How to install Ignition 8 Self Signed Certificate on Ubuntu 18.04

Faisal.Shibli · January 17, 2020, 2:40pm

It is my first time working with SSL certificate. I am in the process of migrating from Ignition 7 to Ignition 8. Ignition 7 did not have SSL enabled while in Ignition 8 we are trying out the SSL. Due to the fact we are testing out so we are using Self signed certificate.

I created the self signed certificate through ignition 8 gateway (Networking → Webserver). My gateway is running on Windows Server 2016. Once the ssl was enabled, I went into the address bar and exported the certificate and saved it under C:\users\username.ignition\clientlauncher-data\certificate. I was able to successfully launch the visionclient launcher. Using the same methodology, I got the visionclient launcher to work from my laptop.

The same methodology did not work on Ubuntu 18.04. I was using chrome to export the certificate however in ubuntu chrome does not even allow me proceed to the website and returns with the following error(please see below).

I then used firefox and saved the certification’s …/.ignition/…/certificate folder. But when I launch the client launcher and add the gateway URL with 8043 port it says SSL certificate not found. I would really appreciate if you can help me out with this.

In a nutshell, I was able to get this to work on Windows based system however, I was unable to get this to work on Ubuntu.

Thanks

pturmel · January 17, 2020, 3:12pm

Place the certificate in ~~/etc/ssl/certs/~~ /usr/local/share/ca-certificates/ and then run sudo update-ca-certificates.

Faisal.Shibli · January 17, 2020, 3:18pm

Thank you for the quick response pturmel. I will try it out but just to confirm will this work with self signed certificate. Based on the folder location it appears that its looking for ca certified certificates.

Thanks!

pturmel · January 17, 2020, 3:43pm

If it doesn’t work, then I would recommend creating a self-signed CA and installing it like so. Then sign your Ignition cert with the private CA.

Faisal.Shibli · January 17, 2020, 4:05pm

Hi pturmel,

I tried your way but unforunately, it did not work.

I have been using the self signed certificate that I created via Ignition gateway. We do not have internal CA but I would imagine any windows server can act as a internal CA.

Thank you again for your help.

pturmel · January 17, 2020, 4:32pm

OpenSSL can create a self-signed certificate that has the CA flag turned on. Anyone can make a private CA. These two commands will make a password-protected private key and then a CA cert good for ten years:

openssl genrsa -aes256 -out MyCA.key 4096
openssl req -new -batch \
  -subj "C=US,ST=MyState,L=MyCity,O=MyCompany,OU=IT,CN=CertificateAuthority" \
  -set_serial 1 -x509 -days 3650 -key MyCA.key -out MyCA.crt

Use the above CA to make a two-year cert for your server like so:

openssl genrsa -out SomeIgnitionServer.key 2048
openssl req -new -batch \
  -subj "C=US,ST=MyState,L=MyCity,O=MyCompany,OU=Servers,CN=CertificateAuthority" \
  -key SomeIgnitionServer.key -out SomeIgnitionServer.req
openssl x509 -req -in SomeIgnitionServer.req -out SomeIgnitionServer.crt \
  -outform PEM -set_serial 2 -days 730 -CA MyCA.crt -CAkey MyCA.key

Repeat the latter section as needed for new servers, incrementing the serial number each time.

Uhm, no. At its core, a CA is a specially-created certificate that can sign other certificates. It's not a server, per se, though publicly-trusted CA holders generally provide a web interface to request signed certs.

Faisal.Shibli · January 20, 2020, 3:53pm

Thank you for the detailed instruction.

Just so I understand correctly, that instead of using the self signed certificate that I created from Ignition gateway, NETWORKING --> Webserver tab. I will be using openssl to create a self signed certificate.

For "CN" i will use the URL that will get me to the gateway server minus the port number.
I may have few more questions as I work through your steps.