SSL certificate renewal automation
The SSL certificate is a key component of the solution as it ensures that the communication between the SaaS applications and UserLock SSO are safe. SSL certificates can now be generated for free, thanks to the initiative of the Internet Security Research Group (ISRG) and their service Let's Encrypt.
Although free, SSL certificates generated by Let's Encrypt have a limited lifetime (3 months) and require to be updated frequently to keep UserLock SSO working. However, several tools exist to automate this operation and we will detail here how to use the tool from Certify The Web as it provides everything we need to perform the automatic update of the SSL certificate.
- Download and install the Certify Certificate Manager tool from https://certifytheweb.com/
- Request a certificate using the documentation (https://docs.certifytheweb.com/docs/certificate-process).
- At the Deployment step, select "Certificate Store Only". By doing so, the certificate will be stored in the right place after having been generated.
- At the Tasks step, add a new Task and scroll down to select Run Powershell Script
- Name it UserLock SSO Binding or any other meaningful name and set the Trigger to Run On Success
- Create a file named UserLockSSOBinding.ps1 in a folder accessible from any account (C:\ProgramData\ISDecisions\UserLock\SSO\CertifyTheWeb for instance)
Copy the following contents in this file and update the $hostname and $port variables
# Use your UserLock SSO hostname and port as defined in the UserLock Console
$hostname = "sso.mydomain.com"
$port = 444
# Always useful to log
$logFile = "UserLockSSOBindingScript.log"
Write-Host "$(Get-Date) - Starting Post Certificate Generation Deployment Task"
# Check whether the generation was OK
Write-Host "$(Get-Date) - Certificate Generated: $($result.IsSuccess)"
Write-Host "$(Get-Date) - Certification generation failed => Exiting"
# Get the certificate thumbprint
$cert = $($result.ManagedItem.CertificateThumbprintHash)
Write-Host "$(Get-Date) - Certificate Thumbrint: $($cert)"
# Create a random Guid that will be used with netsh command
$guid = [guid]::NewGuid().ToString("B")
# Remove previous binding
Write-Host "$(Get-Date) - Removing binding for $($hostname):$port"
netsh http delete sslcert hostnameport=$($hostname):$port
# Create new binding
Write-Host "$(Get-Date) - Binding certificate $($cert) to $($hostname) with appId $($guid)"
netsh http add sslcert hostnameport="$($hostname):$($port)" certhash=$cert certstorename=MY appid="$($guid)"
# Stop the logging
- In Task Parameters tab, set the whole path of the script in the Program/Script field and click OK
- Save the configuration, test it and generate the first certificate. If there are any problems, check the log file.
You can verify that the new certificate is correctly installed by navigating to your UserLock SSO instance from a browser. Here you can check the certificate.