iOS - Root Certificate Authority
Overview
While connecting to your Orchestrator instance using the Orchestrator app on an iOS mobile device, you may run into an SSL or ATS certification issue.
The procedure below helps you to resolve this issue by installing and trusting the root SSL certificate directly to your iOS mobile device.
Finding the Root Certificate Authority
The first step in fixing the certificate issue is to ensure your iOS mobile device sees the Root Certificate Authority of your Orchestrator instance. This helps your iOS mobile device to correctly identify and import the certificate.
On the machine that hosts your Orchestrator installation:
1. Open Internet Information Services (IIS) Manager.
2. Navigate to Sites > UiPath Orchestrator.
3. On the right side, in the Actions panel, click Bindings.... The Site Bindings window opens.
4. Select your Orchestrator instance binding URL and click Edit.... The Edit Site Binding window opens.
5. The SSL certificate field displays the name of your Orchestrator certificate. For more details about it, click View....
6. Switch to the Details tab. Search for the Issuer and Subject fields. There are two cases:
   - The Issuer and Subject values are the same: The SSL certificate selected at step 5 is your Root Certificate. Continue with Exporting the Root Certificate Authority, as described below.
   - The Issuer and Subject values are different: The SSL certificate selected at step 5 is not your Root Certificate. In this case, continue with the procedure below.
To find the Root Certificate using the Certificate Manager:
1. Open the Run command window, type certmgr.msc, and press OK.
2. Navigate to Trusted Root Certification Authorities > Certificates. Search for the certificate that matches the Issuer from the previous procedure (step 6).
3. Double-click to open the Certificate window.
4. Switch to the Details tab. In the properties list, select Basic Constraints. There are two cases:
   - The bottom panel displays Subject Type=CA: Your Root Certificate Authority is configured correctly. Jump to the section Exporting the Root Certificate Authority.
   - The bottom panel does not display Subject Type=CA: You need to create a new certificate (see below) that includes the Root Certificate Authority, import it to the certificate stores (see below), and set it to your Orchestrator instance (see below).
To create a Root Certificate Authority:
Include -TextExtension @("2.5.29.19={text}cA=true") in the script.
Sample script
If you want to create a Root Certificate Authority that signs a separate certificate, use the script template below:
# Create the self-signed root. The 2.5.29.19 (Basic Constraints) extension with cA=true marks it as a CA.
$rootcert = New-SelfSignedCertificate -certstorelocation cert:\localmachine\my -dnsname ROOT-CA-NAME-HERE -KeySpec KeyExchange -HashAlgorithm "SHA256" -KeyUsage CertSign, CRLSign, DigitalSignature -KeyExportPolicy Exportable -TextExtension @("2.5.29.19={text}cA=true")
# Export the root certificate together with its private key to a password-protected .PFX file.
$rootpwd = ConvertTo-SecureString -String 'PUT-PASSWORD-HERE' -Force -AsPlainText
$rootpath = 'cert:\localMachine\my\' + $rootcert.thumbprint
$rootCA = Export-PfxCertificate -cert $rootpath -FilePath c:\Users\uipath\Desktop\root-cert.pfx -Password $rootpwd
# Create the certificate for the Orchestrator host name, signed by the root created above.
$cert = New-SelfSignedCertificate -certstorelocation cert:\localmachine\my -dnsname DNS-NAME-HERE -KeySpec KeyExchange -HashAlgorithm "SHA256" -Signer $rootcert
# $certpwd is used instead of $pwd, which is PowerShell's automatic current-directory variable.
$certpwd = ConvertTo-SecureString -String 'PUT-PASSWORD-HERE' -Force -AsPlainText
$path = 'cert:\localMachine\my\' + $cert.thumbprint
# Export the signed certificate to a password-protected .PFX file.
Export-PfxCertificate -cert $path -FilePath c:\Users\uipath\Desktop\signed-cert.pfx -Password $certpwd
To import the certificate:
1. Double-click on the .PFX file created by the PowerShell script. The Certificate Import Wizard opens.
2. Select Local Machine and click Next.
3. On the Certificate Store page of the wizard, select Place all certificates in the following store, set the Certificate store to Personal, and click Next.
4. Finish the import.
5. Repeat the steps above, but this time set the Certificate store from step 3 to Trusted Root Certification Authorities.
To set the new certificate to Orchestrator:
After you import the new certificate into both certificate stores, set it to your Orchestrator instance.
1. Open Internet Information Services (IIS) Manager.
2. Navigate to Sites > UiPath Orchestrator.
3. On the right side, in the Actions panel, click Bindings.... The Site Bindings window opens.
4. For each site binding, click Edit.... The Edit Site Binding window opens.
5. From the SSL certificate field, select the new certificate and click OK.
   Important: Make sure to update the certificate for every site binding.
6. After you update all bindings, click Restart from the Actions panel.
Exporting the Root Certificate Authority
With the certificate properly configured, you need to export it to a format that your iOS mobile device recognizes.
1. Open the Run command window, type certmgr.msc, and press OK.
2. Navigate to Trusted Root Certification Authorities > Certificates and search for your Orchestrator certificate.
3. Right-click on it and select All Tasks > Export.... The Certificate Export Wizard opens.
4. Opt for the DER encoded binary X.509 (.CER) export format.
5. Finish the export.
Trusting the Certificate
Send the .CER file to your iOS mobile device. Tapping on the received file starts the certificate download. You are prompted by the following message:
To trust the certificate on your iOS mobile device:
1. Go to Settings > General > Profile. The certificate is displayed under DOWNLOADED PROFILE.
2. Click on the certificate and Install it. This verifies the certificate.
3. Click Done and go back to the General page.
4. Go to About > Certificate Trust Settings. The newly installed certificate is displayed under ENABLE FULL TRUST FOR ROOT CERTIFICATES. If you don't see the certificate, make sure the Basic Constraint certificate property has Subject Type=CA.
5. If the certificate toggle is OFF, set it to ON.
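The Issuer/Subject comparison and the Basic Constraints check from the Certificate Manager steps, which is also the property to re-check when the certificate does not show up under Certificate Trust Settings, can be scripted on the Orchestrator host. This is an added example, not UiPath's own code; the function names are hypothetical, the thumbprint and file path are placeholders, and it assumes the certificates are in the Local Machine stores used by the import steps above.

```powershell
# Added example: scripted form of the manual Issuer/Subject and Subject Type=CA checks.
function Test-RootCaCertificate {
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate
    )
    process {
        # 2.5.29.19 is the Basic Constraints extension, the one the sample script sets to cA=true.
        $raw = $Certificate.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.19' } | Select-Object -First 1
        $isCa = $false
        if ($raw) {
            $bc = [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension]::new($raw, $raw.Critical)
            $isCa = $bc.CertificateAuthority
        }
        # Compare the encoded names rather than their display strings.
        $selfIssued = [Convert]::ToBase64String($Certificate.SubjectName.RawData) -ceq
                      [Convert]::ToBase64String($Certificate.IssuerName.RawData)
        [pscustomobject]@{
            Subject       = $Certificate.Subject
            Issuer        = $Certificate.Issuer
            Thumbprint    = $Certificate.Thumbprint
            SelfIssued    = $selfIssued            # Issuer and Subject are the same
            SubjectTypeCA = $isCa                  # what the Details tab shows as Subject Type=CA
            UsableAsRoot  = $selfIssued -and $isCa # both are needed for the iOS trust toggle to appear
        }
    }
}

function Find-OrchestratorRoot {
    param([Parameter(Mandatory)][string]$Thumbprint)  # thumbprint of the certificate selected in the IIS binding
    $cert = Get-Item -Path "Cert:\LocalMachine\My\$Thumbprint" -ErrorAction Stop
    $check = Test-RootCaCertificate -Certificate $cert
    if ($check.SelfIssued) { return $check }
    # Issuer differs from Subject: look the issuer up in Trusted Root Certification Authorities.
    $roots = Get-ChildItem -Path Cert:\LocalMachine\Root | Where-Object { $_.Subject -eq $cert.Issuer }
    if (-not $roots) { Write-Warning "No trusted root found with subject '$($cert.Issuer)'." }
    $roots | Test-RootCaCertificate
}

# Usage (placeholders, replace with your own values):
# Find-OrchestratorRoot -Thumbprint '<THUMBPRINT-OF-IIS-BINDING-CERTIFICATE>'
# Test-RootCaCertificate -Certificate ([System.Security.Cryptography.X509Certificates.X509Certificate2]::new('<PATH-TO-EXPORTED-FILE>.cer'))
```

A result with UsableAsRoot set to False means the certificate should be recreated with the Basic Constraints extension before it is exported to the device.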