How to update expire Aras certifies

Hi Haider and Hkhan,

were you able to find a solution for this one?

I need to find a solution...till 2024. So there is no real hurry. But I think this topic will become relevant for many users who don´t update on a regular basis. So it´s better to be prepared.

I haven´t done any tests regarding custom certificates yet. And so far I haven´t seen any document related to certificates in https://www.aras.com/support/documentation/ . Not sure if Aras is aware of the issue. 

IMPORTANT: For anyone who came across this post by accident: If you use the same Innovator 12+ instance for around 2 years, check the validity of your certificates. You might be affected by the topic of this post too. 

Hope this posts gets more attention.

Thanks again for bringing up the topic!

Angela

Hello Angelalp,

I contacted Aras for help and the following is the solution they provided 

To generate new certificates:

1. Download from the FTP site i have added to this page 
2. Open a command prompt window as Administrator
3. Navigate to the folder containing CreateOAuthCertificates.bat
4. Execute the following command to generate certificates:

            CreateOAuthCertificates.bat <ServerName> <Password>

   Where:

ServerName – the name of the server for which a certificate should be generated (OAuthServer, InnovatorServer, VaultServer, AgentService, SelfServiceReporting).

Password – the password for the private certificate.

Note: Each run of the batch file generates a pair of certificates in the {Current_Directory}\Output\ directory, for example: OAuthServer.cer (public certificate) and OAuthServer.pfx (private certificate protected by the password). You will need to run this for each part of the application components.

Once the Certificates have been created copy them the corresponding directories.

Deploying the OAuthServer Certificates:

• Copy OAuthServer.pfx to OAuthServer\App_Data\Certificates\
• Copy the OAuthServer.pfx to the following folders:
  • OAuthServer\App_Data\Certificates\
  • Innovator\Server\App_Data\Certificates\
  • SelfServiceReporting\App_Data\Certificates\
  • VaultServer\App_Data\Certificates\
• Specify the password in oauth\server\tokenSigning\certificate\@password attribute of OAuthServer\OAuth.config file.

Deploying the Aras Innovator Server Certificates

• Copy InnovatorServer.pfx to Innovator\Server\App_Data\Certificates\.
• Copy InnovatorServer.cer to OAuthServer\App_Data\Certificates\.
• Specify password in oauth\client\secret\certificate\@password attribute of Innovator\Server\OAuth.config file.

Deploying the Vault Server Certificates:

• Copy VaultServer.pfx to VaultServer\App_Data\Certificates\.
• Copy VaultServer.cer to OAuthServer\App_Data\Certificates\.
• Specify password in oauth\client\secret\certificate\@password attribute of VaultServer\OAuth.config file.

Deploying the Agent Service Certificates

• Copy AgentService.pfx to AgentService\App_Data\Certificates\.
• Copy AgentService.cer to OAuthServer\App_Data\Certificates\.
• Specify password in oauth\client\secret\certificate\@password attribute of AgentService\OAuth.config file.

Deploying the Self Service Reporting Certificates:

• Copy SelfServiceReporting.pfx to SelfServiceReporting\App_Data\Certificates\.
• Copy SelfServiceReporting.cer to OAuthServer\App_Data\Certificates\.

Specify password in oauth\client\secret\certificate\@password attribute of SelfServiceReporting\OAuth.config file.

Hello Angelalp,

I contacted Aras for help and the following is the solution they provided 

To generate new certificates:

1. Download from the FTP site i have added to this page 
2. Open a command prompt window as Administrator
3. Navigate to the folder containing CreateOAuthCertificates.bat
4. Execute the following command to generate certificates:

            CreateOAuthCertificates.bat <ServerName> <Password>

   Where:

ServerName – the name of the server for which a certificate should be generated (OAuthServer, InnovatorServer, VaultServer, AgentService, SelfServiceReporting).

Password – the password for the private certificate.

Note: Each run of the batch file generates a pair of certificates in the {Current_Directory}\Output\ directory, for example: OAuthServer.cer (public certificate) and OAuthServer.pfx (private certificate protected by the password). You will need to run this for each part of the application components.

Once the Certificates have been created copy them the corresponding directories.

Deploying the OAuthServer Certificates:

• Copy OAuthServer.pfx to OAuthServer\App_Data\Certificates\
• Copy the OAuthServer.pfx to the following folders:
  • OAuthServer\App_Data\Certificates\
  • Innovator\Server\App_Data\Certificates\
  • SelfServiceReporting\App_Data\Certificates\
  • VaultServer\App_Data\Certificates\
• Specify the password in oauth\server\tokenSigning\certificate\@password attribute of OAuthServer\OAuth.config file.

Deploying the Aras Innovator Server Certificates

• Copy InnovatorServer.pfx to Innovator\Server\App_Data\Certificates\.
• Copy InnovatorServer.cer to OAuthServer\App_Data\Certificates\.
• Specify password in oauth\client\secret\certificate\@password attribute of Innovator\Server\OAuth.config file.

Deploying the Vault Server Certificates:

• Copy VaultServer.pfx to VaultServer\App_Data\Certificates\.
• Copy VaultServer.cer to OAuthServer\App_Data\Certificates\.
• Specify password in oauth\client\secret\certificate\@password attribute of VaultServer\OAuth.config file.

Deploying the Agent Service Certificates

• Copy AgentService.pfx to AgentService\App_Data\Certificates\.
• Copy AgentService.cer to OAuthServer\App_Data\Certificates\.
• Specify password in oauth\client\secret\certificate\@password attribute of AgentService\OAuth.config file.

Deploying the Self Service Reporting Certificates:

• Copy SelfServiceReporting.pfx to SelfServiceReporting\App_Data\Certificates\.
• Copy SelfServiceReporting.cer to OAuthServer\App_Data\Certificates\.

Specify password in oauth\client\secret\certificate\@password attribute of SelfServiceReporting\OAuth.config file.

Hi Hkhan,

many thanks for sharing this information! I made a quick test and the resulting certs lock fine.

I am a little bit proud that my earlier openssl idea wasn´t so wrong at all. It´s exactly the same concept that Aras uses.

Best wishes!

Angela

Thanks so much for posting this answer. Our production Innovator server ran into this problem yesterday - the symptom from the users was an HTTP 500 error when accessing files from the Vault which had been fine minutes before. After a lot of head-scratching I traced it back to a failing OAuth token request, and then the expired certificates.

Aras really need to add this information and that certificate generator more clearly somewhere, or better yet have the installer create a scheduled task. That was a stressful night!

When I have read the "harmlessly phrased" question the first time one month ago, my face got white and chills ran down my back. I was really scared after I checked the certificates of my old server. Thanks for confirming the disaster!

I agree that Aras should publish something "official" regarding the certificates. I will try to reach somebody. Or I write something by myself in cause they don´t react.