Wildcard SSL from Ignition 8

I am attempting to generate a Wildcard SSL with an Ignition 8 Gateway and reuse the SSL key on other Gateways. Right now I have the cert generated and installed, but I am not sure what to move to other gateways. With 7.9 we were able to move just the ssl.key file, but that file does not exist on Ignition 8.

  1. After generating a cert with Ignition 8 is there a method that I can use to move or import that same cert to other Ignition 8 GWs? Can I do the same thing with Ignition 7.9?

  2. If the answer to #1 is no, how can I generate a wildcard cert for multiple gateways (7.9 & 8.0)?

-Caleb

1 Like

Creating and using a new wildcard SSL cert for a No-IP domain using Ignition 8.0+.

  1. Purchase the SSL Cert: Log into No-IP and purchase it.

  2. Create a folder in which to store the files created or needed.

  3. Create the CSR (Certificate Signing Request):
    a) Fill out the details
    Common Name: *.wildcard.com (or your domain)
    SANs: (Use only Static IPs…)
    I’m experimenting with these; I think the server static IPs can go here.
    Other data is self-explanatory.

  4. Save the CSR in the folder and submit to No-IP.
    a) Server Type is Tomcat
    b) Paste the whole csr text into the form.
    c) Fill out the verification forms.

  5. Use verification email to verify the info.

  6. After receiving the Completed order SSL Certs, import the three files you are sent one at a time into the Ignition page.
    They are entered in the order in the email. (Server, Intermediate, Root)

  7. Ignition instantly switches to SSL enabled and your browser gives you a connection error.
    Check that the cert is for *.wildcard.com (your domain).

  8. Save the Cert from your computer.

  9. Install the Cert for your Customers:

For Ignition 8.0:
- If necessary, run Windows Explorer as an admin.
- Copy the ssl.pfx to the webserver folder. In Windows that should be here:
  C:\Program Files\Inductive Automation\Ignition\webserver
- Turn on Force Secure Redirect:
  Config > Web Server > Force Secure Redirect

For Ignition 7.9:
a) Convert the file if not done… Download and install Keystore Explorer (or figure out the Java command line…)
- Open the ssl.pfx file. (Password is “ignition”)
- Save as ssl.key or some other new file.
- Convert to file type JKS (Java Keystore). (Again, password is “ignition”)
- Rename the “ignition” entry to “tomcat”.
b) Move the file to the webserver folder on the Ignition gateway.
- C:\Program Files\Inductive Automation\Ignition\webserver
- Rename the existing ssl.key file.
- Move and rename the converted keystore to ssl.key.
c) Restart the gateway or the Ignition service. (You may need to restart the entire computer.)
d) Change Gateway settings to use SSL.

4 Likes
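
A keytool equivalent of the Keystore Explorer steps for Ignition 7.9 in the post above, as an added example that is not part of the original post. It assumes keytool from a JDK/JRE is on PATH and that it is run from an elevated PowerShell in the folder holding ssl.pfx; `ssl.key.new` is a hypothetical working file name.

```powershell
# Added example, not from the original post. Password, aliases and the webserver
# path are the ones the post gives; ssl.key.new is a hypothetical working file name.
$ErrorActionPreference = 'Stop'
$webserver = 'C:\Program Files\Inductive Automation\Ignition\webserver'  # on the 7.9 gateway
$srcPfx    = '.\ssl.pfx'       # copied from the Ignition 8 gateway
$outJks    = '.\ssl.key.new'
$pass      = 'ignition'

if (-not (Get-Command keytool -ErrorAction SilentlyContinue)) {
    throw 'keytool not found on PATH'
}
if (Test-Path $outJks) { Remove-Item $outJks }

# 1. Confirm the source really holds a private key under the alias "ignition".
$src = & keytool -list -keystore $srcPfx -storetype PKCS12 -storepass $pass -alias ignition
if ($LASTEXITCODE -ne 0 -or -not ($src -match 'PrivateKeyEntry')) {
    throw 'ssl.pfx has no PrivateKeyEntry named "ignition"'
}

# 2. Convert PKCS12 -> JKS and rename the entry to "tomcat" in one pass.
& keytool -importkeystore -noprompt `
    -srckeystore $srcPfx -srcstoretype PKCS12 -srcstorepass $pass -srcalias ignition `
    -destkeystore $outJks -deststoretype JKS -deststorepass $pass `
    -destalias tomcat -destkeypass $pass
if ($LASTEXITCODE -ne 0) { throw 'keytool -importkeystore failed' }

# 3. Verify the result and show subject, SANs, validity and chain length for review.
$dst = & keytool -list -v -keystore $outJks -storetype JKS -storepass $pass -alias tomcat
if ($LASTEXITCODE -ne 0 -or -not ($dst -match 'PrivateKeyEntry')) {
    throw 'converted keystore has no PrivateKeyEntry named "tomcat"'
}
$dst | Select-String -Pattern 'Owner:|Valid from:|DNSName:|Certificate chain length:'

# 4. Keep the old keystore under a timestamped name, then install the new one as ssl.key.
$target = Join-Path $webserver 'ssl.key'
if (Test-Path $target) {
    Rename-Item $target ("ssl.key.bak-{0:yyyyMMddHHmmss}" -f (Get-Date))
}
Move-Item $outJks $target

# 5. The file holds the wildcard private key: review who can read it.
& icacls $target
# Then restart the gateway and enable SSL as in steps c) and d) of the post.
```

Because the keystore password is the fixed value given in the post, the NTFS permissions shown by `icacls` are what actually protect the wildcard private key on each gateway.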

This was so helpful. THANK YOU.

*I did this on several servers after getting my first one successfully registered with the wildcard cert. The other servers had certs already applied, but I wanted to consolidate.
After pasting in the ssl.pfx file, it was a bit glitchy. I had to save several times and go to the Cert "View Details" page a couple of times before it showed the *.yourdomain.com as the common name on the active cert.
**I think the "force redirect" might also cause the web server to reload the ssl.pfx file, so don't skip this step. You can always wait 1 minute and then disable that.