
Updating the UPA SSL Certificates

The UPA SSL certificate must be updated in two locations:

  1. The nginx application gateway, where the copy of the certificate must be in PEM format.
  2. The IIS website, where the copy of the certificate must be in PFX (PKCS #12) format.
Converting certificate format

You must have the certificate in both PFX and PEM formats to proceed. The PEM private key file must not be encrypted.

Convert PFX to PEM

If the new certificate is in PFX format, you can run the following commands to convert it to PEM format:

  1. cd "%PROGRAMFILES%\OpenText\AD Bridge\Gatekeeper\nginx"
  2. openssl pkcs12 -in "<path_to_pfx_file>" -out "%temp%\certificate.crt" -nokeys -clcerts
  3. openssl pkcs12 -in "<path_to_pfx_file>" -out "%temp%\new_cert.encrypted.key" -nocerts
  4. openssl rsa -in "%temp%\new_cert.encrypted.key" -out "%temp%\privatekey.pem"

If the PFX file is password protected, you will be prompted to enter the PFX password in steps 2 and 3. In step 3, you will be prompted to create a new password for the private key, and in step 4 you will be prompted to enter that password to create the unencrypted private key.

This will create the files certificate.crt and privatekey.pem in the user’s temporary directory.
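
Before the converted files are copied into the nginx folder, it is worth confirming that the key is unencrypted and belongs to the certificate. The following PowerShell is an added example, not part of the original article; it assumes openssl.exe sits in the Gatekeeper nginx folder used in step 1 and supports the pkey command (OpenSSL 1.0.0 or later), and Test-NginxCertPair is a hypothetical helper name.

```powershell
# Added example. Assumption: openssl.exe is in the Gatekeeper nginx folder,
# the directory the conversion steps change into before running openssl.
$openssl = Join-Path $env:ProgramFiles 'OpenText\AD Bridge\Gatekeeper\nginx\openssl.exe'
$crt = Join-Path $env:TEMP 'certificate.crt'
$key = Join-Path $env:TEMP 'privatekey.pem'

function Test-NginxCertPair {
    param([string]$CertPath, [string]$KeyPath)

    # An encrypted key carries "ENCRYPTED" in its PEM header
    # (BEGIN ENCRYPTED PRIVATE KEY, or Proc-Type: 4,ENCRYPTED).
    if (Select-String -Path $KeyPath -Pattern 'ENCRYPTED' -SimpleMatch -Quiet) {
        Write-Warning "$KeyPath is still encrypted; rerun step 4."
        return $false
    }

    # Derive the public key from each file and compare the two.
    # "-passin pass:" makes openssl fail instead of prompting for a passphrase.
    $fromCert = (& $openssl x509 -in $CertPath -noout -pubkey) -join "`n"
    if ($LASTEXITCODE -ne 0) { Write-Warning "Cannot parse $CertPath"; return $false }
    $fromKey = (& $openssl pkey -in $KeyPath -pubout -passin pass:) -join "`n"
    if ($LASTEXITCODE -ne 0) { Write-Warning "Cannot parse $KeyPath"; return $false }

    if ($fromCert -ne $fromKey) {
        Write-Warning 'Certificate and private key do not belong together.'
        return $false
    }

    # Show the subject and expiry date of the certificate about to be installed.
    & $openssl x509 -in $CertPath -noout -subject -enddate | Write-Host
    return $true
}

if (Test-NginxCertPair -CertPath $crt -KeyPath $key) {
    Write-Host 'OK: matching, unencrypted PEM pair.'
} else {
    Write-Host 'Do not copy these files into the nginx folder yet.'
}
```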

Convert PEM to PFX

If the new certificate is in PEM or DER format – usually a .crt and a key file – you can run the following commands to convert it to a PFX:

  1. cd "%PROGRAMFILES%\OpenText\AD Bridge\Gatekeeper\nginx"
  2. openssl pkcs12 -export -out "%temp%\new_cert.pfx" -inkey "<path_to_private_key_file>" -in "<path_to_crt_file>"

You will be prompted to create a password for the PFX. Take note of this password to use later.

This will create the file new_cert.pfx in the user’s temporary directory.

Install PEM to nginx

In Windows Explorer, browse to %TEMP% and copy the certificate.crt and privatekey.pem files into the %PROGRAMDATA%\OpenText\AD Bridge\nginx folder. Overwrite the existing files when prompted. Restart the “AD Bridge nginx” Windows service.

Install PFX to IIS
  1. Open IIS Manager.
  2. At the root server node, select the Server Certificates page.
  3. In the Actions pane on the right, select “Import…”
  4. Browse to the new_cert.pfx file in the %TEMP% folder and import it. When prompted, use the password you specified above.
  5. Select the AD Bridge Gatekeeper site in IIS.
  6. In the Actions pane on the right, select “Bindings…”
  7. Select the https binding and click the Edit button.
  8. In the SSL certificate dropdown, select the new certificate, and click OK.