How to apply Time and Attendance SSL certificate

Description of Issue

Where to find the Time and Attendance SSL configuration notes in the Time and Attendance server installation environment, and how to install a new certificate.

Context
  • Time and Attendance
  • ExecuTime
  • SSL
Cause

The SSL certificate for Time and Attendance is expired or nearing expiration.  

Resolution

Note: Private/self-signed certificates are not trusted by the Time and Attendance application Java keystore; certificates from a public CA vendor are highly recommended.

Note: This certificate needs to be in PFX format with a private key password.

Note: Private key/Certificate passwords cannot contain the following special characters: <>"^;&'

Note: The SSL configuration notes are found inside the Time and Attendance WildFly folder, for example "C:\ET_prod\WildFly\ExecuTime_Config_Read_Me.txt".

  1. Select Windows Start
  2. Type File Explorer and select Enter
  3. Place the copy of the new certificate in a permanent location
    1. The .pfx SSL certificate needs to be placed outside the Time and Attendance environment folder, in a path that the Tyler Deployment Tool can use when upgrading Time and Attendance (e.g. <Drive>:TylerInstalls\Cert\ETCert.pfx).
  4. Navigate to [DRIVE:\]{InstanceName}\WildFly\standalone\configuration
  5. Place the copy of the new certificate in this folder
  6. Rename the certificate to ETCert.pfx
  7. Open the standalone.xml file in Notepad++
  8. Search for <ssl> (it is right near the top)
  9. Inside the <ssl> tag there is a keystore tag; by default it looks like this:
    1. <keystore path="application.keystore" relative-to="jboss.server.config.dir" keystore-password="password" alias="server" key-password="password" generate-self-signed-certificate-host="localhost"/>
  10. Change it to this:
    1. <keystore path="ETCert.pfx" relative-to="jboss.server.config.dir" keystore-password="KeystorePassword" alias="server" key-password="KeystorePassword" generate-self-signed-certificate-host="localhost"/>
    2. Note: 'ETCert.pfx' must match the file name of the certificate and 'KeystorePassword' must match the password for the new certificate
  11. Restart the ExecuTime service (see "How to restart the ExecuTime Service - OnPrem")
  12. Update the certificate for the IIS binding that Tyler Workflow uses (see "Update SSL Certificate in IIS")
  13. Access the Time and Attendance environment URLs and verify the certificate has been updated
  14. Update the certificate path and password in Tyler Deploy for Time and Attendance environments (see "How to update the SSL Certificate Path and SSL Password in Tyler Deploy for Time and Attendance environments")
    1. Note: Not updating the certificate in Tyler Deploy after new certificates have been applied to Time and Attendance environments will result in expired certificates being deployed on environments that receive upgrades. 
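
A pre-flight check for the steps above, as an added PowerShell example (not part of the original article or of Tyler's tooling): before the service restart it confirms that the password avoids the disallowed characters, that the .pfx opens with that password, holds a private key, is not expired or self-signed, and that the keystore tag in standalone.xml points at the same file and password. The function name Test-EtCertificate is hypothetical, and the script assumes the first <ssl> tag in standalone.xml is the one edited in step 9.

```powershell
# Added example: pre-flight check to run before restarting the ExecuTime service.
# Test-EtCertificate is a hypothetical helper name, not a Tyler or WildFly command.
function Test-EtCertificate {
    param(
        [Parameter(Mandatory)] [string] $PfxPath,        # the ETCert.pfx placed in step 5
        [Parameter(Mandatory)] [string] $StandaloneXml,  # the standalone.xml edited in step 7
        [Parameter(Mandatory)] [securestring] $Password
    )
    $problems = @()
    # Plain text is needed to test the character rule and to compare with standalone.xml.
    $plain = [System.Net.NetworkCredential]::new('', $Password).Password
    if ($plain -match '[<>"^;&'']') {
        $problems += 'Password contains one of the disallowed characters: <>"^;&'''
    }
    try {
        # Import throws when the password is wrong or the file is not a valid PFX.
        $file  = (Resolve-Path -LiteralPath $PfxPath -ErrorAction Stop).Path
        $flags = [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::DefaultKeySet
        $certs = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2Collection
        $certs.Import($file, $plain, $flags)
        $leaf = $certs | Where-Object { $_.HasPrivateKey } | Select-Object -First 1
        if (-not $leaf) {
            $problems += 'PFX contains no certificate with a private key'
        } else {
            # Subject equal to Issuer means the certificate signed itself.
            if ($leaf.NotAfter -lt (Get-Date)) { $problems += "Certificate expired on $($leaf.NotAfter)" }
            if ($leaf.Subject -eq $leaf.Issuer) { $problems += 'Certificate is self-signed' }
        }
    } catch {
        $problems += "Cannot open PFX: $($_.Exception.Message)"
    }
    # Locate <keystore> inside the first <ssl> tag, ignoring the XML namespace.
    [xml]$cfg = Get-Content -LiteralPath $StandaloneXml -Raw -ErrorAction Stop
    $ks = $cfg.SelectSingleNode("//*[local-name()='ssl']/*[local-name()='keystore']")
    if (-not $ks) {
        $problems += 'No <ssl>/<keystore> element found in standalone.xml'
    } else {
        if ($ks.GetAttribute('path') -ne (Split-Path $PfxPath -Leaf)) {
            $problems += "keystore path '$($ks.GetAttribute('path'))' does not match the PFX file name"
        }
        foreach ($attr in 'keystore-password', 'key-password') {
            if ($ks.GetAttribute($attr) -cne $plain) { $problems += "$attr does not match the PFX password" }
        }
    }
    $problems   # no output means every check passed
}
```

Supply the password with `-Password (Read-Host 'PFX password' -AsSecureString)` so it does not land in the console history.
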
Additional Information

There are potential issues that can arise from replacing the SSL Certificate.

The following articles can be referenced after replacing the SSL Certificate on Time and Attendance, if the issues arise only as a result of replacing the SSL Certificate on the application:

ExecuTime Root URL cannot be reached in the Tyler Workflow connection after replacing SSL Certificate

TouchTime clocks are receiving Server Unreachable after replacing the Time and Attendance certificate

Versions prior to v2023 will have a different path to the configuration folder