This is something I spend a bit of time on, so I figured I’d write up a how-to. At least now the next time I forget how to do this, I will be able to find the breadcrumbs… xkcd.com/979/
I have a UCC SSL cert that I bought for other functions, and added a SAN (basically, another name for the cert to cover) for demo.mydomain.com. I used my Apache web server to create the CSR, as it is the primary site that I wish to secure; however, now that I have the signed cert, I want to use it to cover my Ignition demo server as well. This is how I got it to work:
Collect the files you’ll need. I have a private key file that was generated by OpenSSL called primaryhost.mydomain.com.key, a cert chain file from GoDaddy (where I bought my cert) called gd_bundle-g2-g1.crt, and a signed certificate file called 65f135a6546c423e.crt (name changed to protect the mostly innocent, but a 16-char hex filename). These may be different if you bought your cert somewhere else.
Install the required software. You will need the JDK ( indy.fulgan.com/SSL/ ). I like to add the locations of the binaries to my PATH variable, so I can invoke them from wherever. It’s wise to do the following somewhere besides your Ignition directory, so that when you screw something up, you can start over with minimal crying. The following steps are done in a cmd prompt in the location of your key files.
Create a PKCS12 keystore containing your private key, certificate, and key chain. Using OpenSSL:
openssl pkcs12 -export -in 65f135a6546c423e.crt -inkey primaryhost.mydomain.com.key -certfile gd_bundle-g2-g1.crt -out mycerts.pfx -name "tomcat"
Enter ignition as the password.
- Create a new Java keystore to hold the to-be-imported keys.
keytool -genkey -alias tomcat -keystore ssl.key
Password is ignition
Answer the questions; “first and last name” should match the FQDN for the server (i.e. demo.mydomain.com)
- Empty the new keystore to make room for the imported keys
keytool -delete -alias tomcat -keystore ssl.key
- Import the keys.
keytool -v -alias tomcat -importkeystore -srckeystore mycerts.pfx -srcstoretype PKCS12 -destkeystore ssl.key -deststoretype JKS -destalias tomcat
Provide the passwords ( ignition ) when prompted.
- Check the keys.
keytool -list -v -keystore ssl.key -alias tomcat
You should see a listing of several keys; my key had a cert chain length of 4, meaning that I had listings for Certificate through Certificate. Yours might be different, but verify that the alias is tomcat and the certificates say something about your certificate and your cert issuer. In my case, I also verified that I have a listing for
DNSName: demo.mydomain.com ]
- Move this new keystore into the Ignition directory (mine is c:\program files\inductive automation\ignition\webserver). [size=150]Make sure you have a backup copy of the original ssl.key before you do this.[/size] Restart the gateway from the gateway control utility.
Presto! You have a properly-secured gateway on a subject alternative name. This could also be useful for a wildcard cert, if you’re fancy enough to have one of those. The key issue I was having earlier was getting that alias “tomcat” into the PKCS12 file, as keytool won’t create an alias unless one already exists. I found this ( sslshopper.com/article-most … jn554906de , along with the Ignition manual entry on certificates.
Please let me know if you find any errors, and I will correct them.