Custom SSL Certificate

How to configure Keeper Automator with a custom SSL certificate

Overview

Keeper Automator encrypts the communication between the Keeper backend and the Automator service running in the customer's environment.

If a custom certificate is not used, Keeper Automator will generate a self-signed certificate by default.

If your SAML configuration encrypts the request (rather than only signing it), a custom SSL certificate is required; the generated self-signed certificate does not satisfy this case.

You can obtain a quick, easy, and free SSL certificate at ZeroSSL. Or if you prefer to have more control over each step of the process, you can proceed with the following instructions.

Generate and Prepare the SSL Certificate

Keeper Automator requires a certificate issued by a public certificate authority. The exact steps vary by provider, but the general flow is documented here.

Follow these steps to create the two files Automator needs in order to run. They must be named ssl-certificate.pfx and ssl-certificate-password.txt.

(1) Using the openssl command prompt, generate a private key. Treat this file as a secret: it is packaged into the .pfx later and is the key Automator will present.

openssl genrsa -out automator.key 2048

(2) Generate a CSR, making sure to use the hostname you plan to use for Automator. In this example, that is automator.yourcompany.com. The important item here is that the Common Name matches that hostname exactly (public CAs copy the CN into the Subject Alternative Name, which is what TLS clients actually check).

openssl req -new -key automator.key -out automator.csr

Country Name (2 letter code) [XX]:US
State or Province Name (full name) []:Illinois
Locality Name (eg, city) [Default City]:Chicago
Organization Name (eg, company) [Default Company Ltd]:Company, LLC
Organizational Unit Name (eg, section) []:Engineering
Common Name []:automator.yourcompany.com
Email Address []:webmaster@yourcompany.com

(3) Purchase an SSL certificate (or obtain a free 90-day certificate) and submit the CSR to your certificate provider.

Ensure that the certificate created for your Automator instance is used only for this purpose. Do not use a wildcard certificate that is shared with other services: the private key lives inside the Automator deployment, and a shared key means a compromise of one service affects every service that uses it.

If you don't already have a provider, one option is https://www.ssls.com/. The least expensive single-domain certificate is sufficient.

Choose a hostname that is specific to Automator, e.g. automator.company.com, and request the certificate for that name.

The certificate provider will deliver a zip file containing your signed certificate (.crt file) and the intermediate CA certificate(s). The bundle may use either the .crt or the .ca-bundle file extension. Unzip this file into the same location as the .key file you created earlier.

(4) After the certificate has been issued, it needs to be converted with OpenSSL to .pfx format, including the full certificate chain: your issued certificate plus the intermediate CA certificate and the root CA certificate.

On Windows, make sure to launch the OpenSSL command prompt and navigate to the folder that has your files.

openssl pkcs12 -export -out ssl-certificate.pfx -inkey automator.key -in automator.yourcompany.com.crt -certfile automator.yourcompany.com.ca-bundle

When prompted, set an export password. IMPORTANT: use only letters and digits in the export password; do not use special characters.

Then create a new text file called ssl-certificate-password.txt, put the export password (and nothing else) into that file, and save it.

  • automator.key is the private key generated in step 1.

  • automator.yourcompany.com.crt is the signed certificate delivered in step 3.

  • automator.yourcompany.com.ca-bundle is the CA bundle (intermediate and root CA certificates) delivered with it.

  • ssl-certificate.pfx is the output file used by Automator that has been encrypted with a password.

  • ssl-certificate-password.txt contains the password used to encrypt the .pfx file.

We recommend saving all five files in your Keeper vault.

Ensure that your .pfx file contains your issued certificate AND the full certificate chain from your provider. If the chain is incomplete, the communication will fail and Automator will be unable to connect to your URL. To check the .pfx, use openssl:

openssl pkcs12 -in ssl-certificate.pfx -info

If the .pfx is correct, you will see exactly three certificates: your server certificate, the intermediate CA certificate and the root CA certificate.

If you only see one certificate, the chain was left out; if you see four or five, the bundle contained extra or duplicate certificates. In either case the .pfx is incorrect and you need to repeat the process.

(5) Save ssl-certificate.pfx and ssl-certificate-password.txt for the deployment steps later in this guide.

Please also ensure that you have backed up the files in your Keeper vault so that you can refer to these later when updating the service or re-keying the certificate.

(6) Review the annual certificate update process documented below.
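The procedure above, end to end, as an added example that is not Keeper's own code or documentation. Because a public CA cannot be contacted offline, the script stands up a throwaway local root and intermediate CA to play the provider's role; everything from the key and CSR through the .pfx export and the "exactly three certificates" check is the same as you would run against a real provider's files. The hostname automator.yourcompany.com, the export password, the file names and the 30-day test validity are assumptions. The last function also covers the annual renewal section below by reporting whether the certificate in the .pfx is still valid for a given number of days.

```shell
#!/bin/sh
# Added example, not part of Keeper's documentation or tooling.
# A constructed root -> intermediate -> leaf chain stands in for the public CA so the
# .pfx packaging and its checks can run offline. Hostname, password, file names assumed.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT          # the temp dir holds private keys; remove it on exit
HOST="automator.yourcompany.com"    # assumed Automator hostname (CN and SAN must match it)
PASS="AutomatorExport2024"          # export password: letters and digits only, per the guide
PFX="$WORK/ssl-certificate.pfx"
PWFILE="$WORK/ssl-certificate-password.txt"

# Stand-in for the public CA: a test root and intermediate (constructed, 30-day validity).
make_test_ca() {
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$WORK/ca.ext"
  openssl genrsa -out "$WORK/root.key" 2048 2>/dev/null
  openssl req -new -key "$WORK/root.key" -subj "/CN=Test Root CA" -out "$WORK/root.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/root.csr" -signkey "$WORK/root.key" -days 30 \
    -extfile "$WORK/ca.ext" -out "$WORK/root.crt" 2>/dev/null
  openssl genrsa -out "$WORK/int.key" 2048 2>/dev/null
  openssl req -new -key "$WORK/int.key" -subj "/CN=Test Intermediate CA" -out "$WORK/int.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/int.csr" -CA "$WORK/root.crt" -CAkey "$WORK/root.key" \
    -CAcreateserial -days 30 -extfile "$WORK/ca.ext" -out "$WORK/int.crt" 2>/dev/null
}

# Steps 1-2 of the guide: private key and CSR whose Common Name is the Automator hostname.
make_key_and_csr() {
  openssl genrsa -out "$WORK/automator.key" 2048 2>/dev/null
  openssl req -new -key "$WORK/automator.key" -out "$WORK/automator.csr" \
    -subj "/C=US/ST=Illinois/L=Chicago/O=Company LLC/OU=Engineering/CN=$HOST" 2>/dev/null
}

# Step 3 stand-in: the "provider" issues the server certificate (with a SAN, as public CAs do)
# and hands back a ca-bundle of intermediate + root, which is what the provider's zip contains.
issue_leaf() {
  printf 'subjectAltName=DNS:%s\nextendedKeyUsage=serverAuth\nbasicConstraints=CA:FALSE\n' "$HOST" > "$WORK/leaf.ext"
  openssl x509 -req -in "$WORK/automator.csr" -CA "$WORK/int.crt" -CAkey "$WORK/int.key" \
    -CAcreateserial -days 30 -extfile "$WORK/leaf.ext" -out "$WORK/$HOST.crt" 2>/dev/null
  cat "$WORK/int.crt" "$WORK/root.crt" > "$WORK/$HOST.ca-bundle"
}

# Step 4: package key + certificate + bundle into the password-protected .pfx, write the password file.
export_pfx() {
  openssl pkcs12 -export -out "$PFX" -inkey "$WORK/automator.key" -in "$WORK/$HOST.crt" \
    -certfile "$WORK/$HOST.ca-bundle" -passout "pass:$PASS" 2>/dev/null
  printf '%s' "$PASS" > "$PWFILE"
}

# --- checks to run before deploying a .pfx ---

# Number of certificates inside the .pfx; the guide expects exactly 3 (server, intermediate, root).
count_pfx_certs() {
  openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys 2>/dev/null | grep -c 'BEGIN CERTIFICATE' || true
}

# The private key in the .pfx must belong to the server certificate (compare their public keys).
pfx_key_matches_cert() {
  cert_pub=$(openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys -clcerts 2>/dev/null | openssl x509 -noout -pubkey)
  key_pub=$(openssl pkcs12 -in "$1" -passin "pass:$2" -nocerts -nodes 2>/dev/null | openssl pkey -pubout 2>/dev/null)
  [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# The CA certificates inside the .pfx must validate the server certificate for the Automator hostname.
pfx_chain_verifies() {
  openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys -cacerts 2>/dev/null \
    | sed -n '/BEGIN CERTIFICATE/,/END CERTIFICATE/p' > "$WORK/chain.pem"
  openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys -clcerts 2>/dev/null \
    | sed -n '/BEGIN CERTIFICATE/,/END CERTIFICATE/p' > "$WORK/leaf.pem"
  openssl verify -CAfile "$WORK/chain.pem" -verify_hostname "$3" "$WORK/leaf.pem" >/dev/null 2>&1
}

# Renewal check: succeeds only if the server certificate stays valid for at least $3 more days.
pfx_valid_for_days() {
  openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys -clcerts 2>/dev/null \
    | openssl x509 -noout -checkend "$(( $3 * 86400 ))" >/dev/null 2>&1
}

make_test_ca
make_key_and_csr
issue_leaf
export_pfx

echo "certificates in .pfx: $(count_pfx_certs "$PFX" "$PASS") (expect 3)"
if pfx_key_matches_cert "$PFX" "$PASS"; then echo "private key matches server certificate"; else echo "KEY MISMATCH"; fi
if pfx_chain_verifies "$PFX" "$PASS" "$HOST"; then echo "chain verifies for $HOST"; else echo "CHAIN INVALID"; fi
if pfx_valid_for_days "$PFX" "$PASS" 10; then echo "valid for at least 10 more days"; else echo "RENEW NOW"; fi
```

Against a real provider's files, replace make_test_ca and issue_leaf with the certificate and bundle from the zip and keep the rest unchanged; a count other than 3, a key mismatch, or a failed chain verification means the .pfx must be rebuilt before it is deployed.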

Using Windows

Generate and Prepare the SSL Certificate

The same requirements apply on Windows: Keeper Automator requires a certificate issued by a public certificate authority, and a self-signed certificate cannot be used as the custom certificate. The exact steps vary by provider, but the general flow is documented here.

Download and install OpenSSL. OpenSSL does not ship official Windows binaries; a widely used third-party installer is published by slproweb.com:

https://slproweb.com/products/Win32OpenSSL.html Install the version at the bottom labeled "Win32 OpenSSL vX.X.X Light". Since this is a third-party build, download it over HTTPS from that site and verify the checksum or signature the site publishes for the installer before running it.

During installation, the default options can be selected. The installer may ask you to also install the Microsoft Visual C++ Redistributable; follow its instructions to install that component before completing the OpenSSL setup.

Run the OpenSSL Command Prompt

In your Start Menu there will be an OpenSSL folder. Click on the Win32 OpenSSL Command Prompt.

Annual Renewal Process

On an annual basis, you will need to renew your SSL certificate. Most certificate providers will generate a new certificate for you. After renewal, rebuild the .pfx as described above, replace the .pfx file in your Automator instance, and then restart the service. Refer to the documentation for your specific Automator install method for the exact steps to update the file and restart the service.

For environments using AD FS ...

If you are using Keeper Automator with AD FS as the identity provider, users will not be able to log in until you update the Keeper certificate using the instructions below:

  • Login to the Keeper Admin Console

  • Go to Admin > SSO Node > Provisioning and then view the SSO Cloud configuration.

  • Click on "Export SP Cert".

  • In the AD FS Management Console select the Keeper Cloud SSO Relying Party Trust properties.

  • On the "Encryption" tab, replace the old certificate with this new cert.

  • On the "Signature" tab, Add/Replace the new SP certificate with this new cert.

If you are experiencing login issues after the certificate update

After certificate renewal, sometimes it is necessary to publish a new SP certificate in your identity provider following the below steps:

  • Login to the Keeper Admin Console

  • Go to Admin > SSO Node > Provisioning and then view the SSO Cloud configuration.

  • Click on "Export SP Cert" and save the certificate file.

  • Click on "Export Metadata" and save the metadata file, which also contains the certificate.

  • Login to your Identity Provider portal and view the SSO configuration for Keeper.

  • Upload Keeper's SP certificate file (or metadata, if required) following their instructions to update the Service Provider certificate and Save.

This is necessary because the Automator service effectively acts as the SAML service provider, and the customer-supplied SSL certificate is used in the signing process. When that certificate changes, the identity provider must be given the new SP certificate or it will reject Automator's signed messages.

Azure and AWS Deployments

If you are updating the SSL certificate in an environment that utilizes application gateways or a load balancer with a custom domain that terminates SSL, you need to also update the certificate on that device.

  • For Azure deployments using an App Gateway, the .pfx certificate must also be updated in the https listener for the gateway. Go to your Azure > Resource groups > App Gateway > Listeners and upload the new certificate.
