Automation Suite on Linux installation guide

Last updated Apr 29, 2025

How to work with certificates

Description

This section explains how to use openssl commands to validate a chain of certificates (CA, intermediate, and server), and separate or combine certificates.

You can bring certificates as follows:

  • Scenario 1: Three crt/pem files including CA, intermediate, and server certs and a private key.

  • Scenario 2: Two crt/pem files including CA and server certs and a private key.

  • Scenario 3: One pfx file containing all CA/intermediate and server certs and a private key.

The following table describes the file names used:

| File name | Description |
| --- | --- |
| ca.crt | A CA certificate. |
| intermediate.crt | An intermediate certificate. |
| ca-bundle.crt | A certificate containing CA and intermediate certificates. |
| server.crt | A server certificate. |
| server.key | A private key used to generate the server.crt. |
| server.pfx | A pfx certificate file containing CA, intermediate, server certificates, and the server private key. |

Scenario 1 and Scenario 2

When you bring three different cert files (CA, intermediate, and server), take the following steps for validation:

  1. Combine the CA with the intermediate certs (applicable only for Scenario 1).

    cp ca.crt ca-bundle.crt
    cat intermediate.crt >> ca-bundle.crt

  2. Check the contents of the server cert, specifically the subject alternative names and validity fields.

    openssl x509 -in server.crt -text -noout

  3. Check if the server cert was signed by the CA server.

    openssl verify -CAfile ca-bundle.crt server.crt

    Output:

    server.crt: OK

  4. Check that the server cert matches the server private key by comparing the MD5 hashes of their moduli. If the outputs of the following commands match, the server cert was generated using that private key.

    • openssl x509 -noout -modulus -in server.crt | openssl md5

      Server cert output:

      (stdin)= c9b0c5c3fe11b0b09947415236c4a441

    • openssl rsa -noout -modulus -in server.key | openssl md5

      Server private key output:

      (stdin)= c9b0c5c3fe11b0b09947415236c4a441

  5. Generate the pfx file from the server cert and the private key. Once the following command is run, you are prompted to type a passcode twice. The passcode is always required to decrypt the pfx file.

    openssl pkcs12 -inkey server.key -in server.crt -export -out server.pfx

    Output:

    Enter Export Password:
    Verifying - Enter Export Password:
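
The checks from steps 1 to 4 can be scripted as a pre-flight test. The following is an added example, not part of the UiPath guide: the function names, the sample host name suite.example.test, and the 30-day expiry threshold are assumptions, and server.key is assumed to be unencrypted. It compares full public keys instead of MD5 hashes of the RSA modulus, so it also covers EC keys.

```shell
#!/bin/sh
# Added example (not UiPath code): pre-flight checks for Scenario 1/2 files.

# check_certs CA_BUNDLE SERVER_CRT SERVER_KEY [MIN_DAYS]
# Returns 0 only if every check passes; prints one line per failed check.
check_certs() {
  bundle=$1; crt=$2; key=$3; days=${4:-30}; rc=0
  # Chain: same test as step 3, keyed on the "server.crt: OK" output line.
  openssl verify -CAfile "$bundle" "$crt" 2>/dev/null | grep -q ': OK$' ||
    { echo "FAIL: $crt does not chain to $bundle"; rc=1; }
  # Key match: compare the full public keys (RSA or EC, no MD5 involved).
  cert_pub=$(openssl x509 -in "$crt" -noout -pubkey 2>/dev/null)
  key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null)
  { [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]; } ||
    { echo "FAIL: $key does not match $crt"; rc=1; }
  # Fields from step 2: at least one DNS SAN, and not about to expire.
  openssl x509 -in "$crt" -noout -text 2>/dev/null | grep -q 'DNS:' ||
    { echo "FAIL: no DNS subject alternative name"; rc=1; }
  openssl x509 -in "$crt" -noout -checkend $((days * 86400)) >/dev/null 2>&1 ||
    { echo "FAIL: expires within $days days"; rc=1; }
  return $rc
}

# make_sample_chain DIR
# Constructed throwaway PKI (root -> intermediate -> server) for the demo.
make_sample_chain() {
  d=$1; mkdir -p "$d" || return 1
  printf 'basicConstraints=critical,CA:TRUE\n' > "$d/ca.ext"
  printf 'subjectAltName=DNS:suite.example.test\n' > "$d/server.ext"
  for n in ca intermediate server; do
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=sample $n" \
      -keyout "$d/$n.key" -out "$d/$n.csr" 2>/dev/null || return 1
  done
  openssl x509 -req -in "$d/ca.csr" -signkey "$d/ca.key" -days 90 \
    -extfile "$d/ca.ext" -out "$d/ca.crt" 2>/dev/null || return 1
  openssl x509 -req -in "$d/intermediate.csr" -CA "$d/ca.crt" \
    -CAkey "$d/ca.key" -CAcreateserial -days 90 \
    -extfile "$d/ca.ext" -out "$d/intermediate.crt" 2>/dev/null || return 1
  openssl x509 -req -in "$d/server.csr" -CA "$d/intermediate.crt" \
    -CAkey "$d/intermediate.key" -CAcreateserial -days 90 \
    -extfile "$d/server.ext" -out "$d/server.crt" 2>/dev/null || return 1
  cat "$d/ca.crt" "$d/intermediate.crt" > "$d/ca-bundle.crt"  # step 1
}

# Demo on the constructed chain; point check_certs at your own files instead.
demo=$(mktemp -d) && make_sample_chain "$demo" &&
  check_certs "$demo/ca-bundle.crt" "$demo/server.crt" "$demo/server.key" &&
  echo "all checks passed"
```

A bundle that lacks the intermediate certificate, or a key that belongs to a different certificate, makes check_certs return a non-zero status.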

Scenario 3

When you bring one certificate in pfx format containing CA, intermediate, server, and private key, you can use the pfx file as an identity token signing certificate, but you must break the pfx file into multiple cert files. The following steps describe how to break the pfx file accordingly.

  1. Export the CA certificate (including intermediate if provided in the pfx file):

    openssl pkcs12 -in server.pfx -cacerts -nokeys -chain | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > ca.crt

  2. Export the server certificate:

    openssl pkcs12 -in server.pfx -clcerts -nokeys | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > server.crt

  3. Export the private key:

    openssl pkcs12 -in server.pfx -nocerts -nodes | sed -ne '/-BEGIN PRIVATE KEY-/,/-END PRIVATE KEY-/p' > server.key