Scripted Actions Renew or Replace Automation Account Certificate

Scripted Actions Renew or Replace Automation Account Certificate

Nerdio Manager uses the automation accounts to perform the following functions:

  • Apply updates to the app service.

  • Execute scripted actions.

The scripted action automation account authenticates to Entra ID using Nerdio Manager’s primary app registration via certificate authentication. The certificates may need to be periodically renewed or replaced when expired.

Note: The nmw-automation-cert is for the automation account for applying updates to Nerdio Manager and should not be edited during this process.

The following steps are required to renew the certificates:

Generate a New Scripted Action Certificate in Key Vault

  1. In the Azure portal, navigate to Nerdio Manager’s key vault (for example, nmw-app-kv-*).

  2. In the Certificates tab, select the scripted action certificate named nmw-scripted-action-cert.

  3. Select + New Version.

  4. Enter the following information:

    • Duration: 120 months is recommended.

    • Other parameters: Most can be left as the default.

  5. Once you have entered all the desired information, select Create.

  6. Refresh the Version list and then select the newly generated current version.

  7. Select Download in CER format.

  8. Select Download in PFX/PEM format.

  9. Copy and note the displayed thumbprint values for use when uploading to the scripted action automation account.

Upload the CER Certificate to App Registration in Entra ID

  1. In the Entra ID portal, navigate to App registrations.

  2. Find the primary Nerdio Manager app registration (by default, it is named nerdio-nmw-app).

  3. Within the Certificates & Secrets tab on the app registration, navigate to the Certificates tab.

  4. Select Upload Certificate and browse to the downloaded .CER format file.

  5. Optionally, add a description.

    Tip: It is recommended that you use Nerdio Manager for Enterprise Scripted Action Certificate for <app_service_name>, where <app_service_name> is the resource name of Nerdio Manager’s app service.

  6. Select Add.

    The certificate is saved.

Apply a Password to the PFX File for Import to the Azure Automation Account

Note: Uploading the .PFX downloaded certificate file to the scripted action automation account requires applying a password to the PFX file. This can be done using the Certificates snap-in for MMC (no elevated privileges required).

  1. Launch MMC and add the Certificates snap-in (if prompted, select Current User).

  2. Navigate to the Certificates – Current User > Personal store.

  3. Under More Actions, select Import.

    • Select the downloaded PFX certificate and select Exportable.

    • No password is required.

    • Verify that the certificate is importing to the Personal store.

    • Complete the wizard to finish importing the certificate.

  4. Right click the newly imported certificate and select Export.

  5. Enter the following information:

    • Export the Private Key: Select Yes.

    • Include all Extended Properties: Select this option.

    • File Name: Type the desired file name.

      Note: There are no requirements for the file name.

    • Password: Type the file's password.

      Note: This is needed when importing the certificate to the scripted action automation account. There are no length or complexity requirements.

Upload the Certificate to the Azure Automation Account

  1. In the Azure portal, navigate to the scripted action automation account (for example, *-scripted-action-* or *-runbooks-*).

  2. Select the Certificates tab.

  3. Select the old or expired certificate, and then select the Delete.

  4. Once deleted, select + Add a certificate.

  5. Enter the following information:

    • Name: Type ScriptedActionRunAsCert.

      Note: The naming and capitalization must match.

    • Description: Optionally, type a description.

    • Password: Type the password.

    • Optionally, select the option to allow the certificate to be exportable.

      Note: This is useful if the scripted action automation account requires hybrid runbook workers.

  6. Once you have entered the desired information, complete the upload process.

  7. Verify that the certificate has uploaded.

  8. Navigate to the Connections tab on the Automation Account.

  9. Find and edit the existing connection (for example, nmw*).

  10. Update the Thumbprint copied on the certificate version.

  11. Select Save.


  1. Delete the imported certificate from the MMC Certificates Current User.

  2. Delete the downloaded files from the key vault.

  3. Delete the exported certificate from MMC.

Was this article helpful?

0 out of 0 found this helpful
Have more questions? Submit a request

Comments (0 comments)

Please sign in to leave a comment.