Generate an SSL Certificate

You need an SSL certificate for the Blue Prism Decision Model Service. Depending on your infrastructure and IT organization security requirements, this could be an internally created SSL certificate or a purchased certificate.

The Blue Prism Decision Model Service requires a server certificate and key (presented by the Decision Model Service) and a client certificate and key (presented by the Decision plugin in Hub), both signed by a certificate authority (CA) that each side trusts. Because both ends present a certificate, the connection is mutually authenticated as well as encrypted: Hub verifies that it is talking to the genuine Decision Model Service, and the service accepts only a client that holds the client certificate.

Self-signed certificates can be used but are only recommended for POC \ POV \ Dev environments. For production environments, use certificates issued by your organization's approved certificate authority. Contact your IT Security team to check their requirements. Note that a CA issues certificates; the private keys (server.key and client.key) are generated on your own systems and are never handed to anyone, so the CA signs your certificate signing requests rather than providing keys. Whether you generate them with the scripts below or obtain them through your CA, you need the following files:

  • server.crt
  • server.key
  • ca.crt
  • client.crt
  • client.key (the scripts below also package it with client.crt as client.pfx, which is what step 4 imports on Windows)

Self-signed certificate

For POC \ POV \ Dev environments, you can create the certificates using the following process. This process requires OpenSSL to be installed. These instructions are for a Windows Server. If you are using Linux, make the necessary adjustments. Both scripts create a private certificate authority (ca.key, protected by the passphrase you enter, and ca.crt) and use it to sign one server certificate and one client certificate. They then strip the passphrase from server.key and client.key so that the services can load them unattended, so run the scripts in a folder that only administrators can read, and delete any copies of the files you no longer need once they are installed.

  1. If you do not already have it, install OpenSSL.

    If you are running OpenSSL on Windows, you need to add the location where OpenSSL is installed to the Path environment variable. For more information, see Troubleshooting the installation.

  2. Create a folder where you will run the script (in the next step) so that the output is generated in a single place.
  3. In the folder you created, run the script for the host operating system. Each script starts by prompting for the following values:

    Enter certificate password – Replace with a passphrase that protects the private keys while they are generated. The same passphrase protects ca.key afterwards and is the password of client.pfx, which step 4 asks for.

    Enter CN for client certificate – Replace with a common name for the client certificate, for example, client.decision.blueprism.com.

    Enter CA – Replace with the Certificate Authority common name, for example, decisionCA.

    Enter CN for server certificate – Replace with a common name for the server certificate. This must match the fully-qualified domain name (FQDN) that Hub uses to reach the Decision Model Service, for example, decision.blueprism.com. Or, if the Model Service is on the same server as Hub, use, for example, decision.local.

    Script for creating certificates in Windows

    Run PowerShell as an administrator and use the following script:

    $cred = Get-Credential -UserName 'Enter certificate password' -Message 'Enter certificate password'
    $mypwd = $cred.GetNetworkCredential().password
    $clientCN = Read-Host "Enter CN for client certificate"
    $CA = Read-Host "Enter CA"
    $serverCN = Read-Host "Enter CN for server certificate"

    # Note: pass:<password> puts the passphrase on the OpenSSL command line, where anyone
    # who can list processes on this machine can read it while the script runs.

    echo "Generate CA key:"
    openssl genrsa -passout "pass:$mypwd" -des3 -out ca.key 4096

    echo "Generate CA certificate:"
    $CASubject = "/CN=" + $CA
    openssl req -passin "pass:$mypwd" -new -x509 -days 365 -key ca.key -out ca.crt -subj $CASubject

    echo "Generate server key:"
    openssl genrsa -passout "pass:$mypwd" -des3 -out server.key 4096

    echo "Generate server signing request:"
    $serverSubject = "/CN=" + $serverCN
    openssl req -passin "pass:$mypwd" -new -key server.key -out server.csr -subj $serverSubject

    echo "Sign server certificate with the CA (serial 01):"
    openssl x509 -req -passin "pass:$mypwd" -days 365 -in server.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out server.crt

    echo "Remove passphrase from server key:"
    openssl rsa -passin "pass:$mypwd" -in server.key -out server.key

    echo "Generate client key:"
    openssl genrsa -passout "pass:$mypwd" -des3 -out client.key 4096

    echo "Generate client signing request:"
    $clientSubject = "/CN=" + $clientCN
    openssl req -passin "pass:$mypwd" -new -key client.key -out client.csr -subj $clientSubject

    # Every certificate issued by one CA must carry a distinct serial number, so the
    # client certificate gets serial 02 rather than reusing the server's 01.
    echo "Sign client certificate with the CA (serial 02):"
    openssl x509 -passin "pass:$mypwd" -req -days 365 -in client.csr -CA ca.crt -CAkey ca.key -set_serial 02 -out client.crt

    echo "Remove passphrase from client key:"
    openssl rsa -passin "pass:$mypwd" -in client.key -out client.key

    echo "Generate pfx from client key:"
    openssl pkcs12 -export -password "pass:$mypwd" -out client.pfx -inkey client.key -in client.crt

    The certificates, keys and client.pfx are generated in the folder you created.

    To watch the Decision certificate generation process, see our Blue Prism Decision Model Service installation video.

    Script for creating certificates in Linux

    Run the following Bash script:

    #!/bin/bash
    # Runs under bash (read -s -p is not POSIX sh). Stops at the first failing command.
    set -e
    # Private keys are written with owner-only permissions.
    umask 077

    read -r -s -p 'Enter certificate password: ' CER_PWD
    echo ""
    read -r -p 'Enter CN for client certificate: ' CLIENT_CN
    read -r -p 'Enter CA: ' CA
    read -r -p 'Enter CN for server certificate: ' SERVER_CN

    # Note: pass:<password> puts the passphrase on the OpenSSL command line, where any
    # local user who can list processes can read it while the script runs.

    echo "Generate CA key:"
    openssl genrsa -passout "pass:$CER_PWD" -des3 -out ca.key 4096

    echo "Generate CA certificate:"
    CA_SUBJECT="/CN=${CA}"
    openssl req -passin "pass:$CER_PWD" -new -x509 -days 365 -key ca.key -out ca.crt -subj "$CA_SUBJECT"

    echo "Generate server key:"
    openssl genrsa -passout "pass:$CER_PWD" -des3 -out server.key 4096

    echo "Generate server signing request:"
    SERVER_SUBJECT="/CN=${SERVER_CN}"
    openssl req -passin "pass:$CER_PWD" -new -key server.key -out server.csr -subj "$SERVER_SUBJECT"

    echo "Sign server certificate with the CA (serial 01):"
    openssl x509 -req -passin "pass:$CER_PWD" -days 365 -in server.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out server.crt

    echo "Remove passphrase from server key:"
    openssl rsa -passin "pass:$CER_PWD" -in server.key -out server.key

    echo "Generate client key:"
    openssl genrsa -passout "pass:$CER_PWD" -des3 -out client.key 4096

    echo "Generate client signing request:"
    CLIENT_SUBJECT="/CN=${CLIENT_CN}"
    openssl req -passin "pass:$CER_PWD" -new -key client.key -out client.csr -subj "$CLIENT_SUBJECT"

    # Every certificate issued by one CA must carry a distinct serial number, so the
    # client certificate gets serial 02 rather than reusing the server's 01.
    echo "Sign client certificate with the CA (serial 02):"
    openssl x509 -passin "pass:$CER_PWD" -req -days 365 -in client.csr -CA ca.crt -CAkey ca.key -set_serial 02 -out client.crt

    echo "Remove passphrase from client key:"
    openssl rsa -passin "pass:$CER_PWD" -in client.key -out client.key

    echo "Generate pfx from client key:"
    openssl pkcs12 -export -password "pass:$CER_PWD" -out client.pfx -inkey client.key -in client.crt

    The certificates, keys and client.pfx are generated in the folder you created.

    To watch the Decision certificate generation process, see our Blue Prism Decision Model Service installation video.

  4. If you are using a Windows server, import the certificates into the local machine's certificate stores by running the following two scripts from the folder that contains the generated files. The first imports client.pfx (the client certificate with its private key) into the Personal store and prompts for the password you entered in step 3. The second imports ca.crt into the Trusted Root Certification Authorities store, so that every certificate signed by this CA, including server.crt and client.crt, is trusted by the machine. Trusting a CA you generated yourself machine-wide is one of the reasons this process is only suitable for non-production environments: anyone holding ca.key and its passphrase can issue certificates that this machine will accept.

    # Import the client certificate and its private key into the machine's Personal store.
    $scriptPath = (Get-Item .).FullName
    $crt = "$($scriptPath)\client.pfx"
    $mypwd = Get-Credential -UserName 'Enter password' -Message 'Enter password'
    Import-PfxCertificate -FilePath $crt -CertStoreLocation Cert:\LocalMachine\My -Password $mypwd.Password

    # Import the CA certificate into the machine's Trusted Root Certification Authorities store.
    $scriptPath = (Get-Item .).FullName
    $crt = "$($scriptPath)\ca.crt"
    Import-Certificate -FilePath $crt -CertStoreLocation Cert:\LocalMachine\Root

If you are using different machines to host the Blue Prism Decision Model Service and Blue Prism Hub, copy only the files each host needs. ca.key is not needed on either host and should stay where it was generated:

  • The Decision Model Service host has the following files:
    • server.crt
    • server.key
    • ca.crt
  • The server running Blue Prism Hub has the following files:
    • client.crt, together with its private key (client.key, or the client.pfx bundle imported in step 4)
    • ca.crt
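Before copying the files to the hosts listed above, check that they fit together. The following Bash script is an added example for this page, not Blue Prism's script. It generates the same set of files non-interactively and goes beyond the scripts above in a few ways: the server FQDN is also placed in a subjectAltName, each certificate gets its own serial number, serverAuth and clientAuth key usages are set, and the CA passphrase is read from an environment variable instead of being passed on the command line. It then runs the checks a practitioner would want before installing the files (chain validity, key/certificate match, name coverage, distinct serials, clientAuth usage, and that server.key loads without a passphrase) and includes a loopback mutual-TLS handshake with openssl s_server and s_client, which is what the Model Service will require of Hub. The function names, the DECISION_* variables, the certs.cnf file and the example hostnames are assumptions of this example.

```bash
#!/bin/bash
# Added example, not Blue Prism's script. Function names, DECISION_* variables
# and the file layout are this example's own assumptions.
set -eu

# make_decision_certs OUTDIR SERVER_FQDN [CLIENT_CN] [CA_CN]
# ca.key is AES-256 encrypted with the passphrase in $DECISION_CA_PASS (read via
# env:, so it never appears on a command line). server.key and client.key are
# written unencrypted, as the page's scripts end up doing, with 0600 permissions.
make_decision_certs() {
  local dir="$1" server_cn="$2" client_cn="${3:-client.$2}" ca_cn="${4:-decisionCA}"
  local bits="${DECISION_KEY_BITS:-4096}" days="${DECISION_CERT_DAYS:-365}"
  : "${DECISION_CA_PASS:?export DECISION_CA_PASS with the CA key passphrase}"
  mkdir -p "$dir"
  ( cd "$dir" && umask 077
    cat > certs.cnf <<EOF
[req]
distinguished_name = dn
prompt = no
x509_extensions = v3_ca
[dn]
CN = $ca_cn
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[v3_server]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$server_cn
[v3_client]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature
extendedKeyUsage = clientAuth
EOF
    openssl genrsa -aes256 -passout env:DECISION_CA_PASS -out ca.key "$bits" 2>/dev/null
    openssl req -new -x509 -config certs.cnf -key ca.key -passin env:DECISION_CA_PASS \
      -days "$days" -out ca.crt
    # Server certificate: FQDN in the SAN (modern clients ignore the CN), serial 1.
    openssl genrsa -out server.key "$bits" 2>/dev/null
    openssl req -new -config certs.cnf -key server.key -subj "/CN=$server_cn" -out server.csr
    openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -passin env:DECISION_CA_PASS \
      -set_serial 1 -days "$days" -extfile certs.cnf -extensions v3_server -out server.crt 2>/dev/null
    # Client certificate: clientAuth EKU, serial 2 (one CA must never reuse a serial).
    openssl genrsa -out client.key "$bits" 2>/dev/null
    openssl req -new -config certs.cnf -key client.key -subj "/CN=$client_cn" -out client.csr
    openssl x509 -req -in client.csr -CA ca.crt -CAkey ca.key -passin env:DECISION_CA_PASS \
      -set_serial 2 -days "$days" -extfile certs.cnf -extensions v3_client -out client.crt 2>/dev/null
    # PFX (key + certificate + CA) for Import-PfxCertificate on the Hub host.
    openssl pkcs12 -export -passout env:DECISION_CA_PASS -inkey client.key -in client.crt \
      -certfile ca.crt -out client.pfx
    rm -f server.csr client.csr )
}

# verify_decision_certs DIR SERVER_FQDN: returns 1 at the first check that fails.
verify_decision_certs() {
  local d="$1" fqdn="$2"
  openssl verify -CAfile "$d/ca.crt" "$d/server.crt" "$d/client.crt" >/dev/null 2>&1 \
    || { echo "FAIL: server.crt/client.crt do not chain to ca.crt" >&2; return 1; }
  openssl x509 -noout -checkhost "$fqdn" -in "$d/server.crt" | grep -q 'does match' \
    || { echo "FAIL: server.crt does not cover $fqdn" >&2; return 1; }
  [ "$(openssl x509 -noout -pubkey -in "$d/server.crt")" = "$(openssl pkey -pubout -in "$d/server.key")" ] \
    || { echo "FAIL: server.key does not belong to server.crt" >&2; return 1; }
  [ "$(openssl x509 -noout -pubkey -in "$d/client.crt")" = "$(openssl pkey -pubout -in "$d/client.key")" ] \
    || { echo "FAIL: client.key does not belong to client.crt" >&2; return 1; }
  [ "$(openssl x509 -noout -serial -in "$d/server.crt")" != "$(openssl x509 -noout -serial -in "$d/client.crt")" ] \
    || { echo "FAIL: server and client certificates share a serial number" >&2; return 1; }
  openssl x509 -noout -text -in "$d/client.crt" | grep -q 'TLS Web Client Authentication' \
    || { echo "FAIL: client.crt lacks the clientAuth extended key usage" >&2; return 1; }
  ! grep -q ENCRYPTED "$d/server.key" \
    || { echo "FAIL: server.key still has a passphrase; the service cannot load it unattended" >&2; return 1; }
}

# mtls_smoke_test DIR SERVER_FQDN [PORT]: loopback handshake in which the server
# demands a client certificate signed by ca.crt, as the Model Service will of Hub.
mtls_smoke_test() {
  local d="$1" fqdn="$2" port="${3:-8443}" srv out
  openssl s_server -accept "$port" -www -cert "$d/server.crt" -key "$d/server.key" \
    -CAfile "$d/ca.crt" -Verify 1 >/dev/null 2>&1 </dev/null &
  srv=$!; sleep 1
  out=$(openssl s_client -connect "127.0.0.1:$port" -servername "$fqdn" -verify_hostname "$fqdn" \
    -cert "$d/client.crt" -key "$d/client.key" -CAfile "$d/ca.crt" </dev/null 2>&1 || true)
  kill "$srv" 2>/dev/null || true
  printf '%s\n' "$out" | grep -q 'Verify return code: 0 (ok)'
}

# Usage: DECISION_CA_PASS='...' ./decision-certs.sh OUTDIR decision.example.com
if [ $# -ge 2 ]; then
  make_decision_certs "$1" "$2"
  verify_decision_certs "$1" "$2" && echo "files in $1 pass all checks"
fi
```

Run it as `DECISION_CA_PASS='...' ./decision-certs.sh out decision.example.com`; to try the handshake, source the file in a shell and call `mtls_smoke_test out decision.example.com`, which needs a free local port and a second of start-up time for s_server. The verification function is also worth running against certificates obtained from a corporate CA, since a server certificate whose name does not cover the FQDN Hub uses, or a client certificate without clientAuth, fails in exactly the same way as a mis-generated self-signed one.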