How to replace an SSL certificate on the RPI application server
This information is only relevant to RPI v6 and earlier.
Overview
The following procedure describes the steps needed to replace an SSL certificate on an RPI application server.
This article is intended for Redpoint Interaction system administrators.
Step 1: Import the new SSL certificate on the Windows server where RPI is installed
Make sure MMC and the Certificate snap-in are available
To ensure MMC and the Certificate snap-in are available:
On the Windows Server computer, select Start and type mmc.exe.
In the MMC window, go to File>Add/Remove Snap-in.
In the Add or Remove Snap-ins window, select Certificates and choose Add.
In the Certificates snap-in window, select Computer account.
Choose Next.
Select Local computer.
Choose Finish.
In the Add or Remove Snap-ins window, select OK.
Import the signed certificate into the certificate store
To import the signed certificate into the certificate store:
In the MMC window on the Windows Server host, expand the Certificates (Local Computer) node and select the Personal folder.
In the Actions pane, go to More Actions>All Tasks>Import.
In the Certificate Import wizard, select Next and browse to the location where the certificate is stored.
Select the certificate file and select Open.
To display your certificate file type, you can select its file format from the File name drop-down menu.
Type the password for the private key that is included in the certificate file.
Select Mark this key as exportable.
Choose Include all extended properties.
Select Next.
Choose Finish.
The new certificate appears in the Certificates (Local Computer) > Personal > Certificates folder.
To verify that the new certificate contains a private key:
Go to the Certificates (Local Computer)>Personal>Certificates folder.
Double-click the new certificate.
In the General tab of the Certificate Information dialog box, verify that the following statement appears: “You have a private key that corresponds to this certificate”.
Step 2: Add the new certificate to the RPI website bindings
To add the new certificate to the RPI website bindings:
Launch IIS Manager and navigate to Server Certificates. The certificate imported in the previous section should be listed and shown as valid.
Expand the Sites node in IIS, then right-click on RPIWebSite.
Choose Edit Bindings…
Select the https entry.
Choose Edit.
Select the new SSL certificate from the SSL certificate drop-down box.
Step 3: Determine the thumbprint for the new SSL cert and add it to RPI configuration files
To determine the thumbprint for the new SSL cert and add it to the RPI configuration files:
Launch IIS Manager and double-click on Server Certificates.
Double-click on the new SSL cert entry to bring up the properties dialog.
Select the Details tab and then scroll down to and select the Thumbprint property.
Select and copy the thumbprint, paste it into a text editor, and remove all the spaces. For example, if this is the raw value of the thumbprint after copying it out of the Certificate properties dialog:
33 7d 29 db c5 f3 59 6d 0f e3 af 87 87 6f 0b 68 b7 e0 2b 9f
Then take out all the spaces so the final value appears as below. Keep an eye out for odd characters added by Notepad, etc., such as question marks; copy and paste the new value into a command prompt to validate:
337d29dbc5f3596d0fe3af87876f0b68b7e02b9f
For the following configuration file, open it as Administrator with a text editor. Find the XML tag that looks like the line below, then replace the old thumbprint with the new one obtained above:
<serviceCertificate findValue="old 40-Character-Thumbprint" x509FindType="FindByThumbprint" />
Config File: \RedPoint Global\RedPoint Interaction\Node Manager\Resonance.NodeManagerService.exe.config
Then update the columns [ServerName] & [ExternalServerName] within [Pulse].[dbo].[rpi_ClusterNodes] to match the SSL Cert friendly name.
Step 4: Use NETSH to delete the old certificate binding on port 8000* or port 8180* and then add the new one
The node manager port is typically 8000 for older RPI versions and 8180 for newer RPI versions. If you are unsure which port node manager is using, you can run this query against the Pulse database to determine which port it is:
SELECT NodeManagerPortNumber FROM rpi_ClusterNodes
Adjust the port value in the steps below accordingly.
Open up an administrator command prompt on your Windows RPI server.
Remove the old certificate binding by issuing the following command:
netsh http delete sslcert ipport=0.0.0.0:8180
Add the new binding by issuing this command, making sure to replace the "40-Character-Thumbprint" string with your new cert thumbprint:
netsh http add sslcert ipport=0.0.0.0:8180 certhash=40-Character-Thumbprint appid={43ca8e8f-5ba3-4ce4-b9f8-bcdbca571060}
Restart IIS by using this command from the command prompt:
iisreset
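A read-only check for Steps 3 and 4, as an added PowerShell example that is not part of the original article or Redpoint's own tooling: it strips hidden characters from the pasted thumbprint, confirms the certificate is in the Local Computer Personal store with a private key, and confirms the node manager port is bound to it. The variable values and the Get-CleanThumbprint function name are illustrative assumptions.

```powershell
# Added example, not vendor code. Run in an elevated PowerShell session.
# Assumptions: replace $pasted with your own thumbprint and $port with your port.
$pasted = '33 7d 29 db c5 f3 59 6d 0f e3 af 87 87 6f 0b 68 b7 e0 2b 9f'  # sample value from the article
$port   = 8180                                                            # 8000 on older installs

function Get-CleanThumbprint {
    param([string]$Raw)
    # Report anything that is not a hex digit or whitespace, e.g. the invisible
    # U+200E mark that can be picked up when copying from the certificate dialog.
    $odd = $Raw.ToCharArray() | Where-Object { $_ -notmatch '[0-9A-Fa-f\s]' }
    foreach ($c in $odd) {
        Write-Warning ('Dropping unexpected character U+{0:X4}' -f [int]$c)
    }
    $clean = ($Raw -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
    if ($clean.Length -ne 40) {
        throw "Expected 40 hex characters, got $($clean.Length)"
    }
    return $clean
}

$thumb = Get-CleanThumbprint -Raw $pasted

# The certificate must be in LocalMachine\My (Personal) and carry its private key.
$cert = Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object { $_.Thumbprint -eq $thumb }
if (-not $cert) { throw "No certificate with thumbprint $thumb in LocalMachine\My" }
if (-not $cert.HasPrivateKey) { throw 'Certificate has no private key' }
if ($cert.NotAfter -lt (Get-Date)) { throw "Certificate expired on $($cert.NotAfter)" }

# Compare against what HTTP.sys actually has bound on the node manager port.
# Whitespace is stripped so the match does not depend on localized labels.
$binding   = (netsh http show sslcert "ipport=0.0.0.0:$port") -join "`n"
$boundHash = ($binding -replace '\s', '').ToUpperInvariant()
if ($boundHash -notmatch $thumb) {
    throw "Port $port is not bound to $thumb"
}
"OK: $($cert.Subject) is bound on port $port, expires $($cert.NotAfter)"
```

The script changes nothing on the server; a thrown error identifies which step of the procedure needs to be repeated.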