The certificates that are used in Atomia, their roles, and how to generate new ones.
Certificates and their roles
Certificates are an important part of Atomia and are used to keep the communication between applications secure. This section will describe the different types of certificates used within Atomia.
All Atomia applications have their own certificates which are used to identify the application when communicating with other parts of Atomia. These certificates are defined in their respective applications web.config in the <serviceCertificate> section and are identified by the certificate subject. More information about the function of these certificates can be found here. The following certificates exist in this category (we are assuming the domain for your Atomia environment is myatomia.com):
The GUI applications use a shared certificate for authentication purposes.
All authentication tokens created by AtomiaIdentity are signed and later validated using a signing certificate.
Passwords and other private data stored within the Automation Server and Atomia Billing are encrypted using two encryption certificates. These certificates are normally not replaced. However, if these for any reason need to be replaced all values have to be re-encrypted with an application that Atomia provides upon request.
All Atomia frontend applications are served via https. A wildcard certificate is normally used for this purpose.
- *.myatomia.com (wildcard)
Generating new certificates
By default Atomia generates a set of self signed certificates with an expiration time of ~10 years. If you for any reason need to generate new certificates there are a few things to consider.
With this in mind, generating new certificates to replace the current ones is done by following the following procedure:
- Clone the puppet-atomia repository from https://github.com/atomia/puppet-atomia.git.
- Navigate to files/certificates.
- Execute the following command:
- Invoke the script generate_certificates.rb with parameters <appdomain> <login> <order> <billing> <hcp> <environment>. This generates your new certificates to /etc/puppet/atomiacerts/atomia.
- For example:
ruby generate_certificates.rb mydomain.com login order billing my atomia
Where mydomain.com is the domain used for your Atomia applications and login, order, and billing, whereas my stands for the sub domains used for the respective applications.
- For example:
- Copy the pfx certificates to your Windows servers that are running the Atomia applications.
mkdir -p /etc/puppet/atomiacerts/
Generating certificates during scheduled maintenance
The instructions below this point will disrupt the normal functionality of your Atomia applications and should only be performed during scheduled maintenance.
- On the Windows servers open the certificate manager and navigate to the Personal certificate store.
- Replace the old certificates one by one with the new certificates you generated previously. The replacement is done as follows:
- Click a certificate and press delete.
- Go to File > Import and import the new certificate with the same name.
- When all the certificates in the list (except the encryption certificates) are replaced, change to the Trusted People certificate store and replace the two certificates available there as well.
- Finally go to the Trusted Root Certificate store and replace the Atomia Root Certificate with your newly generated root cert.
- If you did not perform the puppet run above you should now manually update the thumbprints of the certificates in the Atomia INI configuration file located in C:\Program Files (x86)\Atomia\Common\unattended.ini.
- Replace RootCertThumb with the thumbprint of the new root certificates. These can be found by double clicking the root certificate in the certificate manager and clicking Details and finding the value for the Thumbprint field.
- Replace SigningCertThumb with the thumbprint of the stssigning certificate.
- Save the file.
- Go to C:\install and run the powershell script:
- Restart IIS.
- Make sure all the steps above are done on all servers running the Atomia applications.