- Overview
- Requirements
- Installation
- Post-installation
- Migration and upgrade
- Upgrading Automation Suite on EKS/AKS
- Step 1: Moving the Identity organization data from standalone to Automation Suite
- Step 2: Restoring the standalone product database
- Step 3: Backing up the platform database in Automation Suite
- Step 4: Merging organizations in Automation Suite
- Step 5: Updating the migrated product connection strings
- Step 6: Migrating standalone Orchestrator
- Step 7: Migrating standalone Insights
- Step 8: Deleting the default tenant
- Performing a single tenant migration
- Migrating from Automation Suite on Linux to Automation Suite on EKS/AKS
- Monitoring and alerting
- Cluster administration
- Product-specific configuration
- Troubleshooting
- How to forward application logs to Splunk
- How to work with certificates
- The backup setup does not work due to a failure to connect to Azure Government
- Pods in the uipath namespace stuck when enabling custom node taints
- Unable to launch Automation Hub and Apps with proxy setup
- Pods cannot communicate with FQDN in a proxy environment
- Test Automation SQL connection string is ignored
- EKS backup failure due to Velero version
Automation Suite on EKS/AKS installation guide
How to work with certificates
openssl commands to validate a chain of certificates (CA, intermediate, and server), and separate or combine certificates.
You can bring certificates as follows:
-
Scenario 1: Three crt/pem files including CA, intermediate, and server certs and a private key.
-
Scenario 2: Two crt/pem files including CA and server certs and a private key.
-
Scenario 3: One pfx file containing all CA/intermediate and server certs and a private key.
The following table describes the used file names:
|
File name |
Description |
|---|---|
|
|
A CA certificate. |
|
|
An intermediate certificate. |
|
|
A certificate containing CA and intermediate certificates. |
|
|
A server certificate. |
|
|
A private key used to generate the
server.crt.
|
|
|
A pfx certificate file containing CA, intermediate, server certificates, and the server private key. |
When you bring three different cert files (CA, intermediate, and server), take the following steps for validation:
-
Combine the CA with the intermediate certs (applicable only for Scenario 1).
cp ca.crt ca-bundle.crt cat intermediate.crt >> ca-bundle.crtcp ca.crt ca-bundle.crt cat intermediate.crt >> ca-bundle.crt -
Check the server cert contains (specifically the
subject alternative namesandvalidityfields.openssl x509 -in server.crt -text -nooutopenssl x509 -in server.crt -text -noout -
Check if the server cert was signed by the CA server.
openssl verify -CAfile ca-bundle.crt server.crtopenssl verify -CAfile ca-bundle.crt server.crtOutput:
server.crt: OKserver.crt: OK -
Check if the server cert was generated by the server private key by comparing the md5 hashes. If the following commands' outputs match, then it validates that the server cert was generated using the private key.
openssl x509 -noout -modulus -in server.crt | openssl md5openssl x509 -noout -modulus -in server.crt | openssl md5Server cert output:
(stdin)= c9b0c5c3fe11b0b09947415236c4a441(stdin)= c9b0c5c3fe11b0b09947415236c4a441openssl rsa -noout -modulus -in server.key | openssl md5openssl rsa -noout -modulus -in server.key | openssl md5Server private key output:
(stdin)= c9b0c5c3fe11b0b09947415236c4a441(stdin)= c9b0c5c3fe11b0b09947415236c4a441
-
Generate the pfx file from the server cert and the private key. Once the following command is run, you are prompted to type a passcode twice. Thepasscode is always required to decrypt the pfx file.
openssl pkcs12 -inkey server.key -in server.crt -export -out server.pfxopenssl pkcs12 -inkey server.key -in server.crt -export -out server.pfxOutput:
Enter Export Password: Verifying - Enter Export Password:Enter Export Password: Verifying - Enter Export Password:
When you bring one certificate in pfx format containing CA, intermediate, server, and private key, you can use the pfx file as an identity token signing certificate, but you must break the pfx file into multiple cert files. The following steps describe how to break the pfx file accordingly.
-
Export the CA certificate (including intermediate if provided in the pfx file):
openssl pkcs12 -in server.pfx -cacerts -nokeys -chain | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > ca.crtopenssl pkcs12 -in server.pfx -cacerts -nokeys -chain | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > ca.crt -
Export the server certificate:
openssl pkcs12 -in server.pfx -clcerts -nokeys | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > server.crtopenssl pkcs12 -in server.pfx -clcerts -nokeys | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > server.crt -
Export the private key:
openssl pkcs12 -in server.pfx -nocerts -nodes | sed -ne '/-BEGIN PRIVATE KEY-/,/-END PRIVATE KEY-/p' > server.keyopenssl pkcs12 -in server.pfx -nocerts -nodes | sed -ne '/-BEGIN PRIVATE KEY-/,/-END PRIVATE KEY-/p' > server.key
