Install Certificates on older Operating Systems

You can create certificates on a Windows 10 or Windows Server 2016 machine and transfer them to a machine with an older operating system.

About this task

If you would like to use valid, self-signed certificates for a Workflow installation on an operating system other than Windows 10 or Windows Server 2016, you can do the following:
  1. Manually generate the certificates using the PowerShell New-SelfSignedCertificate cmdlet on a Windows 10 or Windows Server 2016 machine.
  2. Export the certificates using MMC.
  3. Import the certificates to the selected Workflow server machine using Workflow ConfigureCertificates.
  4. Import the SSL certificate using Workflow ConfigureCertificates.

Procedure

  1. Manually generate the certificates on a Windows 10 or Windows Server 2016 machine.
    1. Use the following New-SelfSignedCertificate parameters to generate the certificates:

      Certificate name: ProficySelfSignedCA
      New-SelfSignedCertificate command parameters:

      New-SelfSignedCertificate -CertStoreLocation "cert:\LocalMachine\My" -DnsName "ProficySelfSignedCA" -FriendlyName "ProficySelfSignedCA" -HashAlgorithm SHA256 -KeyExportPolicy Exportable -KeyLength 2048 -KeySpec KeyExchange -KeyUsage CertSign, CRLSign, DigitalSignature -KeyUsageProperty All -NotAfter $([datetime]::now.AddYears(3)) -Subject "CN=ProficySelfSignedCA"

      Certificate name: ProficySTS
      New-SelfSignedCertificate command parameters:

      $proficyCACert = Get-ChildItem -Path cert:\LocalMachine\My | ?{$_.Subject -eq "CN=ProficySelfSignedCA"}

      New-SelfSignedCertificate -CertStoreLocation "cert:\LocalMachine\My" -DnsName "ProficySTS" -FriendlyName "ProficySTS" -HashAlgorithm SHA256 -KeyExportPolicy Exportable -KeyLength 2048 -KeySpec KeyExchange -NotAfter $([datetime]::now.AddYears(3)) -Signer $proficyCACert -Subject "ProficySTS"

      Certificate name: ProficyPlatform
      New-SelfSignedCertificate command parameters:

      $proficyCACert = Get-ChildItem -Path cert:\LocalMachine\My | ?{$_.Subject -eq "CN=ProficySelfSignedCA"}

      New-SelfSignedCertificate -CertStoreLocation "cert:\LocalMachine\My" -DnsName "ProficyPlatform" -FriendlyName "ProficyPlatform" -HashAlgorithm SHA256 -KeyExportPolicy Exportable -KeyLength 2048 -KeySpec KeyExchange -NotAfter $([datetime]::now.AddYears(3)) -Signer $proficyCACert -Subject "ProficyPlatform"

      Certificate name: SSL certificate
      New-SelfSignedCertificate command parameters:

      $proficyCACert = Get-ChildItem -Path cert:\LocalMachine\My | ?{$_.Subject -eq "CN=ProficySelfSignedCA"}

      New-SelfSignedCertificate -CertStoreLocation "cert:\LocalMachine\My" -DnsName "localhost","<ipAddress>" -FriendlyName "localhost" -HashAlgorithm SHA256 -KeyExportPolicy Exportable -KeyLength 2048 -KeySpec KeyExchange -NotAfter $([datetime]::now.AddYears(3)) -Signer $proficyCACert -Subject "<hostname>"

      Where <ipAddress> and <hostname> are the IP Address and the Hostname of the Workflow application server machine.
    2. Run PowerShell as an administrator to create the certificates.
  2. Export the certificates from the Local Computer > Personal store, using the Microsoft Management Console (MMC) certificate snap-in.
    1. For each certificate, select the option to export the private key.
    2. On the Export File Format dialog, select Personal Information Exchange - PKCS #12 (.PFX) format.
    3. Uncheck the Include all certificates in the certification path if possible check box.
    4. Check the Export all extended properties check box.
    5. Export all of the certificates to the same directory, naming each .pfx file with the certificate name (Issued To) of the certificate it contains. Use the same password for each certificate.
    6. Combine the certificates into a .zip file and copy the .zip file to the Workflow server machine.
    7. Unzip the file for use.
    Note:
    • If you leave the Include all certificates in the certification path if possible check box selected, the ProficySelfSignedCA cert is re-imported into the Local Machine > Personal store when you import the SSL certificate in a later step. You will then have to remove it.
    • Exporting using the same password and naming each file with the Issued To name is mandatory for importing on the Workflow application server using ConfigureCertificates.
  3. Import the certificates using Workflow ConfigureCertificates.
    1. On the selected Workflow server, run:
      C:\Program Files (x86)\Proficy\Proficy Workflow\Program\ConfigureCertificates.exe
    2. Select the Import Certificates option.
    3. Select the .zip file you copied for importing (not the individual .pfx files).
      The three Proficy certificates are imported from the .zip file into the correct locations.
    4. Click Save.
      Once saved, an SSL certificate is generated and bound to the Workflow ports. This SSL certificate must be removed before proceeding to the next step.
    5. Using MMC, remove the SSL certificate from the LocalMachine > Personal store. You will replace this certificate in the next step.
  4. Import the SSL certificate using Workflow ConfigureCertificates.
    1. On the selected Workflow server, run:
      C:\Program Files (x86)\Proficy\Proficy Workflow\Program\ConfigureCertificates.exe
    2. Select the Use the certificates already installed on this server option.
    3. Select the Enable certificate import for advanced configuration check box.
    4. Click the ellipsis (...) in the Import column for the SSL/TLS Server Certificate, and browse to the folder containing the exported certificates.
    5. Select the SSL certificate. This is the certificate with the Issued To equal to the Workflow application server hostname.
      Note: You may need to change the file browser selection from .cer to All Files to see the .pfx file.
    6. Follow the prompts to import the SSL/TLS Server Certificate.
    7. Click Save to bind the Workflow ports to this certificate.
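
The checks and export settings from steps 1 and 2 can also be scripted on the Windows 10 or Windows Server 2016 machine. The following is an added example, not part of the product documentation or the MMC procedure above. It assumes that ConfigureCertificates accepts .pfx files written by Export-PfxCertificate in the same way as an MMC export; $hostName, $outDir and the .zip file name are placeholders.

```powershell
# Added example. Run in an elevated PowerShell session after the certificates
# in step 1 have been generated. $hostName and $outDir are assumptions.
$hostName = '<hostname>'             # value used for -Subject of the SSL certificate
$outDir   = 'C:\Temp\WorkflowCerts'  # hypothetical export folder
$store    = 'Cert:\LocalMachine\My'

# The signing CA must be unambiguous, otherwise -Signer may have picked up a stale copy.
$ca = @(Get-ChildItem -Path $store | Where-Object { $_.Subject -eq 'CN=ProficySelfSignedCA' })
if ($ca.Count -ne 1) { throw "Expected exactly one ProficySelfSignedCA in $store, found $($ca.Count)" }

# One password for every file, as ConfigureCertificates requires.
$password = Read-Host -Prompt 'Password for all .pfx files' -AsSecureString
New-Item -ItemType Directory -Path $outDir -Force | Out-Null

foreach ($name in 'ProficySelfSignedCA', 'ProficySTS', 'ProficyPlatform', $hostName) {
    $cert = @(Get-ChildItem -Path $store | Where-Object { $_.Subject -eq "CN=$name" })
    if ($cert.Count -ne 1)         { throw "Expected exactly one certificate with subject CN=$name" }
    if (-not $cert[0].HasPrivateKey) { throw "CN=$name has no private key to export" }
    if ($cert[0].Issuer -ne $ca[0].Subject) { throw "CN=$name was not issued by ProficySelfSignedCA" }
    if ($cert[0].NotAfter -lt (Get-Date))   { throw "CN=$name expired on $($cert[0].NotAfter)" }

    # EndEntityCertOnly matches clearing "Include all certificates in the
    # certification path if possible". Extended properties are exported
    # unless -NoProperties is given. The file is named after Issued To.
    Export-PfxCertificate -Cert $cert[0] -FilePath (Join-Path $outDir "$name.pfx") `
        -Password $password -ChainOption EndEntityCertOnly | Out-Null
}

# One .zip containing all exported .pfx files, ready to copy to the Workflow server.
Compress-Archive -Path (Join-Path $outDir '*.pfx') `
    -DestinationPath (Join-Path $outDir 'WorkflowCerts.zip') -Force
```

The exported files contain private keys, including the CA key, so remove the .pfx files and the .zip from both machines once the import in steps 3 and 4 has succeeded.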