Configuring ThingWorx Flow hostname (NGINX server) with CA-signed Certificate
If you have a dedicated private key and a certificate (CRT) file containing the public key:
1. Make sure the CRT file is issued by a trusted Certificate Authority and is Base64 (PEM) encoded.
2. Stop the ThingWorxFlowNginx service.
3. Navigate to the following path:
<ThingWorx Flow Installation directory>\SSL
4. Copy the following files to a backup folder for recovery:
orchestration.crt
orchestration.key
extra.crt
nginx-keyfile
5. Replace the contents of the orchestration.crt file with the contents of the CRT file. This file may contain the full certificate chain in PEM format in the order: Server, Intermediate, and Root. For more details, refer to the note below.
Note:
In addition to the site certificate, it may be necessary to include the CA root and any intermediate certificates in the chain.
The order of the certificates in the chain must be as follows:
a. The first certificate in the chain must be your domain’s certificate.
b. The second certificate in the chain must be the certificate of your certificate issuer, and so on up to the root certificate.
For example:
-----BEGIN CERTIFICATE-----
(Your Primary SSL certificate: your_domain_name.crt)
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
(Your Intermediate certificate: DigiCertCA.crt)
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
(Your Root certificate: TrustedRoot.crt)
-----END CERTIFICATE-----
Note:
The file names are for example purposes only. Every BEGIN and END marker must have exactly five dashes on each side. For more detailed instructions, refer to your CA's site, for example the article How to Create a .pem File for SSL Certificate Installations.
6. Copy the orchestration.crt to the extra.crt file. Make sure that orchestration.crt and extra.crt files are identical.
7. (Optional) For security reasons, it is recommended that you change the encryption key. Open the nginx-keyfile file, note the current encryption key value, and change it. The value can be any string; it is the password used to encrypt the private key in the next step.
8. Using Keystore Explorer or openssl, encrypt the private key:
openssl rsa -aes256 -passout pass:<password in nginx-keyfile> -in <private.key> -out <encrypted_orchestration.key>
Where:
private.key: the file path of the private key file
encrypted_orchestration.key: the file path where the command saves the encrypted private key
A new file, encrypted_orchestration.key, is created.
9. Replace the contents of the orchestration.key file with the contents of the encrypted_orchestration.key file.
10. Start the ThingWorxFlowNginx service.
Note:
If a self-signed certificate is created (for example, while replacing an expired self-signed certificate) instead of a CA-signed certificate, refer to Regenerating a Self-Signed Certificate.
If you want to use the ThingWorx Flow certificate:
1. Stop the ThingWorxFlowNginx service.
2. Open the Tomcat keystore.jks file in Keystore Explorer.
3. Right-click on the keypair and select Export > Export Private Key.
4. Enter the Tomcat Key Pair Alias Password and click OK.
5. Select the type OpenSSL.
6. Enter the encryption password and PEM password in the fields.
7. Browse to any location and click Export.
Note:
The exported file is the orchestration.key.
The password created in step (6) is copied to nginx-keyfile.
8. Right-click on the keypair and select Export Certificate Chain.
9. Browse to any location and click Export.
Note:
The exported file is orchestration.crt and contains the server certificate.
10. Browse to <ThingWorx Flow Installation directory>\SSL.
11. Move all the files in this folder to a backup folder.
12. Copy the following files to <ThingWorx Flow Installation directory>\SSL:
orchestration.crt—Created in step (9). Contains the server certificate.
orchestration.key—Created in step (7).
nginx-keyfile—Replace the content of the file with the password specified in step (6) while exporting the private key.
extra.crt—Copy the orchestration.crt to the extra.crt file. After copying, make sure that the orchestration.crt and extra.crt files are identical. This file contains the full certificate chain in PEM format in the following order: Server, Intermediate, and Root.
13. Start the ThingWorxFlowNginx service.
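Both procedures above end with the same files in the SSL folder, and a defect in them (a marker with the wrong number of dashes, an extra.crt that drifted from orchestration.crt, a private key that was never encrypted) only shows up when the ThingWorxFlowNginx service is restarted. The following Python helper is an added example, not part of ThingWorx Flow: it checks that orchestration.crt is a well-formed PEM certificate chain, that extra.crt is identical to it, and that orchestration.key is an encrypted key in either the traditional Proc-Type/DEK-Info form that openssl rsa -aes256 writes or a PKCS#8 ENCRYPTED PRIVATE KEY block. Function names and messages are the example's own; the file contents are passed in as strings.

```python
import base64
import re

# One PEM block: exactly five dashes on every marker (a truncated "----" is not valid PEM).
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\n(.*?)\n-----END \1-----", re.S)

def parse_pem(text):
    """Return [(label, headers, der)] per block; ValueError on stray text or bad base64."""
    text, blocks, end = text.replace("\r\n", "\n"), [], 0
    for m in list(PEM_BLOCK.finditer(text)) + [None]:
        gap = text[end:m.start() if m else None].strip()
        if gap:
            raise ValueError("malformed PEM marker near %r" % gap[:40])
        if m is None:
            return blocks
        label, body, headers = m.group(1), m.group(2), {}
        if ":" in body.split("\n", 1)[0]:       # RFC 1421 headers (Proc-Type, DEK-Info)
            head, _, body = body.partition("\n\n")
            headers = dict(line.split(": ", 1) for line in head.splitlines())
        try:
            der = base64.b64decode("".join(body.split()), validate=True)
        except ValueError as e:   # binascii.Error is a ValueError
            raise ValueError("%s block is not valid base64 (check its markers): %s" % (label, e))
        blocks.append((label, headers, der))
        end = m.end()

def key_is_encrypted(label, headers):
    """True for the 'openssl rsa -aes256' form (Proc-Type: 4,ENCRYPTED plus DEK-Info) or PKCS#8."""
    return label == "ENCRYPTED PRIVATE KEY" or (label.endswith("PRIVATE KEY")
        and headers.get("Proc-Type") == "4,ENCRYPTED" and "DEK-Info" in headers)

def check_ssl_files(orchestration_crt, extra_crt, orchestration_key):
    """Return the problems found in the SSL-folder files (as text); [] means consistent."""
    problems = []
    try:
        certs = parse_pem(orchestration_crt)
        if not certs or any(label != "CERTIFICATE" for label, _, _ in certs):
            problems.append("orchestration.crt must hold one or more CERTIFICATE blocks")
    except ValueError as e:
        problems.append("orchestration.crt: %s" % e)
    if orchestration_crt != extra_crt:
        problems.append("extra.crt is not identical to orchestration.crt")
    try:
        keys = parse_pem(orchestration_key)
        if len(keys) != 1 or not key_is_encrypted(*keys[0][:2]):
            problems.append("orchestration.key is not a single encrypted private key")
    except ValueError as e:
        problems.append("orchestration.key: %s" % e)
    return problems
```

Read the three files from the SSL folder and pass their contents to check_ssl_files before starting the service; it reports structure only and does not verify the chain's signatures or that the key matches the certificate, which openssl verify and openssl x509/rsa -modulus cover.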