Bad_Certificate

Inductive Automation
Are there any plans on fixing the annual certificate failures?

Seems to me that if the server can generate a new certificate, it should have the authority to delete or add a new certification, if it notices the old one has expired.

Other users like myself
What does the 'brain trust' think?

Are you talking about self-signed TLS certificates, OPC UA certificates, or something else?

Yesterday, I had a client's plant shut down due to OPC UA certificate expiration. Could not find the directory to delete the offending certificate. Tech support pointed me in the correct direction.

But, if there are multiple certificate locations: Maybe you could publish a Tech-Note that shows a table of error codes and the corresponding directories to delete, to get the server back up and running.

I’ll ask them if there’s a KB article for it.

In 8.1 there’s a UI in the gateway for managing and regenerating the certificates, including the option to set a custom expiration date when doing so.

Well corporate has gotten involved. They don't like that the system went down - and may go down every 3 years...

Not sure what is going to come of it. We have a Zoom tomorrow.

It is a Vision project. Even the client on the server couldn't operate the plant. They had to shut down for about 24 hours and wait for me to drive down there (air-gapped network). If you have any information about avoiding this issue in the future, I would like to present that in the meeting.

  • Upgrade. Generate a new certificate using the new UI and specify a 50 year expiration or something else really long.

  • Generate your own certificate with OpenSSL (or similar tools) with a long expiration.

You can generate a certificate for 10,000 days from now. I don't know if Vision will have a problem with that, but web browsers won't accept a certificate with more than 3 years.

Oh yeah, Apple is 1 year.

OPC/UA isn't a browser.

Point taken. So Vision will survive if I give the UA certificate a 2050 date! I would like to be able to report that in tomorrow’s meeting. @Kevin.Herron

Vision will survive as long as you're not using SSL/TLS on the Ignition Gateway, which has its own certificate that will expire and need renewal on its own timeline.

Vision is not affected by the OPC UA certificates in any way, other than that if your OPC UA certs expire and the connection goes down you might see bad data overlays on Vision screens.


I always recommend adding "Check certificate [cert name] on server [server name]" to the monthly or yearly administration calendar. IT probably has such a task list for verifying that all the users still need access and old accounts are cleared out and security patches are applied or whatever else was identified by the SOC2 compliance audit...
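Putting the two suggestions from this thread together, here is an added example (not from any poster, and not Ignition's own tooling): it generates a long-lived self-signed OPC UA-style certificate with OpenSSL and then checks how much validity is left, which is the kind of check the monthly or yearly administration calendar entry above would run. The host name, ApplicationUri and organisation are placeholders; the OpenSSL command requires a version with `-addext` support (1.1.1 or later).

```shell
#!/bin/sh
# Added example, not part of the forum thread. Generates a self-signed
# certificate with a long validity and checks remaining validity the way a
# scheduled administration task would.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"
# Placeholder values: replace with the gateway host name and the OPC UA
# ApplicationUri configured on the server.
CERT_CN="${CERT_CN:-ignition-gateway.example.local}"
APP_URI="${APP_URI:-urn:example:ignition:opcua}"

# Create a 2048-bit RSA key and a self-signed certificate valid for $1 days.
# OPC UA peers match the ApplicationUri against a URI subjectAltName, so it is
# included alongside the DNS name. Prints the path of the certificate file.
make_cert() {
  days="$1"
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 \
    -days "$days" \
    -subj "/CN=${CERT_CN}/O=Example Plant" \
    -addext "subjectAltName=DNS:${CERT_CN},URI:${APP_URI}" \
    -keyout "${WORKDIR}/opcua-key.pem" \
    -out "${WORKDIR}/opcua-cert.pem" 2>/dev/null
  echo "${WORKDIR}/opcua-cert.pem"
}

# Exit status 0 if certificate $1 is still valid for at least $2 more days,
# 1 if it expires sooner. Suitable as the body of a cron or scheduled task
# that alerts before the next unplanned shutdown.
cert_valid_for_days() {
  cert="$1"; days="$2"
  openssl x509 -noout -checkend "$((days * 86400))" -in "$cert" >/dev/null
}

# Print the notAfter date of certificate $1 for the calendar entry.
cert_expiry() {
  openssl x509 -noout -enddate -in "$1" | sed 's/^notAfter=//'
}
```

Run `cert_valid_for_days /path/to/cert.pem 90 || echo "renew soon"` from the scheduled task; the same check works for the gateway's own TLS certificate, which expires on its own timeline.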