Tag Archives: Tridium

Adding a SSL Certificate to a WorkPlace N4 Web Supervisor

So as a follow-up to my post Adding a SSL Certificate to a Vykon AX Web Supervisor, the way a WorkPlace N4 web supervisor imports a certificate is slightly different. Mainly, the key needs to be in an unencrypted RSA format, which was tripping me up. So if you need to do this, first read that prior post; the only real change is that to export your key you use this command:

openssl pkcs12 -in CertExport.pfx -nocerts -nodes -passin pass:YourPassword | openssl rsa -out key.pem

You will find the key is exported and now has an “RSA” tag in the headers. Follow the same instructions from the other post to make your pem file (key, cert, intermediate, root) and it should import into an N4 supervisor just fine.

Adding a SSL Certificate to a Vykon AX Web Supervisor

A couple of years ago I helped set up an SSL certificate for an AX Supervisor, a product that is usually used as a web interface front end to an automation product called a JACE. The software was installed on a Microsoft Server 2008 R2 system and was serving up the information through a B2B VPN, and the other company, even though the traffic was “internal”, requested an SSL. No biggie, I thought, I’ve installed SSLs many times. So I installed the certificate on the server, but the AX software didn’t see it. I went into the software’s platform and into the Certificate Management section to import a certificate. It only accepted pem files, so I converted my Windows certificate over, but it didn’t like that either. So I started reading the only guide I could find on the subject, titled “NiagaraAX SSL Connectivity Guide”. Ironically, it has page after page on how an SSL works and how to generate a self-signed certificate, then export it out and import it onto all of the computers accessing the system, but nothing on importing an existing certificate as a pem file. Long story short, the way an AX Supervisor wants the pem is to have it include the key, the certificate, the intermediate certificate, and the root certificate, in that order, all in one file. So for the 9 people in the universe who will actually need to do this sometime in their life and can’t figure it out, here is what I had to do.

First I downloaded the Windows 32-bit binaries of OpenSSL (from https://slproweb.com/products/Win32OpenSSL.html) and installed them. I copied the pfx file that I exported out of my server (with key/password) and put it in the same directory as openssl.exe (the bin folder usually). I opened up a command prompt, navigated to the bin directory, and ran the first command to get my private key:

openssl pkcs12 -in CertExport.pfx -nocerts -nodes -out key.pem

Then another command to export out my certificate:

openssl pkcs12 -in CertExport.pfx -nokeys -out cert.pem

I now needed my intermediate and root certificates, which, since I was using GoDaddy, were downloadable from their site (https://certs.godaddy.com/repository). I imagine it's the same for any other certificate authority. I created a new text file and first took the contents of the key.pem file (minus the headers, keeping the begin and end tags), then followed it with the contents of my cert.pem file (again no headers), then, and this is important, followed those with the intermediate and then the root. I saved this as MYFullCert.pem and that imported right in without an issue. I was then able to use that for both the Platform SSL certificate and for the Station's WebService certificate. Rebooted the server and everything looked good.
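The hand assembly described above, and the “RSA” header check from the N4 post, can be scripted. This is an added example, not code from the original posts or from the vendor; `pem_blocks`, `build_bundle` and `fake_pem` are hypothetical names, and the sample blocks are constructed placeholders rather than real keys or certificates.

```python
import base64
import re

# One PEM block. Text outside blocks (the "Bag Attributes" / "subject=" lines
# that openssl pkcs12 writes) is never matched, so it is dropped.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)\r?\n-----END \1-----", re.S)

def pem_blocks(text):
    """Return [(label, block_text)] for every PEM block found in text."""
    return [(m.group(1), m.group(0).replace("\r\n", "\n"))
            for m in PEM_BLOCK.finditer(text)]

def build_bundle(key_pem, cert_pem, intermediate_pem, root_pem,
                 require_rsa_tag=False):
    """Join key, certificate, intermediate, root in the order the post gives."""
    keys = [b for b in pem_blocks(key_pem) if b[0].endswith("PRIVATE KEY")]
    if len(keys) != 1:
        raise ValueError("expected exactly one private key block")
    label, key_block = keys[0]
    if "ENCRYPTED" in label or "Proc-Type: 4,ENCRYPTED" in key_block:
        raise ValueError("private key is still passphrase-protected")
    if require_rsa_tag and label != "RSA PRIVATE KEY":
        raise ValueError("expected an 'RSA PRIVATE KEY' header, got " + label)
    parts = [key_block]
    for name, text in (("certificate", cert_pem),
                       ("intermediate", intermediate_pem), ("root", root_pem)):
        certs = [b for lbl, b in pem_blocks(text) if lbl == "CERTIFICATE"]
        if not certs:
            raise ValueError("no CERTIFICATE block in the " + name + " input")
        # pkcs12 -nokeys can also emit chain certificates; skip repeats.
        parts += [c for c in certs if c not in parts]
    # The result holds an unencrypted private key: restrict file permissions
    # when writing it out and remove it once the import has succeeded.
    return "\n".join(parts) + "\n"

def fake_pem(label, payload, attrs=""):
    """Constructed sample block: placeholder bytes, not a real key or cert."""
    body = base64.b64encode(payload).decode()
    return f"{attrs}-----BEGIN {label}-----\n{body}\n-----END {label}-----\n"

if __name__ == "__main__":
    bag = "Bag Attributes\n    friendlyName: constructed\n"
    print(build_bundle(
        fake_pem("RSA PRIVATE KEY", b"constructed key", bag),
        fake_pem("CERTIFICATE", b"constructed leaf", bag),
        fake_pem("CERTIFICATE", b"constructed intermediate"),
        fake_pem("CERTIFICATE", b"constructed root"),
        require_rsa_tag=True))
```

Pass `require_rsa_tag=True` for the N4 case; for real files, read key.pem, cert.pem and the CA downloads as text and write the returned string to the bundle file.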

Note: This applies to AX 3.7. I have found the certificate will not import into 3.8 using the same instructions. What does work, however, is importing it into 3.7 and then exporting it out. The exported file appears to have an extra line added, which does work on 3.8.