Generating and installing user certificates

  • Release version: Australia
  • Updated March 12, 2026
  • You can generate and install a user certificate for client authentication and code signing on your Windows machine if you have the admin role.

    Client authentication

    Client authentication enables mutual TLS (mTLS) authentication between the Unattended Robot application and the ServiceNow server while making a connection.

    You can either generate and install user certificates or export Active Directory certificates.

    Code signing certificate

    A code signing certificate is used for signing and verifying the automation packages from RPA Desktop Design Studio. This certificate detects any tampering or corruption of scripts before they're run.

    The code signing certificate is validated during the Unattended Robot and Attended Robot executions.

    If you don't have the Active Directory certificates, do the tasks in the following topics to generate and install user certificates. For more information, see Exporting Microsoft Active Directory certificates.

    Generate a user certificate from KeyStore Explorer

    Generate a user certificate for secure client authentication and code signing on your Windows machine using the KeyStore Explorer application. This reference procedure is one of many methods to generate a user certificate.

    Before you begin

    Do this task on your Windows machine.

    If user certificates are generated by your organization, then you can skip this procedure. You can proceed with installing the user certificate.

    If user certificates are not generated by your organization, you can either use this procedure or any other procedure to generate a client authentication certificate.

    Role required: admin

    About this task

    Important:
    The following procedure is for reference only. The steps may vary, depending on how certificates used within your organization are generated. Consult your IT administrator for more details.

    You can install the KeyStore Explorer application on your Windows machine and then use it to generate a client authentication certificate and a code signing certificate. Skip this task if you already have these certificates.

    Generate a client authentication certificate for authenticating the Unattended Robot application.

    Generate a code signing certificate for publishing an automation project from RPA Desktop Design Studio.

    Procedure

    1. Navigate to https://keystore-explorer.org/downloads.html.
    2. Download the latest setup.exe file for the Windows machine.
    3. To install the KeyStore Explorer, do the following actions:
      1. Open the downloaded setup.exe file.
      2. In the Select Setup Language dialog box, select a language to use during the installation and select OK.
      3. In the Welcome to the KeyStore Explorer Setup Wizard dialog box, select Next.
      4. In the Select Destination Location dialog box, select a folder to install the KeyStore Explorer and select Next.
      5. In the Select Start Menu Folder dialog box, to create shortcuts of the program in the default folder, select Next.
      6. In the Select Additional Tasks dialog box, select the additional tasks that you would like the setup to perform while installing the KeyStore Explorer and then select Next.
      7. In the Ready to Install dialog box, select Install.
      8. After the installation is complete, select Finish to exit.
    4. From your desktop, double-click the KeyStore Explorer icon and select Create a new KeyStore.
    5. In the New KeyStore Type dialog box, select JKS as a type of the new KeyStore and select OK.
      The new KeyStore appears as an additional Untitled tab.
    6. On the Untitled tab, right-click the screen and select Generate Key Pair.
    7. In the Generate Key Pair dialog box, select OK.
    8. In the Generate Key Pair Certificate dialog box, enter a name for the certificate.
    9. Generate a user certificate.
      Certificate type: mTLS authentication for client certificate
      Steps:
      1. In the Generate Key Pair Certificate dialog box, select Add Extensions.
      2. Select the Plus icon.
      3. In the Add Extension Type dialog box, select Extended Key Usage (EKU).
      4. In the Extended Key Usage Extension (EKU) dialog box, select Edit.
      5. In the Custom Extended Key Usage dialog box, select the Plus icon.
      6. In the Add Custom Extended Key Usage dialog box, in the Object Identifier field, enter 1.3.6.1.5.5.7.3.2 clientAuth.
      7. Select OK.

      Certificate type: Code signing certificate
      Steps:
      1. In the Generate Key Pair Certificate dialog box, select Add Extensions.
      2. In the Add Certificate Extensions dialog box, select Use Standard Template.
      3. In the Select a Standard Certificate dialog box, select Code Signing.
      4. Select OK.
      5. In the Add Certificate Extensions dialog box, select OK.
    10. In the Generate Key Pair Certificate dialog box, select the book icon against the Name field, and then do the following actions:
      1. In the Name dialog box, fill in the details of your organization.
      2. Select OK.
    11. In the Generate Key Pair Certificate dialog box, select OK.
    12. In the New Key Pair Entry Alias dialog box, enter an alias name in the Enter Alias field and select OK.
    13. In the New Key Pair Entry Password dialog box, do the following actions to generate a key pair:
      1. In the Enter New Password: field, enter a new password for the key pair.
      2. In the Confirm New Password: field, confirm the new password.
      3. Select OK.
      4. After the key pair is generated, select OK.
    14. On the Untitled tab, right-click this key, select View Details, and then select Certificate Chain Details.
    15. In the Certificate Details for Entry dialog box, select the PEM button.
    16. In the Certificate PEM dialog box, select Export.
    17. Select a location to save this file as a .pem file and select Save.
      Use this file to upload in the instance for creating a Certificate Authority (CA) chain record and user record.
    18. After the PEM is exported successfully, select OK and close all the tabs.
    19. On the Untitled tab, do the following actions to generate a .p12 file:
      1. Right-click the key entry, select Export, and then select Export Key Pair.
      2. In the Export Key Pair from KeyStore Entry dialog box, enter a password in the Password for Output File: field.
      3. In the Confirm Password field, confirm the password.
      4. Select Export.
        This file is saved as .p12 file and is used in Unattended Robot for authentication.
      5. After the key pair is exported successfully, in the Export Key Pair dialog box, select OK.
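
    The check below is an added example, not part of the product documentation: it loads the exported .p12 on the Windows machine and reports whether it carries a private key, is inside its validity period, and has the clientAuth or codeSigning EKU. The file path is a placeholder, and 1.3.6.1.5.5.7.3.3 is the standard codeSigning OID that the Code Signing template is assumed to set.

```powershell
# Added example, not from the product documentation.
# Placeholder path (assumption): point it at the .p12 exported in step 19.
$P12Path = 'C:\certs\robot-client.p12'

# clientAuth is the OID entered in step 9; codeSigning is the standard EKU OID
# that the Code Signing template is assumed to set.
$ClientAuthOid  = '1.3.6.1.5.5.7.3.2'
$CodeSigningOid = '1.3.6.1.5.5.7.3.3'

function Get-CertificateEkuReport {
    param(
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate
    )
    # Collect every OID listed in the Extended Key Usage extension, if present.
    $ekuType = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
    $ekuOids = @(
        $Certificate.Extensions |
            Where-Object { $_ -is $ekuType } |
            ForEach-Object { $_.EnhancedKeyUsages } |
            ForEach-Object { $_.Value }
    )
    $now = Get-Date
    [pscustomobject]@{
        Subject        = $Certificate.Subject
        Thumbprint     = $Certificate.Thumbprint
        HasPrivateKey  = $Certificate.HasPrivateKey
        NotAfter       = $Certificate.NotAfter
        InValidity     = ($now -ge $Certificate.NotBefore) -and ($now -le $Certificate.NotAfter)
        EkuOids        = $ekuOids -join ', '
        HasClientAuth  = $ekuOids -contains $ClientAuthOid
        HasCodeSigning = $ekuOids -contains $CodeSigningOid
    }
}

# Prompt for the export password instead of storing it in the script.
$password = Read-Host -Prompt "Password for $P12Path" -AsSecureString
$cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($P12Path, $password)
try {
    $report = Get-CertificateEkuReport -Certificate $cert
    $report | Format-List
    if (-not $report.HasPrivateKey) { Write-Warning 'The file contains no private key.' }
    if (-not $report.InValidity)    { Write-Warning 'The certificate is outside its validity period.' }
    if (-not ($report.HasClientAuth -or $report.HasCodeSigning)) {
        Write-Warning 'Neither the clientAuth nor the codeSigning EKU is present.'
    }
}
finally { $cert.Dispose() }
```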

    What to do next

    Activate the certificate-based authentication plugin, if you have the admin role. It is a prerequisite for registering the certificates on the instance. For more information, see Activate the certificate-based authentication.

    Register the user-generated client authentication certificate to make it available for authentication. For more information, see Register the CA certificate.

    Map the user-generated client authentication certificate to the user. For more information, see Map the PEM certificate to user.

    Install the generated client authentication and code signing certificates. For more information, see Install the user-generated certificates.

    Install the user-generated certificates

    Install the user-generated (client authentication and code signing) certificates on your Windows machine, if you have the admin role.

    Before you begin

    Generate a client authentication and a code signing certificate. For more information, see Generate a user certificate from KeyStore Explorer.

    Activate the certificate-based authentication plugin, if you have the admin role. It is a prerequisite for registering the certificates on the instance. For more information, see Activate the certificate-based authentication.

    Register the user-generated client authentication certificate to make it available for authentication. For more information, see Register the CA certificate.

    Map the user-generated client authentication certificate to the user. For more information, see Map the PEM certificate to user.

    Role required: admin

    About this task

    Important:
    The following procedure is for reference only. The installation steps may vary, depending on how certificates used within your organization are generated. Consult your IT administrator for more details.

    Procedure

    1. Double-click the certificate file to open the Certificate Import Wizard dialog box.
    2. From the Store Location list, select one of the following options:
      • If you’re installing a client authentication certificate, select Local Machine as the store location for the certificate.
      • If you’re installing a code signing certificate, select Current User as the store location for the certificate.
    3. Select Next.
    4. In the File to import dialog box, specify the file that you want to import in the File name field.
    5. Select Next.
    6. In the Private key protection dialog box, enter a password in the Password field for the private key.
    7. In the Import options section, select the Include all extended properties option.
    8. Select Next.
    9. In the Certificate Store dialog box, select the Automatically select the certificate store based on the type of certificate option, to enable the Windows machine to automatically select a certificate store.
    10. Select Next.
    11. In the Completing the Certificate Import Wizard dialog box, select Finish.
    12. In the Confirmation dialog box, select OK.

    What to do next

    Add the user to manage private keys. For more information, see Add user to manage private keys.

    Add user to manage private keys

    To complete the certificate generation, add the user to manage private keys on your Windows machine, if you have the admin role.

    Before you begin

    Install the user-generated (client authentication and code signing) certificates on your Windows machine, if you have the admin role. For more information, see Install the user-generated certificates.

    Role required: admin

    Procedure

    1. On your Windows machine, from the Search menu, enter Manage computer certificates.
    2. In the Certificate Manager tool, navigate to Certificates - Local Computer > Personal > Certificates.
    3. In the Certificate Import Wizard dialog box, right-click the installed certificate and then navigate to All Tasks > Manage Private Keys.
    4. In the Permissions dialog box, select Add.
    5. In the Select Users, Computers, Service Accounts, or Groups dialog box, in the Enter the Object names to select field, enter the user account that is used by the robot to log in to the machine.
    6. Select Check Names.
    7. Select the user account and then select OK.
    8. In the Permissions dialog box, select the added user, select the Read check box, and clear the Full control check box.
    9. Select Apply and then select OK.
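
    As an added example (not part of the product documentation), this script audits the result of the procedure above: it locates the private key file of the certificate installed in the Local Computer store and reports whether the robot account has Read without Full control. The thumbprint and account name are placeholders, and an RSA key pair is assumed.

```powershell
# Added example, not from the product documentation. Run in an elevated session.
# Placeholders (assumptions): replace both values with your own.
$Thumbprint   = '<THUMBPRINT-OF-INSTALLED-CERTIFICATE>'
$RobotAccount = 'EXAMPLE\svc-robot'

function Get-MachineKeyFile {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate)
    # Assumption: the key pair is RSA.
    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($Certificate)
    if ($null -eq $rsa) { throw 'No accessible RSA private key for this certificate.' }
    if ($rsa -is [System.Security.Cryptography.RSACng]) {
        $name = $rsa.Key.UniqueName
    } else {
        $name = $rsa.CspKeyContainerInfo.UniqueKeyContainerName
    }
    # Machine keys are stored as files: CNG keys under Crypto\Keys,
    # legacy CSP keys under Crypto\RSA\MachineKeys.
    foreach ($dir in 'Microsoft\Crypto\Keys', 'Microsoft\Crypto\RSA\MachineKeys') {
        $path = Join-Path (Join-Path $env:ProgramData $dir) $name
        if (Test-Path -LiteralPath $path) { return $path }
    }
    throw "Key file '$name' not found under $env:ProgramData\Microsoft\Crypto."
}

function Test-KeyAccess {
    param([string]$KeyFile, [string]$Account)
    $read = [int][System.Security.AccessControl.FileSystemRights]::Read
    $full = [int][System.Security.AccessControl.FileSystemRights]::FullControl
    # Only explicit Allow entries for the account are checked; access granted
    # through group membership is not resolved here.
    $combined = 0
    (Get-Acl -LiteralPath $KeyFile).Access |
        Where-Object { $_.AccessControlType -eq 'Allow' -and $_.IdentityReference.Value -eq $Account } |
        ForEach-Object { $combined = $combined -bor [int]$_.FileSystemRights }
    [pscustomobject]@{
        Account        = $Account
        KeyFile        = $KeyFile
        HasRead        = ($combined -band $read) -eq $read
        HasFullControl = ($combined -band $full) -eq $full
    }
}

$cert   = Get-Item -LiteralPath "Cert:\LocalMachine\My\$Thumbprint" -ErrorAction Stop
$result = Test-KeyAccess -KeyFile (Get-MachineKeyFile -Certificate $cert) -Account $RobotAccount
$result | Format-List
if (-not $result.HasRead)   { Write-Warning "$RobotAccount has no Read entry on the private key." }
if ($result.HasFullControl) { Write-Warning "$RobotAccount has Full control; step 8 grants Read only." }
```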

    What to do next

    Select the installed certificate in the Certificate field to do either of the following actions: