Generate an SSL Certificate

You need an SSL certificate for the Blue Prism Decision container. Depending on your infrastructure and IT organization security requirements, this could be an internally created SSL certificate or a purchased certificate.

The Blue Prism Decision container requires a server certificate and a client certificate, each with its own private key, so that the connection between the Decision plugin in Hub and the Decision container is encrypted and both ends can authenticate each other: the container presents server.crt to the plugin, the plugin presents client.crt to the container, and each side validates the certificate it receives against ca.crt.

Self-signed certificates (that is, certificates issued by a private CA that you create yourself) can be used, but are only recommended for POC \ POV \ Dev environments. For production environments, use certificates issued by your organization's approved certificate authority, and check the requirements with your IT Security team first. Whichever route you take, you need the following files:

  • server.crt – the server certificate, issued to the FQDN of the Decision container
  • server.key – the server private key, stored without a passphrase so the container can load it unattended
  • ca.crt – the CA certificate that issued both server.crt and client.crt
  • client.crt – the client certificate presented by the Decision plugin in Hub
  • client.key, or a client.pfx containing client.crt together with its private key – the client private key, which is imported into the Windows certificate store on the Hub server in step 4 below

Self-signed certificate

For POC \ POV \ Dev environments, you can create the certificates using the following process. This process requires OpenSSL to be installed. The generation script is given for both Windows (PowerShell) and Linux (Bash); steps 4 and 5 apply to the Windows server that runs Hub.

  1. If you do not already have it, install OpenSSL.

  2. Create a folder where you will run the script (in the next step) so that the output is generated in a single place.
  3. In the folder you created, run the script for the host operating system. The script prompts for the following values:

    Enter certificate password – Replace with the passphrase used to protect the private keys while they are being generated and to protect client.pfx. The script strips it from server.key and client.key at the end, so those two files must be handled as secrets.

    Enter CN for client certificate – Replace with a common name for the client certificate, for example, client.decision.blueprism.com.

    Enter CA – Replace with the Certificate Authority common name, for example, decisionCA.

    Enter CN for server certificate – Replace with a common name for the server certificate. This must match the fully-qualified domain name (FQDN) by which the Decision plugin reaches the Decision container, for example, decision.blueprism.com. Or, if the container is on the same server as Hub, use, for example, decision.local. The scripts put this name only in the certificate's CN and do not add a subjectAltName, so if the plugin's TLS stack refuses to match a hostname against the CN, reissue the server certificate with a SAN (DNS:) entry for the FQDN.

    Script for creating certificates in Windows

    Run PowerShell as an administrator and use the following script:

    $cred = Get-Credential -UserName 'Enter certificate password' -Message 'Enter certificate password'
    $mypwd = $cred.GetNetworkCredential().password
    $clientCN = Read-Host "Enter CN for client certificate"
    $CA = Read-Host "Enter CA"
    $serverCN = Read-Host "Enter CN for server certificate"

    Write-Host "Generate CA key:"
    openssl genrsa -passout pass:$mypwd -des3 -out ca.key 4096

    Write-Host "Generate CA certificate:"
    $CASubject = "/CN=" + $CA
    openssl req -passin pass:$mypwd -new -x509 -days 365 -key ca.key -out ca.crt -subj $CASubject

    Write-Host "Generate server key:"
    openssl genrsa -passout pass:$mypwd -des3 -out server.key 4096

    Write-Host "Generate server signing request:"
    $serverSubject = "/CN=" + $serverCN
    openssl req -passin pass:$mypwd -new -key server.key -out server.csr -subj $serverSubject

    Write-Host "Sign server certificate with the CA:"
    openssl x509 -req -passin pass:$mypwd -days 365 -in server.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out server.crt

    Write-Host "Remove passphrase from server key (the container must load it unattended):"
    openssl rsa -passin pass:$mypwd -in server.key -out server.key

    Write-Host "Generate client key:"
    openssl genrsa -passout pass:$mypwd -des3 -out client.key 4096

    Write-Host "Generate client signing request:"
    $clientSubject = "/CN=" + $clientCN
    openssl req -passin pass:$mypwd -new -key client.key -out client.csr -subj $clientSubject

    Write-Host "Sign client certificate with the CA:"
    # Serial numbers must be unique per issuing CA, so the client certificate gets 02, not 01 again.
    openssl x509 -req -passin pass:$mypwd -days 365 -in client.csr -CA ca.crt -CAkey ca.key -set_serial 02 -out client.crt

    Write-Host "Remove passphrase from client key:"
    openssl rsa -passin pass:$mypwd -in client.key -out client.key

    Write-Host "Generate pfx from client key and certificate (protected with the same password):"
    openssl pkcs12 -export -password pass:$mypwd -out client.pfx -inkey client.key -in client.crt

    The certificates are generated in the folder you created.

    Script for creating certificates in Linux

    Run the following Bash script:

    #!/bin/bash
    set -e

    read -r -s -p 'Enter certificate password: ' CER_PWD
    echo ""
    read -r -p 'Enter CN for client certificate: ' CLIENT_CN
    read -r -p 'Enter CA: ' CA
    read -r -p 'Enter CN for server certificate: ' SERVER_CN

    echo "Generate CA key:"
    openssl genrsa -passout "pass:$CER_PWD" -des3 -out ca.key 4096

    echo "Generate CA certificate:"
    CA_SUBJECT="/CN=${CA}"
    openssl req -passin "pass:$CER_PWD" -new -x509 -days 365 -key ca.key -out ca.crt -subj "$CA_SUBJECT"

    echo "Generate server key:"
    openssl genrsa -passout "pass:$CER_PWD" -des3 -out server.key 4096

    echo "Generate server signing request:"
    SERVER_SUBJECT="/CN=${SERVER_CN}"
    openssl req -passin "pass:$CER_PWD" -new -key server.key -out server.csr -subj "$SERVER_SUBJECT"

    echo "Sign server certificate with the CA:"
    openssl x509 -req -passin "pass:$CER_PWD" -days 365 -in server.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out server.crt

    echo "Remove passphrase from server key (the container must load it unattended):"
    openssl rsa -passin "pass:$CER_PWD" -in server.key -out server.key

    echo "Generate client key:"
    openssl genrsa -passout "pass:$CER_PWD" -des3 -out client.key 4096

    echo "Generate client signing request:"
    CLIENT_SUBJECT="/CN=${CLIENT_CN}"
    openssl req -passin "pass:$CER_PWD" -new -key client.key -out client.csr -subj "$CLIENT_SUBJECT"

    echo "Sign client certificate with the CA:"
    # Serial numbers must be unique per issuing CA, so the client certificate gets 02, not 01 again.
    openssl x509 -req -passin "pass:$CER_PWD" -days 365 -in client.csr -CA ca.crt -CAkey ca.key -set_serial 02 -out client.crt

    echo "Remove passphrase from client key:"
    openssl rsa -passin "pass:$CER_PWD" -in client.key -out client.key

    echo "Generate pfx from client key and certificate (protected with the same password):"
    openssl pkcs12 -export -password "pass:$CER_PWD" -out client.pfx -inkey client.key -in client.crt

    The certificates are generated in the folder you created.
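Before copying the files anywhere, it is worth confirming that the generation step produced what the plugin and the container will actually accept. The following PowerShell script is an added example, not part of the Blue Prism documentation or its scripts. It assumes it is run in the output folder with the OpenSSL CLI on PATH, that the FQDN you enter is the server CN used above, and that the password you enter is the certificate password used above; the `Invoke-OpenSsl` helper and the prompts are this example's own. The `openssl` commands in it behave the same on Linux.

```powershell
# Added example; not part of the Blue Prism documentation or its scripts.
# Run in the folder that holds the generated files, with the OpenSSL CLI on PATH.
$serverFqdn = Read-Host "Enter the Decision container FQDN (the server CN you entered)"
$here = (Get-Location).Path

function Invoke-OpenSsl {
    # Run the OpenSSL CLI and turn a non-zero exit code into a terminating error.
    param([string[]]$Arguments)
    $out = & openssl @Arguments
    if ($LASTEXITCODE -ne 0) { throw "openssl $($Arguments -join ' ') failed (exit $LASTEXITCODE)" }
    return ($out | Out-String).Trim()
}

# 1. Every file the container and Hub need must exist.
foreach ($f in 'ca.crt', 'server.crt', 'server.key', 'client.crt', 'client.key', 'client.pfx') {
    if (-not (Test-Path -LiteralPath (Join-Path $here $f))) { throw "Missing $f; re-run the generation script." }
}

# 2. Both leaf certificates must chain to ca.crt: this is what the plugin checks
#    on server.crt and what the container checks on client.crt.
Invoke-OpenSsl @('verify', '-CAfile', 'ca.crt', 'server.crt') | Write-Host
Invoke-OpenSsl @('verify', '-CAfile', 'ca.crt', 'client.crt') | Write-Host

# 3. Each private key must belong to its certificate (same RSA modulus). This
#    also proves the passphrase was removed: an encrypted key would prompt here.
foreach ($name in 'server', 'client') {
    $certMod = Invoke-OpenSsl @('x509', '-in', "$name.crt", '-noout', '-modulus')
    $keyMod  = Invoke-OpenSsl @('rsa',  '-in', "$name.key", '-noout', '-modulus')
    if ($certMod -ne $keyMod) { throw "$name.key does not match $name.crt" }
}

# 4. Inspect the leaf certificates with .NET: hostname, SAN, validity, serials.
$server = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (Join-Path $here 'server.crt')
$client = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (Join-Path $here 'client.crt')

# GetNameInfo returns the DNS name from the SAN when present, otherwise the CN.
$dnsName = $server.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::DnsName, $false)
if ($dnsName -ne $serverFqdn) {
    throw "server.crt is issued to '$dnsName' but the container FQDN is '$serverFqdn'"
}
if (-not ($server.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' })) {
    Write-Warning "server.crt has no subjectAltName; TLS clients that ignore the CN will reject it."
}
if ($server.NotAfter -lt (Get-Date).AddDays(30)) {
    Write-Warning "server.crt expires on $($server.NotAfter); plan the renewal."
}
# RFC 5280 requires serial numbers to be unique per issuer. Passing -set_serial 01
# to both 'openssl x509 -req' calls gives both certificates the same serial.
if ($server.SerialNumber -eq $client.SerialNumber) {
    Write-Warning "server.crt and client.crt share serial $($server.SerialNumber); reissue the client certificate with a different -set_serial."
}

# 5. client.pfx must open with the password and carry the client private key.
$pfxPwd = Read-Host -AsSecureString "Enter the certificate password (to open client.pfx)"
$pfx = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (Join-Path $here 'client.pfx'), $pfxPwd
if (-not $pfx.HasPrivateKey) { throw "client.pfx does not contain the client private key" }
if ($pfx.Thumbprint -ne $client.Thumbprint) { throw "client.pfx does not match client.crt" }

Write-Host "Checks passed: $($server.Subject) (serial $($server.SerialNumber)) valid until $($server.NotAfter)"
```

The chain check is deliberately done with `openssl verify` against ca.crt alone rather than with the Windows certificate store, so it reflects what a peer that trusts only ca.crt will decide, independent of whatever else the machine already trusts.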

  4. Import the client certificate (with its private key) into the local machine's Personal store, and add the CA certificate to the Trusted Root Certification Authorities store, by running the following scripts in the folder that holds the files:

    $scriptPath = (Get-Item .).FullName
    $crt = "$($scriptPath)\client.pfx"
    $mypwd = Get-Credential -UserName 'Enter password' -Message 'Enter password'
    Import-PfxCertificate -FilePath $crt -CertStoreLocation Cert:\LocalMachine\My -Password $mypwd.Password

    $scriptPath = (Get-Item .).FullName
    $crt = "$($scriptPath)\ca.crt"
    Import-Certificate -FilePath $crt -CertStoreLocation Cert:\LocalMachine\Root

  5. Grant the IIS worker process group read access to the client certificate's private key, so the Hub application pool can present the certificate:

    1. Open Manage Computer Certificates, and locate the client certificate.
    2. Right-click the certificate, select All Tasks, and then Manage Private Keys....
    3. Add IIS_IUSRS with the Read permission.
    4. Click Apply.
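Steps 4 and 5 can also be done without the Manage Computer Certificates console. The following PowerShell script is an added example, not Blue Prism's own script: it imports ca.crt and client.pfx as in step 4, locates the file that holds the imported private key, and grants IIS_IUSRS the same Read permission that step 5 sets in the GUI. It assumes it is run as an administrator in the folder that holds the files and that the key lands in one of the two standard Windows machine key folders (CAPI keys under Crypto\RSA\MachineKeys, CNG keys under Crypto\Keys); the folder paths and the `$keyFile` logic are this example's assumptions.

```powershell
# Added example; not part of the Blue Prism documentation or its scripts.
# Scripted equivalent of steps 4 and 5. Run as administrator in the folder that
# holds ca.crt and client.pfx.
$ErrorActionPreference = 'Stop'
$here = (Get-Location).Path

# Step 4: CA certificate into Trusted Root, client certificate + key into Personal.
Import-Certificate -FilePath (Join-Path $here 'ca.crt') -CertStoreLocation Cert:\LocalMachine\Root | Out-Null
$pfxPwd = Read-Host -AsSecureString 'Enter certificate password (client.pfx)'
$client = Import-PfxCertificate -FilePath (Join-Path $here 'client.pfx') `
    -CertStoreLocation Cert:\LocalMachine\My -Password $pfxPwd
if (-not $client.HasPrivateKey) { throw 'client.pfx imported without a private key' }

# Step 5: find the on-disk private key file for this certificate. Which folder
# applies depends on whether the PFX imported as a CAPI or a CNG key (assumed
# standard locations for machine-scoped software keys).
$rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($client)
if ($rsa -is [System.Security.Cryptography.RSACng]) {
    $keyFile = Join-Path "$env:ProgramData\Microsoft\Crypto\Keys" $rsa.Key.UniqueName
} elseif ($rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
    $keyFile = Join-Path "$env:ProgramData\Microsoft\Crypto\RSA\MachineKeys" $rsa.CspKeyContainerInfo.UniqueKeyContainerName
} else {
    throw "Unexpected private key type $($rsa.GetType().FullName)"
}
if (-not (Test-Path -LiteralPath $keyFile)) { throw "Key file not found: $keyFile" }

# Grant IIS_IUSRS Read only, never Full Control: the app pool needs to use the
# key, not export or replace it.
$acl  = Get-Acl -LiteralPath $keyFile
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList 'IIS_IUSRS', 'Read', 'Allow'
$acl.AddAccessRule($rule)
Set-Acl -LiteralPath $keyFile -AclObject $acl

# Show what was done so it can be compared with Manage Computer Certificates.
$client | Select-Object Subject, Thumbprint, NotAfter, HasPrivateKey
(Get-Acl -LiteralPath $keyFile).Access |
    Where-Object { $_.IdentityReference -like '*IIS_IUSRS' } |
    Select-Object IdentityReference, FileSystemRights
```

If the final listing does not show an IIS_IUSRS entry with Read, the key was stored somewhere other than the two assumed folders; in that case use the Manage Private Keys dialog described in step 5, which operates on the same file.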

If you are using different machines to host the Blue Prism Decision Model Service container and Blue Prism Hub, you will need to ensure that:

  • The Decision Model Service container host has the following files:
    • server.crt
    • server.key
    • ca.crt
  • The server running Blue Prism Hub has the following files:
    • client.crt
    • ca.crt
    • client.pfx (client.crt with its private key), which is what steps 4 and 5 import and grant access to

Copy only these files to each host: server.key is the container's secret and does not belong on the Hub server, and ca.key is needed only to issue certificates and should not be copied to either host.