.. _sso-certificate-management:


Manage certificates for SSO
-------------------------------

.. _25.1|EKB-22368:


.. tip:: 

   :ref:`use-action-search-to-navigate-automate`



.. _create-self-signed-or-3rd-party-certificate-sso:

Create a self-signed or 3rd party certificate for SSO 
.......................................................

This procedure creates a self-signed or third-party-signed system certificate
to use when setting up Single Sign-On (SSO) on the web proxy node on Automate.

.. note::

   * Web server certificate management is carried out on the Automate command line.
     Refer to the CLI documentation for details.
   * During customer onboarding, SSO certificate creation is customer-specific.



1. Log in as system administrator.
#. Go to the **Certificates** page.
#. Click **Add**.
#. On the **Base** tab, configure the following:  

   * Fill out a name (mandatory) and a description (optional) for the certificate.
   * Choose an option: 
   
     * **Self-signed certificate**. For a self-signed certificate:
     
       * Clear the **Generate Certificate Signing Request** checkbox.
       * Define the certificate validity period (start and end). Both values are measured in seconds
         relative to the time the certificate is generated and default to 0 (now) and 315360000
         (10 years) respectively.

     * **Third-party signed certificate**. For a certificate to be signed by an external CA:
     
       * Select the **Generate Certificate Signing Request** checkbox.
       * At **Valid To**, define a value, in seconds, for how long the certificate is valid from the time 
         it's generated. The default is 315360000 seconds (10 years). 
   * At **Expires**, fill out an expiry date and time for the certificate in UTC, ISO 8601 format
     ``YYYY-MM-DDThh:mm:ssZ``, for example: *2035-05-03T09:06:33Z*

   * (Optional) Change the **Key Length** from the default (2048).

#. On the **Certificate Information** tab, configure the following: 

   .. tabularcolumns:: |p{4cm}|p{6cm}|

   +---------------------+------------------------------------+
   | Field               | Description                        |
   +=====================+====================================+
   | Common Name \*      | Enter the FQDN for your server.    |
   +---------------------+------------------------------------+
   | Country Code \*     | Two-letter country code (ISO 3166) |
   +---------------------+------------------------------------+
   | State \*            | An appropriate country subdivision |
   +---------------------+------------------------------------+
   | City \*             | Your city                          |
   +---------------------+------------------------------------+
   | Organization \*     | Your organization                  |
   +---------------------+------------------------------------+
   | Organization Unit   | Your organization subunit          |
   +---------------------+------------------------------------+

6. Click **Save**.

   .. note:: 

      If you created a self-signed certificate, you can exit this procedure. If you requested a 
      third-party-signed certificate, continue with the next steps. 

7. On the **Certificates** list view, select the third-party-signed certificate you created.

8. From the toolbar overflow menu, select **Export Certificate Request**, then follow your 
   organization's procedures to obtain the third-party signature for the certificate.
9. On the **Certificates** list view, select the certificate, then from the toolbar overflow menu, select 
   **Upload Signed Certificate**.
10. Browse to the signed certificate, then click **OK**.
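The following script is an added example and is not part of Automate or its documentation. It reproduces, with the ``openssl`` command line, what the **Certificates** page does in the procedure above (2048-bit key, CSR with the **Certificate Information** fields, a self-signed certificate with the default 10-year validity) and then runs the checks worth doing before **Upload Signed Certificate**: that the CSR carries the server FQDN as Common Name and an adequate key length, that the certificate that came back from the CA was issued for the same key as the CSR (a mismatched key is the most common cause of SSO failing after an upload), and that the certificate is not about to expire. The FQDN, subject values and file names are placeholders; ``openssl`` is assumed to be installed.

```shell
#!/bin/sh
# Added example (not Automate's own code): key, CSR, self-signed certificate
# and pre-upload checks with the openssl CLI. Subject values are placeholders.
set -e

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Fields from the "Certificate Information" tab (hypothetical values).
FQDN="automate.example.com"
SUBJ="/C=US/ST=Texas/L=Austin/O=Example Corp/OU=Collaboration/CN=$FQDN"

# Validity as on the "Base" tab: seconds, default 315360000 (10 years).
# openssl x509 -days takes whole days, so convert.
VALID_SECONDS=315360000
VALID_DAYS=$(( VALID_SECONDS / 86400 ))

# Default Key Length from the "Base" tab is 2048.
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -out "$WORK/key.pem" 2>/dev/null

# "Generate Certificate Signing Request" selected: this is what
# "Export Certificate Request" would hand to your CA.
openssl req -new -key "$WORK/key.pem" -subj "$SUBJ" -out "$WORK/req.csr"

# Self-signed path (checkbox cleared): sign the request with our own key.
# In the checks below this file stands in for the CA-signed certificate.
openssl x509 -req -in "$WORK/req.csr" -signkey "$WORK/key.pem" \
    -days "$VALID_DAYS" -out "$WORK/cert.pem" 2>/dev/null

# Check 1: the CSR names the server FQDN as Common Name.
csr_cn_ok() {
    openssl req -in "$WORK/req.csr" -noout -subject | grep -q "CN *= *$FQDN"
}

# Check 2: key length in the CSR (prints the bit count, e.g. 2048).
key_bits() {
    openssl req -in "$WORK/req.csr" -noout -text \
        | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p'
}

# Check 3: the signed certificate belongs to the key behind the CSR.
# Compare SHA-256 fingerprints of the public key in each file.
pubkey_fp() {
    openssl "$1" -in "$2" -noout -pubkey | openssl sha256 | awk '{print $NF}'
}
cert_matches_csr() {
    [ "$(pubkey_fp req "$WORK/req.csr")" = "$(pubkey_fp x509 "$WORK/cert.pem")" ]
}

# Check 4: certificate still valid for at least $1 seconds (exit 0 if so).
not_expiring_within() {
    openssl x509 -in "$WORK/cert.pem" -noout -checkend "$1"
}

# Stand-alone run: print the checks and the notAfter date.
csr_cn_ok && echo "CN ok: $FQDN"
echo "key bits: $(key_bits)"
cert_matches_csr && echo "certificate matches CSR key"
not_expiring_within 2592000 >/dev/null && echo "not expiring within 30 days"
openssl x509 -in "$WORK/cert.pem" -noout -enddate
```

Run the same ``cert_matches_csr`` comparison against the file your CA returns and the CSR you exported; if the fingerprints differ, the CA signed a different request and the upload in the last step will not activate SSO correctly.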





.. _renew-single-sign-on-certificate-for-voss-4-uc:

Renew single sign-on certificate for Automate
......................................................

If a customer's single sign-on certificate has expired or is about to expire, this procedure renews the certificate for Automate. 

1. Regenerate the certificate (either self-signed or CA signed) as
   described in :ref:`create-self-signed-or-3rd-party-certificate-sso`.
#. Regenerate and upload the SP metadata to the IdP as described in :ref:`sso-sp-settings`. The SP
   metadata carries the new certificate, so this step is required even when nothing else has changed.

   .. note:: 

      If an expired SSO certificate is being renewed and the IdP metadata has *not* changed, then 
      downloading, configuring and uploading the IdP metadata is not required and those steps can be skipped.
  

