints
Update SSL Certificate Bindings
Clear Cache and Restart Services
Update Console Certificate in IIS (19.1.3 only)
Test Installation
Preparation
- Ensure you have access to the password for the PFX file.
- Close all running instances of Kryon Studio and Kryon Robot.
- Stop all Kryon application server services via the StopAll.bat script located in your Kryon installation directory.
Install Your New Certificate
Remove existing certificate
Open Microsoft Management Console (MMC):
- Open MMC by pressing Win+R, typing in mmc and pressing enter.
- Press CTRL+M to open the Add/Remove Snap-in window.
- Select Certificates in the Available Snap-ins pane.
- Click Add.
- Select Computer Account.
- Click Next.
- Ensure Local Computer is selected.
- Click Finish to return to the Add/Remove Snap-in window.
- Click OK.
- Expand Certificates > Personal > Certificates.
- Locate and right-click your existing certificate.
- Click Delete and confirm all warnings.
Install new certificate
- Ensure your PFX file is located on the application server.
- Double-click the file to begin the Certificate Import Wizard.
- Select Local Machine.
- Click Next.
- Observe that the filepath of your PFX file is already populated in the Filename field.
- Click Next.
- Type in the password for the PFX file.
- Click Next.
- Accept the default setting and click Next.
- Click Finish.
- You should see a message "The import was successful".
- Click OK to close.
- Return to MMC, refresh the view and check that your new certificate is present under Certificates > Personal > Certificates.
- Do not close MMC as it will be needed later in the guide.
Replace Keycloak Certificates (19.4+ Only)
Note: If you are applying this guide to 19.1.3 or lower you may skip this section on Keycloak.
Export P7B file
- With the MMC window still open, right-click the newly-installed certificate and click All Tasks > Export.
- Click Next.
- Confirm that No, do not export the private key is selected, then click Next.
- Select Cryptographic Message Syntax Standard - PKCS #7 Certificates (.P7B).
- Check Include all certificates in the certification path if possible.
- Click Next.
- Click Finish.
- Specify a filepath to save your .P7B file to.
- You should see a message "The export was successful".
- Close the dialog.
Generate ca-bundle.pem
- Open a command prompt and navigate to the bin directory of the OpenSSL installation. This can be found at <InstallationPath>\Support Tools\OpenSSL\bin (e.g. C:\Kryon\Support Tools\OpenSSL\bin).
- Run the following command, inserting the path of the P7B file where indicated.
openssl.exe pkcs7 -in <path to the P7B file> -inform DER -print_certs -out ca-bundle.pem
openssl.exe pkcs7 -in "C:\Users\administrator.TOMO\Downloads\pkcs7.p7b" -inform DER -print_certs -out ca-bundle.pem
Note: If the filepath of your P7B file contains spaces, enclose the path in quotes as shown above.
- Note that there is now a new ca-bundle.pem file in the bin directory of OpenSSL.
Replace ca-bundle.pem in Keycloak
- Overwrite the old ca-bundle.pem file located at <InstallationPath>\IdentityProvider\modules\AeroBase\idp-api\ca-bundle.pem (e.g. C:\Kryon\IdentityProvider\modules\AeroBase\idp-api\ca-bundle.pem) with the new ca-bundle.pem file generated in the previous step.
Generate KEY file
- Run the following OpenSSL command to extract an encrypted KEY file from your PFX file. The first password requested is the password to access the PFX. The second password is the new password you will set to protect the extracted KEY file.
Note: If the filepath of your PFX file contains spaces, enclose the path in quotes as shown above.
openssl pkcs12 -in <path to PFX file> -nocerts -out key-encrypted.key
- Once the key-encrypted.key file is generated it will be placed in the OpenSSL folder. Decrypt it using the following command:
openssl rsa -in <path to key-encrypted.key> -out key-decrypted.key
- The key-decrypted.key file will be located in the OpenSSL folder.
- Delete the encrypted KEY file as it is no longer needed.
Generate CRT file
- Run the following OpenSSL command to extract the CRT file from your PFX file. Enter the PFX password when prompted.
openssl pkcs12 -in <path to pfx file> -clcerts -nokeys -out certificate.crt
- The certificate.crt file will be placed in the OpenSSL folder.
Replace CRT and KEY files in Keycloak
From the previous steps you should have a new decrypted KEY file (key-decrypted.key) and a CRT file (certificate.crt) extracted from your PFX file.
- In Windows Explorer, navigate to <InstallationPath>\IdentityProvider\Aerobase\Configuration\ssl (e.g. C:\Kryon\IdentityProvider\Aerobase\Configuration\ssl).
- Note the filenames of the existing CRT and KEY files in the folder.
- Rename your new CRT and KEY files with the same name.
- Copy and overwrite the existing CRT and KEY files with the new files.
Warning: Do not leave your CRT or decrypted KEY file on the desktop or any other insecure place where others can obtain it.
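The OpenSSL steps in this section are easy to get subtly wrong (a P7B without the chain, or a key that does not belong to the certificate), and the mistake only shows up when Keycloak is restarted. The following PowerShell script is an added example, not Kryon's own tooling: it runs the same openssl commands the guide gives, lets openssl prompt for the passwords interactively exactly as above, then checks that ca-bundle.pem contains a chain, proves that key-decrypted.key matches certificate.crt by comparing their RSA moduli, and restricts the decrypted key's ACL while it sits on disk. The OpenSSL path is the one from the guide; the PFX, P7B and work-folder paths are placeholders, and the PFX is assumed to hold an RSA key (the guide uses openssl rsa).

```powershell
# Added example, not Kryon's own tooling: runs the OpenSSL steps from this
# section and verifies the results before anything is copied into Keycloak.
# Assumptions (adjust to your system): OpenSSL lives under <InstallationPath>
# as described in the guide; the PFX contains an RSA key ("openssl rsa");
# openssl prompts for the passwords interactively, exactly as in the guide.
$OpenSsl = 'C:\Kryon\Support Tools\OpenSSL\bin\openssl.exe'   # path from the guide
$Pfx     = 'C:\certs\newcert.pfx'                               # placeholder
$P7b     = 'C:\certs\pkcs7.p7b'                                 # placeholder (MMC export, DER)
$Work    = 'C:\certs\work'                                      # placeholder scratch folder

function Invoke-OpenSsl {
    # Runs openssl.exe and stops the script if it reports an error.
    param([string[]]$Arguments)
    & $OpenSsl @Arguments
    if ($LASTEXITCODE -ne 0) { throw "openssl $($Arguments -join ' ') failed (exit code $LASTEXITCODE)" }
}

New-Item -ItemType Directory -Force -Path $Work | Out-Null
Push-Location $Work
try {
    # 1. P7B (DER, as exported by MMC) -> PEM bundle that should hold the whole chain
    Invoke-OpenSsl @('pkcs7', '-in', $P7b, '-inform', 'DER', '-print_certs', '-out', 'ca-bundle.pem')
    $chainCount = @(Select-String -Path 'ca-bundle.pem' -Pattern 'BEGIN CERTIFICATE').Count
    if ($chainCount -lt 2) {
        Write-Warning "ca-bundle.pem holds $chainCount certificate(s); the export may not have included the chain."
    }

    # 2. Encrypted key (PFX password, then a new key password), then the decrypted key
    Invoke-OpenSsl @('pkcs12', '-in', $Pfx, '-nocerts', '-out', 'key-encrypted.key')
    Invoke-OpenSsl @('rsa', '-in', 'key-encrypted.key', '-out', 'key-decrypted.key')
    Remove-Item 'key-encrypted.key'                     # no longer needed, as the guide says

    # 3. Leaf certificate only (no chain, no key)
    Invoke-OpenSsl @('pkcs12', '-in', $Pfx, '-clcerts', '-nokeys', '-out', 'certificate.crt')

    # 4. Prove the key belongs to the certificate by comparing the RSA moduli.
    #    A mismatched pair only fails later, when the Keycloak service starts.
    $certModulus = & $OpenSsl x509 -noout -modulus -in certificate.crt
    $keyModulus  = & $OpenSsl rsa  -noout -modulus -in key-decrypted.key
    if (-not $certModulus -or $certModulus -ne $keyModulus) {
        throw 'certificate.crt and key-decrypted.key do not match; do not copy them into Keycloak.'
    }

    # 5. Keep the decrypted key readable by Administrators and SYSTEM only while it is on disk.
    $acl = Get-Acl 'key-decrypted.key'
    $acl.SetAccessRuleProtection($true, $false)        # stop inheriting, drop inherited entries
    foreach ($id in 'BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM') {
        $acl.AddAccessRule([System.Security.AccessControl.FileSystemAccessRule]::new($id, 'FullControl', 'Allow'))
    }
    Set-Acl 'key-decrypted.key' $acl
    Write-Host "Key and certificate match; ca-bundle.pem, certificate.crt and key-decrypted.key are in $Work"
}
finally { Pop-Location }
```

Run it from an elevated PowerShell session; it stops at the first openssl failure or at a modulus mismatch so that nothing broken is copied into the Keycloak ssl folder. Delete the work folder once the files have been copied, for the reason given in the warning above.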
Replace Thumbprints
Extract the thumbprint of the new certificate
- Return to MMC where the Certificates snap-in should still be loaded and opened at Certificates > Personal > Certificates.
- Double-click on the new SSL certificate that was installed earlier.
- Open the Details tab.
- Scroll to the bottom and click on the field called Thumbprint.
- A long hexadecimal string will be shown in the bottom pane, which may or may not be separated by spaces (e.g. e71c96c8b96d307e233fe931acfe61e868d24ce6). Copy this string into Notepad++.
- If there are any spaces in the string, remove them.
- In Notepad++, in the menu bar click Encoding > ANSI.
- If you see any non-alphanumeric characters appear, delete them and leave only the thumbprint characters.

Find the thumbprint of the old certificate
- Open in Notepad++ the file <InstallationPath>\RPA\Kryon Studio Server 64bit\StreamingService\Config\system.servicemodel.behaviors.config (e.g. C:\Kryon\RPA\Kryon Studio Server 64bit\StreamingService\Config\system.servicemodel.behaviors.config).
- Take a note of the existing thumbprint string next to findValue=. In the example below this would be "137a15806c45869c79857df53864ba5fe99630fe" (without quotes).
Example:
findValue="137a15806c45869c79857df53864ba5fe99630fe"
Replace all instances of the old thumbprint with the new thumbprint
- In Notepad++ perform a Find in Files operation, replacing all instances of the old thumbprint with the new one, searching only within the Kryon installation directory and filtering only *.config files.
Note: If you are applying this guide to 19.1.3 or lower, the above replacement procedure is slightly different. You'll need to replace the x509FindType as well as the findValue. The current findValue will be the FQDN (or CN) matching the old certificate (e.g. "prod.customer.com") and the current x509FindType will be "FindBySubjectName". Replace findValue with the thumbprint of the new certificate as above, and replace x509FindType="FindBySubjectName" with x509FindType="FindByThumbprint".
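The thumbprint cleanup and the Find in Files replacement above can be done in one scripted pass, which also guards against the two classic mistakes: a thumbprint that still carries the invisible mark MMC copies along, and a replacement that touches more than intended. The script below is an added example, not a Kryon script. It normalises a pasted thumbprint to 40 lowercase hex digits, confirms that certificate is in LocalMachine\My, reads the current findValue from the behaviors.config file named above, and replaces it in every *.config file under the installation directory, taking a .bak copy of each file it changes. Without -Apply it only reports what it would change. The -Legacy1913 switch covers the 19.1.3 variant from the note: because the old findValue is then a host name that may also appear in URLs, it replaces only findValue="..." and switches x509FindType to FindByThumbprint. $InstallRoot and the two thumbprints are the guide's example values and are assumptions to adjust.

```powershell
# Added example, not Kryon's own script. Does what the Notepad++ steps above do
# by hand, with a dry run by default. Assumptions: $InstallRoot is
# <InstallationPath>; the thumbprint default is the guide's example value.
param(
    [string]$InstallRoot = 'C:\Kryon',
    [string]$PastedThumb = 'e7 1c 96 c8 b9 6d 30 7e 23 3f e9 31 ac fe 61 e8 68 d2 4c e6',
    [switch]$Legacy1913,   # findValue currently holds a subject name (19.1.3 and lower)
    [switch]$Apply         # without it, only report what would change
)
$ErrorActionPreference = 'Stop'

# MMC copies often carry spaces and an invisible U+200E mark; keep the hex digits only.
$new = ($PastedThumb -replace '[^0-9A-Fa-f]', '').ToLowerInvariant()
if ($new.Length -ne 40) { throw "Thumbprint has $($new.Length) hex characters after cleanup; expected 40." }
if (-not (Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -ieq $new })) {
    throw "No certificate with thumbprint $new in LocalMachine\My; import the PFX first."
}

# Read the current findValue from the file the guide points at.
$behaviors = Join-Path $InstallRoot 'RPA\Kryon Studio Server 64bit\StreamingService\Config\system.servicemodel.behaviors.config'
$m = [regex]::Match((Get-Content -LiteralPath $behaviors -Raw), 'findValue="([^"]+)"')
if (-not $m.Success) { throw "No findValue attribute found in $behaviors" }
$old = $m.Groups[1].Value
if ($old -ieq $new) { Write-Host 'findValue already holds the new thumbprint; nothing to do.'; return }

$verb    = if ($Apply) { 'Updated' } else { 'Would update' }
$changed = 0
foreach ($f in Get-ChildItem -LiteralPath $InstallRoot -Recurse -File -Filter *.config) {
    $text = Get-Content -LiteralPath $f.FullName -Raw
    if (-not $text) { continue }
    if ($Legacy1913) {
        # The old value is a host name that may also appear in URLs, so touch only findValue="..."
        $pattern = 'findValue="' + [regex]::Escape($old) + '"'
        $updated = [regex]::Replace($text, $pattern, "findValue=`"$new`"", 'IgnoreCase')
        $updated = $updated -replace 'x509FindType="FindBySubjectName"', 'x509FindType="FindByThumbprint"'
    } else {
        # A 40-hex-digit thumbprint is unambiguous, so replace it wherever it occurs, as the guide says.
        $updated = [regex]::Replace($text, [regex]::Escape($old), $new, 'IgnoreCase')
    }
    if ($updated -eq $text) { continue }
    $changed++
    Write-Host "${verb}: $($f.FullName)"
    if ($Apply) {
        Copy-Item -LiteralPath $f.FullName -Destination ($f.FullName + '.bak') -Force   # per-file backup
        Set-Content -LiteralPath $f.FullName -Value $updated -NoNewline -Encoding UTF8
    }
}
Write-Host "$changed file(s) $(if ($Apply) { 'updated' } else { 'would be updated' }). old=$old new=$new"
```

Run it once without -Apply and compare the list of files against what you expect to see changed (the StreamingService config must be among them); only then run it again with -Apply. The .config files are plain ASCII XML, so rewriting them as UTF-8 does not change their content.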
Update SSL Certificate Bindings
- In a command prompt with administrator rights, run the following command, replacing 8083 with the HTTPS port of your installation. This will unbind your old certificate from the port. (For 19.1.3 the default port is 8080 and you can find your specific port in the appSettings.config file of either Studio or Robot.)
netsh http delete sslcert ipport=0.0.0.0:8083
- Once complete, run this command, replacing <thumbprint> with the thumbprint of the new certificate, and the HTTPS port 8083 with that of your installation. Leave the appid as shown in the command. This will bind your new certificate to the port.
netsh http add sslcert ipport=0.0.0.0:8083 certhash=<thumbprint> appid={00000000-0000-0000-0000-000000000000}
Example:
netsh http add sslcert ipport=0.0.0.0:8083 certhash=e71c96c8b96d307e233fe931acfe61e868d24ce6 appid={00000000-0000-0000-0000-000000000000}
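The two netsh commands above leave a gap: if delete succeeds and add fails (typically because the certificate is in the store without its private key), the port is left with no binding at all. The script below is an added example, not a Kryon script. It parses what netsh http show sslcert reports before and after, checks the certificate is in LocalMachine\My with a private key before removing anything, runs the same delete and add commands, and restores the previous binding (with its original appid) if the add does not take. Port and thumbprint defaults are the guide's example values; the appid for the new binding is the one the guide says to keep.

```powershell
# Added example, not Kryon's own script: re-binds the HTTPS port with a
# before/after check and a rollback. Port and thumbprint are placeholders
# taken from the guide; the appid is the one the guide says to keep.
param(
    [int]$Port        = 8083,
    [string]$NewThumb = 'e71c96c8b96d307e233fe931acfe61e868d24ce6'
)
$ipportArg = "ipport=0.0.0.0:$Port"
$appIdArg  = 'appid={00000000-0000-0000-0000-000000000000}'

function Get-SslBinding([string]$IpPortArg) {
    # Parses "Certificate Hash" and "Application ID" out of "netsh http show sslcert".
    # Both stay $null when nothing is bound (netsh then prints an error and exits non-zero).
    $binding = @{ Hash = $null; AppId = $null }
    foreach ($line in (& netsh http show sslcert $IpPortArg 2>&1 | ForEach-Object { "$_" })) {
        if     ($line -match 'Certificate Hash\s*:\s*([0-9a-fA-F]+)')       { $binding.Hash  = $Matches[1].ToLowerInvariant() }
        elseif ($line -match 'Application ID\s*:\s*(\{[0-9a-fA-F-]+\})')    { $binding.AppId = $Matches[1] }
    }
    return $binding
}

$new = ($NewThumb -replace '[^0-9A-Fa-f]', '').ToLowerInvariant()
if ($new.Length -ne 40) { throw "Expected a 40-character SHA-1 thumbprint, got '$new'" }
if (-not (Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -ieq $new -and $_.HasPrivateKey })) {
    throw "Certificate $new is not in LocalMachine\My with a private key; import the PFX first."
}

$old = Get-SslBinding $ipportArg
if ($old.Hash -eq $new) { Write-Host "Port $Port already serves $new; nothing to do."; return }

if ($old.Hash) {
    & netsh http delete sslcert $ipportArg | Out-Null          # same command as in the guide
    if ($LASTEXITCODE -ne 0) { throw "Could not remove the existing binding on port $Port" }
}
& netsh http add sslcert $ipportArg "certhash=$new" $appIdArg | Out-Null   # same command as in the guide
$rc = $LASTEXITCODE
if ($rc -ne 0 -or (Get-SslBinding $ipportArg).Hash -ne $new) {
    if ($old.Hash) {
        Write-Warning "Adding the new binding failed; restoring $($old.Hash) with $($old.AppId)."
        & netsh http add sslcert $ipportArg "certhash=$($old.Hash)" "appid=$($old.AppId)" | Out-Null
    }
    throw "Rebinding port $Port to $new failed (netsh exit code $rc)."
}
Write-Host "Port $Port now serves certificate $new (previously: $($old.Hash))"
```

Run it from an elevated PowerShell session. The parser relies on the English "Certificate Hash" and "Application ID" labels in netsh output; on a localised Windows build, adjust the two regular expressions to the localised labels.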
Clear Cache and Restart Services
- Clear the Google Chrome cache via Menu (the three dots at the top right) > History > History > Clear Browsing Data.
- Clear the NGINX cache by deleting all folders contained in <InstallationPath>\IdentityProvider\Aerobase\Data\nginx\cache (e.g. C:\Kryon\IdentityProvider\Aerobase\Data\nginx\cache).
- Restart all Kryon services via the StartAll.bat script located at <InstallationPath>\RPA\StartAll.bat (e.g. C:\Kryon\RPA\StartAll.bat).
Update Console Certificate in IIS (19.1.3 only)
If you are on 19.1.3 or lower you also need to update the SSL certificate used for the Console website. In IIS Manager, select the Console website, go into the Bindings section, select the HTTPS binding and choose the new SSL certificate from the dropdown.
Test Installation
- Verify that the SSL replacement procedure was successful by opening Kryon Console, Seq and Keycloak and observing that the lock icon in the address bar indicates a valid certificate.
- Confirm that Kryon Studio and Robot can log in successfully.
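The browser lock icon only tells you that the browser is happy; it does not tell you which certificate a port is actually serving, and a cached page can mask a bad binding. The script below is an added example, not part of the guide. It opens a TLS session to each listed port, takes the certificate the server presents, and checks four things separately: that its thumbprint is the new one, that its chain validates on this machine, that its name covers the host (including a wildcard certificate, which the guide says is handled identically), and that it is within its validity period. The host name, ports and thumbprint are placeholders built from the guide's examples.

```powershell
# Added example, not part of the guide: verifies what each HTTPS endpoint really
# serves after the replacement. Host name, ports and thumbprint are placeholders.
param(
    [string]$ExpectedThumb = 'e71c96c8b96d307e233fe931acfe61e868d24ce6',
    [string]$HostName      = 'prod.customer.com',
    [int[]]$Ports          = @(8083)      # add the Console/Seq/Keycloak ports in use
)

function Get-ServedCertificate([string]$TargetHost, [int]$Port) {
    # Opens a TLS session and returns the leaf certificate the server presented.
    $tcp = [System.Net.Sockets.TcpClient]::new($TargetHost, $Port)
    try {
        # Accept anything during the handshake; every property is checked explicitly below.
        $ssl = [System.Net.Security.SslStream]::new($tcp.GetStream(), $false, { param($s, $c, $chain, $errors) $true })
        $ssl.AuthenticateAsClient($TargetHost)
        return [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($ssl.RemoteCertificate)
    }
    finally { $tcp.Close() }
}

function Test-DnsNameMatch([string]$Pattern, [string]$Name) {
    # "*.example.com" matches exactly one extra leading label; anything else must match exactly.
    if ($Pattern.StartsWith('*.')) {
        $labels = $Name.Split('.')
        return ($labels.Count -ge 3) -and (($labels[1..($labels.Count - 1)] -join '.') -ieq $Pattern.Substring(2))
    }
    return $Pattern -ieq $Name
}

$expected = ($ExpectedThumb -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
$allOk = $true
foreach ($port in $Ports) {
    try {
        $cert  = Get-ServedCertificate $HostName $port
        $names = @($cert.GetNameInfo('DnsName', $false)) + @($cert.DnsNameList | ForEach-Object { $_.Unicode })
        $now   = Get-Date
        $checks = [ordered]@{
            'served thumbprint is the new one' = ($cert.Thumbprint -eq $expected)
            'chain trusted on this machine'    = $cert.Verify()     # includes an online revocation check
            "name covers $HostName"            = [bool]($names | Where-Object { Test-DnsNameMatch $_ $HostName })
            'within validity period'           = ($cert.NotBefore -le $now) -and ($cert.NotAfter -gt $now)
        }
        Write-Host "${HostName}:$port -> $($cert.Subject) [$($cert.Thumbprint)]"
        foreach ($k in $checks.Keys) {
            $mark = if ($checks[$k]) { 'OK  ' } else { $allOk = $false; 'FAIL' }
            Write-Host "  [$mark] $k"
        }
    }
    catch {
        $allOk = $false
        Write-Host "${HostName}:$port -> connection or handshake failed: $($_.Exception.Message)"
    }
}
if (-not $allOk) { exit 1 }
```

Run it from the application server after StartAll.bat has finished. A FAIL on the thumbprint line with the rest passing means a service is still holding the old certificate (or the port was not rebound); a FAIL only on the chain line on a server without internet access usually means the revocation check could not complete rather than a problem with the certificate itself.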