# Create a Control Room Certificate on Windows

## Create the Certificate

Watch this [YouTube video](https://youtu.be/LSP4wZfi-i8) from 0:30 to 3:47. Here are the written instructions:

* Open PowerShell
* Verify you have the PKI (Public Key Infrastructure) module by making sure the following command returns similar output:

  ```
  $ Get-Command -Module PKI
  CommandType     Name                                               Version    Source
  -----------     ----                                               -------    ------ 
  Cmdlet          Add-CertificateEnrollmentPolicyServer              1.0.0.0    PKI    
  Cmdlet          Export-Certificate                                 1.0.0.0    PKI    
  Cmdlet          Export-PfxCertificate                              1.0.0.0    PKI    
  Cmdlet          Get-Certificate                                    1.0.0.0    PKI    
  Cmdlet          Get-CertificateAutoEnrollmentPolicy                1.0.0.0    PKI    
  Cmdlet          Get-CertificateEnrollmentPolicyServer              1.0.0.0    PKI    
  Cmdlet          Get-CertificateNotificationTask                    1.0.0.0    PKI    
  Cmdlet          Get-PfxData                                        1.0.0.0    PKI    
  Cmdlet          Import-Certificate                                 1.0.0.0    PKI    
  Cmdlet          Import-PfxCertificate                              1.0.0.0    PKI    
  Cmdlet          New-CertificateNotificationTask                    1.0.0.0    PKI    
  Cmdlet          New-SelfSignedCertificate                          1.0.0.0    PKI    
  Cmdlet          Remove-CertificateEnrollmentPolicyServer           1.0.0.0    PKI    
  Cmdlet          Remove-CertificateNotificationTask                 1.0.0.0    PKI    
  Cmdlet          Set-CertificateAutoEnrollmentPolicy                1.0.0.0    PKI    
  Cmdlet          Switch-Certificate                                 1.0.0.0    PKI    
  Cmdlet          Test-Certificate                                   1.0.0.0    PKI 
  ```
* Create the certificate for your domain name (replace `DOMAIN_NAME` with your actual domain name, e.g. `my-controlroom.eastus.cloudapp.azure.com`):

  ```
  New-SelfSignedCertificate -Subject "CN=DOMAIN_NAME" -FriendlyName "DOMAIN_NAME" -DnsName "DOMAIN_NAME" -NotAfter (Get-Date).AddMonths(36) -CertStoreLocation Cert:\LocalMachine\My
  ```
* Open MMC (Microsoft Management Console) with the following command:

  ```
  mmc
  ```
* Find the newly created certificate in MMC (easiest to follow along in the YouTube video):
  * File > Add/Remove Snap-in… > Certificates > Add > Computer account > Next > Local computer > Finish > OK
  * Certificates (Local Computer) > Personal > Certificates > YOUR\_CERTIFICATE
* Export the certificate to a file:
  * Right click on your cert > All Tasks > Export
  * From the “Certificate Export Wizard”
    * Yes, export the private key
    * Check “Include all certificates in the certification path if possible”
    * Uncheck “Enable certificate privacy”
    * Set password (anything should be fine)
    * File can go anywhere you want (used in the next step as `PFX_FILE_PATH`)
    * Finish
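
The create and export steps above can also be scripted with cmdlets from the same PKI module, followed by a check that the exported file really contains the certificate. This is an added example, not part of the original instructions or of Automation Anywhere's documentation; `$DomainName`, `$PfxPath` and the output location are assumptions, and it relies on the cmdlet's default PFX encryption rather than reproducing the wizard's "Enable certificate privacy" choice.

```powershell
# Added example: scripted equivalent of the create + export steps above.
# Run in an elevated PowerShell session (the LocalMachine store requires it).
# $DomainName and $PfxPath are placeholders chosen for this example.
$DomainName = 'DOMAIN_NAME'                      # e.g. my-controlroom.eastus.cloudapp.azure.com
$PfxPath    = "$env:USERPROFILE\controlroom.pfx" # assumed output path (PFX_FILE_PATH)

# Prompt for the PFX password so it never appears in script text or history.
$PfxPassword = Read-Host -Prompt 'PFX password' -AsSecureString

# Same parameters as the New-SelfSignedCertificate command above.
$cert = New-SelfSignedCertificate -Subject "CN=$DomainName" `
    -FriendlyName $DomainName -DnsName $DomainName `
    -NotAfter (Get-Date).AddMonths(36) `
    -CertStoreLocation Cert:\LocalMachine\My

# Confirm the certificate landed in the store together with its private key.
$stored = Get-Item -Path "Cert:\LocalMachine\My\$($cert.Thumbprint)"
if (-not $stored.HasPrivateKey) {
    throw "Certificate $($stored.Thumbprint) has no private key; the export would be unusable."
}

# Export the private key and the certification path
# (wizard: "Include all certificates in the certification path if possible").
Export-PfxCertificate -Cert $stored -FilePath $PfxPath `
    -Password $PfxPassword -ChainOption BuildChain | Out-Null

# Re-open the PFX with the same password and check that it holds this certificate.
$pfx  = Get-PfxData -FilePath $PfxPath -Password $PfxPassword
$leaf = $pfx.EndEntityCertificates | Where-Object Thumbprint -eq $stored.Thumbprint
if (-not $leaf) {
    throw "Exported PFX does not contain certificate $($stored.Thumbprint)."
}

# Summary to compare against what the Control Room presents later.
[pscustomobject]@{
    Subject    = $leaf.Subject
    NotAfter   = $leaf.NotAfter
    Thumbprint = $leaf.Thumbprint
    PfxPath    = $PfxPath
}
```

The PFX file holds the server's private key, so keep it in a location only administrators can read and delete it once the certificate has been set on the server.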

## Set the Certificate on the Server

See [official Automation Anywhere source documentation](https://docs.automationanywhere.com/bundle/enterprise-v2019/page/enterprise-cloud/topics/deployment-planning/on-prem-install/cloud-config-control-room-https-import-cert.html).

* Open PowerShell in administrator mode
* Navigate to your AA installation path, probably `C:\Program Files\Automation Anywhere\Automation360`

  ```
  cd "C:\Program Files\Automation Anywhere\Automation360"
  ```
* Run the following command (replace `AA_INSTALLATION_PATH` with the AA path from the last step, `PFX_FILE_PATH` with the file path set above and `PASSWORD` with the password set above):

  ```
  jdk11\bin\java -jar certmgr.jar -appDir "AA_INSTALLATION_PATH" -setServerCert "PFX_FILE_PATH" -privateKeyPass PASSWORD
  ```
* Restart the “Automation Anywhere Control Room Reverse Proxy” service (see [here](https://kb.wisc.edu/helpdesk/page.php?id=36667))
* Navigate to your Control Room URL (on any machine) and notice it’s using the new certificate. However, it’s still not trusted. See the next section to trust it.

## Trust the Certificate on the Client

See [official Automation Anywhere source documentation](https://docs.automationanywhere.com/bundle/enterprise-v2019/page/enterprise-cloud/topics/deployment-planning/on-prem-install/cr-self-signed-certificate-java-credential-store.html).
