Regenerating a Self-Signed Certificate
Perform the following steps to regenerate the orchestration.key, orchestration.csr and orchestration.crt files in the <ThingWorx_Flow_Install_Location>/SSL directory:
1. Back up the <ThingWorx_Flow_Install_Location>/SSL directory.
2. Delete all files under the <ThingWorx_Flow_Install_Location>/SSL directory.
3. Using the openssl utility, run the following commands to generate the private key, the certificate signing request and the self-signed certificate:
◦ <openssl_cmd> req -nodes -sha256 -newkey rsa:2048 -config <openssl_conf> -keyout "<ThingWorx_Flow_Install_Location>/SSL/orchestration.key" -subj "/C=<C>/O=<O>/OU=<OU>/CN=<CN>" -out "<ThingWorx_Flow_Install_Location>/SSL/orchestration.csr"
◦ <openssl_cmd> x509 -req -days 365 -sha256 -in "<ThingWorx_Flow_Install_Location>/SSL/orchestration.csr" -signkey "<ThingWorx_Flow_Install_Location>/SSL/orchestration.key" -out "<ThingWorx_Flow_Install_Location>/SSL/orchestration.crt"
where:
<C>—Country name (2-letter code)
<O>—Organization name (for example, the company)
<OU>—Organizational unit name (for example, the department or section)
<CN>—Common name: the fully qualified domain name of the server (for example, win-f3ai9djq75j)
<openssl_cmd>—Windows: Run cd C:/opscode/chef/embedded/bin or cd C:/cinc-project/cinc/embedded/bin, then type openssl and run the above command.
Linux: Type openssl, and run the above command.
<openssl_conf>—Windows: C:/opscode/chef/embedded/ssl/openssl.cnf or C:/cinc-project/cinc/embedded/ssl/openssl.cnf
Linux: /etc/pki/tls/openssl.cnf
For example, on Windows (the CSR written by the first command is the input of the second):
Windows—C:/opscode/chef/embedded/bin/openssl req -nodes -sha256 -newkey rsa:2048 -config C:/opscode/chef/embedded/ssl/openssl.cnf -keyout "C:\orchestration.key" -subj "/C=US/O=PTC/OU=IT Department/CN=WIN-F3AI9DJQ75J" -out "C:\orchestration.csr"
Windows—C:/opscode/chef/embedded/bin/openssl x509 -req -days 365 -sha256 -in "C:\orchestration.csr" -signkey "C:\orchestration.key" -out "C:\orchestration.crt"
4. For ThingWorx Flow 9.1.0 and later, and ThingWorx Flow 9.0.3 and later:
a. Under the <ThingWorx_Flow_Install_Location>/SSL folder, create a file named nginx-keyfile containing a new password; this password is used to encrypt the private key in the next step.
b. Using the openssl utility, run the following command to encrypt the nginx private key:
<openssl_cmd> rsa -aes256 -passout pass:<Same password as defined in the nginx-keyfile> -in "<ThingWorx_Flow_Install_Location>/SSL/orchestration.key" -out "<ThingWorx_Flow_Install_Location>/SSL/orchestration_enc.key"
c. Delete orchestration.key and rename orchestration_enc.key to orchestration.key.
5. (Linux only) Set the following ownership and SELinux context, where flowuser is the user that ran the ThingWorx Flow installer:
◦ sudo chown flowuser:flowuser <ThingWorx_Flow_Install_Location>/SSL/orchestration.crt
◦ sudo chown flowuser:flowuser <ThingWorx_Flow_Install_Location>/SSL/orchestration.key
◦ sudo chcon -t httpd_sys_content_t <ThingWorx_Flow_Install_Location>/SSL/orchestration.crt
◦ sudo chcon -t httpd_sys_content_t <ThingWorx_Flow_Install_Location>/SSL/orchestration.key
◦ For ThingWorx Flow 9.1.0 and later, and ThingWorx Flow 9.0.3 and later:
▪ sudo chown flowuser:flowuser <ThingWorx_Flow_Install_Location>/SSL/nginx-keyfile
▪ sudo chcon -t httpd_sys_content_t <ThingWorx_Flow_Install_Location>/SSL/nginx-keyfile
6. Edit the extra.crt file in the <ThingWorx_Flow_Install_Location>/SSL folder and replace the first certificate in it with the content of the new self-signed certificate (orchestration.crt). Leave any further certificates in the file in place.
7. Restart the RabbitMQ, ThingWorx-Flow, Nginx, and ThingWorx-Foundation services.
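The following POSIX shell script is an added example, not PTC's own tooling: it runs steps 3 through 6 of the procedure above from one place and, before step 7 restarts anything, checks the outcome that the procedure relies on but does not verify: that the encrypted orchestration.key opens with the password in nginx-keyfile, that its public key is the one in orchestration.crt, that the certificate is not about to expire, and that extra.crt still contains every certificate after the first. It assumes the openssl CLI is on PATH (set OPENSSL_CONF to the openssl.cnf path from the procedure if openssl cannot find a default configuration, as in the Windows case) and that the caller supplies the SSL directory, subject and password; the file names and the 365-day lifetime are the ones the procedure uses. The permission step only applies on Linux and must run as root (or via sudo), as the procedure shows.

```shell
#!/bin/sh
# Added example (not PTC's script): regenerate the self-signed pair the
# procedure describes, encrypt the key with the nginx-keyfile password,
# fix up extra.crt, and verify the result before the services restart.
# Assumes: openssl on PATH; caller passes SSL directory, subject, password.
set -u

# Step 3: orchestration.key, orchestration.csr and a 365-day self-signed
# orchestration.crt in $1 for subject $2 (e.g. "/C=US/O=PTC/OU=IT/CN=host").
regen_self_signed() {
  ssl_dir=$1; subject=$2
  mkdir -p "$ssl_dir" || return 1
  openssl req -nodes -sha256 -newkey rsa:2048 \
    -keyout "$ssl_dir/orchestration.key" -subj "$subject" \
    -out "$ssl_dir/orchestration.csr" 2>/dev/null || return 1
  openssl x509 -req -days 365 -sha256 -in "$ssl_dir/orchestration.csr" \
    -signkey "$ssl_dir/orchestration.key" \
    -out "$ssl_dir/orchestration.crt" 2>/dev/null
}

# Step 4: write the password to nginx-keyfile, encrypt the key with the
# password read back from that file (so the two cannot drift apart), then
# replace the plaintext key under its original name.
encrypt_key_with_keyfile() {
  ssl_dir=$1; password=$2
  # The file holds a password; the example creates it owner-readable only.
  ( umask 077; printf '%s\n' "$password" > "$ssl_dir/nginx-keyfile" ) || return 1
  openssl rsa -aes256 -passout "file:$ssl_dir/nginx-keyfile" \
    -in "$ssl_dir/orchestration.key" \
    -out "$ssl_dir/orchestration_enc.key" 2>/dev/null || return 1
  rm -f "$ssl_dir/orchestration.key" &&
    mv "$ssl_dir/orchestration_enc.key" "$ssl_dir/orchestration.key"
}

# Step 5 (Linux only, run as root): hand the files to the installer user and,
# where SELinux is enabled, label them so nginx may read them.
set_flow_permissions() {
  ssl_dir=$1; owner=$2
  for f in orchestration.crt orchestration.key nginx-keyfile; do
    chown "$owner:$owner" "$ssl_dir/$f" || return 1
    if command -v selinuxenabled >/dev/null 2>&1 && selinuxenabled; then
      chcon -t httpd_sys_content_t "$ssl_dir/$f" || return 1
    fi
  done
}

# Step 6: replace only the first PEM certificate block in extra.crt ($1)
# with the new certificate ($2); later blocks (e.g. CA certs) are kept.
replace_first_cert() {
  bundle=$1; new_cert=$2
  { cat "$new_cert"
    awk '/-----BEGIN CERTIFICATE-----/ { n++ } n != 1 { print }' "$bundle"
  } > "$bundle.tmp" && mv "$bundle.tmp" "$bundle"
}

count_certs() { grep -c -- '-----BEGIN CERTIFICATE-----' "$1"; }

# Checks to run before step 7. A plaintext key would pass the next check
# too, so confirm encryption explicitly (both PEM forms say ENCRYPTED).
key_is_encrypted() { grep -q ENCRYPTED "$1/orchestration.key"; }

# The key must open with the nginx-keyfile password and its public key
# must be the one embedded in the certificate.
key_matches_cert() {
  ssl_dir=$1
  cert_pub=$(openssl x509 -noout -pubkey -in "$ssl_dir/orchestration.crt") || return 1
  key_pub=$(openssl pkey -pubout -passin "file:$ssl_dir/nginx-keyfile" \
    -in "$ssl_dir/orchestration.key" 2>/dev/null) || return 1
  [ "$cert_pub" = "$key_pub" ]
}

# 0 if the certificate is valid now and for at least $2 more seconds.
cert_valid_for() {
  openssl x509 -noout -checkend "$2" -in "$1/orchestration.crt" >/dev/null
}
```

Typical use on a Linux host is `regen_self_signed "$SSL" "/C=US/O=PTC/OU=IT Department/CN=$(hostname -f)"`, then `encrypt_key_with_keyfile`, `set_flow_permissions "$SSL" flowuser`, `replace_first_cert "$SSL/extra.crt" "$SSL/orchestration.crt"`, and the three checks; only when `key_is_encrypted`, `key_matches_cert` and `cert_valid_for "$SSL" 86400` all return 0 is it worth restarting RabbitMQ, ThingWorx-Flow, Nginx and ThingWorx-Foundation. Reading the password for `openssl rsa` from nginx-keyfile rather than retyping it is the design point: a mismatch between the two is exactly the failure that would otherwise only surface when Nginx fails to start.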