Manage certificates for SSO

Create a self-signed or 3rd party certificate for SSO

This procedure creates a self-signed or third-party-signed system certificate to use when setting up Single Sign-On (SSO) on the web proxy node on Automate.

Note

  • Web server certificate management is carried out on the Automate command line. Refer to the CLI documentation for details.

  • During customer onboarding, SSO certificate creation is customer-specific.

  1. Log in as system administrator.

  2. Go to the Certificates page.

  3. Click Add.

  4. On the Base tab, configure the following:

    • Fill out a name (mandatory) and a description (optional) for the certificate.

    • Choose an option:

      • Self-signed certificate? For a self-signed certificate:

        • Clear the Generate Certificate Signing Request checkbox.

        • Define the certificate validity period. The start and end of the period are measured in seconds and default to 0 (now) and 315360000 (10 years), respectively.

      • Third-party signed certificate?

        • Select the Generate Certificate Signing Request checkbox.

        • At Valid To, define a value, in seconds, for how long the certificate is valid from the time it’s generated. Default is 315360000 seconds (10 years).

    • At Expires, fill out an expiry date for the certificate in the format year-month-day-time, for example: 2035-05-03T09:06:33Z

    • (Optional) Change the Key Length from the default (2048).

  5. On the Certificate Information tab, configure the following:

    Fields marked with * are mandatory.

    Field                Description
    Common Name *        Enter the FQDN for your server.
    Country Code *       A two-digit country code
    State *              An appropriate country subdivision
    City *               Your city
    Organization *       Your organization
    Organization Unit    Your organization subunit

  6. Click Save.

    Note

    If you created a self-signed certificate, you can exit this procedure. If you requested a third-party-signed certificate, continue with the next steps.

  7. On the Certificates list view, select the third-party-signed certificate you created.

  8. From the toolbar overflow menu, select Export Certificate Request, then follow your organization’s procedures to obtain the third-party signature for the certificate.

  9. On the Certificates list view, select the certificate, then from the toolbar overflow menu, select Upload Signed Certificate.

  10. Browse to the signed certificate, then click OK.
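
Before using Upload Signed Certificate, it is worth confirming that the file returned by the signer carries the public key from the exported request and is not close to expiry. The shell functions below are an added example, not part of Automate or its documentation; they assume OpenSSL is installed and that the exported request and the signed certificate are PEM files, and the function names, file names and return codes are chosen here for illustration.

```shell
#!/usr/bin/env bash
# Added example: names, return codes and PEM encoding are assumptions, not Automate's.

# pubkey_digest <req|x509> <file>: SHA-256 of the public key inside a CSR or certificate.
pubkey_digest() {
    local pem
    pem=$(openssl "$1" -in "$2" -noout -pubkey 2>/dev/null) || return 1
    printf '%s\n' "$pem" | openssl sha256 | awk '{print $NF}'
}

# check_signed_cert <csr.pem> <cert.pem> [min_days]
#   0 = certificate matches the request and is valid for at least min_days (default 30)
#   1 = certificate was issued for a different key than the exported request
#   2 = certificate expires within min_days
#   3 = a file is missing or is not a PEM CSR / certificate
check_signed_cert() {
    local csr cert min_days want got
    csr=$1; cert=$2; min_days=${3:-30}
    want=$(pubkey_digest req "$csr") || return 3
    got=$(pubkey_digest x509 "$cert") || return 3
    [ "$want" = "$got" ] || return 1
    openssl x509 -in "$cert" -noout -checkend $((min_days * 86400)) >/dev/null || return 2
    return 0
}

# make_sample <dir>: constructed material for trying the check out offline.
make_sample() {
    # key + CSR, standing in for the request exported from the Certificates page
    openssl req -newkey rsa:2048 -nodes -keyout "$1/sso.key" -out "$1/sso.csr" \
        -subj "/CN=sso.example.test/C=ZZ/ST=State/L=City/O=Example" 2>/dev/null
    # stand-in for the third-party signature: the CSR signed with its own key, 365 days
    openssl x509 -req -in "$1/sso.csr" -signkey "$1/sso.key" -days 365 \
        -out "$1/signed.pem" 2>/dev/null
    # unrelated certificate with a different key, as a "wrong file" case
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$1/other.key" \
        -out "$1/other.pem" -days 365 -subj "/CN=other.example.test" 2>/dev/null
}

# Usage: ./check_signed_cert.sh exported.csr signed.pem [min_days]
if [ "$#" -ge 2 ]; then
    check_signed_cert "$@"
    echo "check_signed_cert exit code: $?"
fi
```

The same expiry check, run periodically against the certificate in use with a larger min_days, gives advance notice before the renewal procedure is needed.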

Renew single sign-on certificate for Automate

If a customer’s single sign-on certificate expires, this procedure renews the certificate for Automate.

  1. Regenerate the certificate (either self-signed or CA-signed) as described in Create a self-signed or 3rd party certificate for SSO.

  2. Regenerate the SP metadata and upload it to the IdP, as described in Configure Self-service SSO SP settings.

    Note

    If an expired SSO certificate is being renewed and the IdP metadata has not changed, then downloading, configuring, and uploading the IdP metadata is not required, and these steps can be ignored.