I may need to get the customer to contact Tech Support. This is the email trail of them trying to install an SSL key using the instructions from Inductive Automation.
I have no other way but to handle the ssl key but to use keytool, we’ve tried with microsoft certificate store. I’ll have to generate a key again, with all the procedure below - but we’ll use our internal cert authority to register. Thus, will it be okay to place JDK on the D drive again? Would you like to work on this together today, or can I go ahead?
How to Install a Real SSL Certificate in Ignition
When you turn on SSL in Ignition, the web browser uses what is called a “self-signed” certificate. This gives you the encryption benefits of SSL, but it isn’t a ‘real’ certificate. This is why browser will display nasty warnings to users that they shouldn’t trust your website.
We are not able to ship a real certificate with Ignition because SSL certificates have to be purchased individually from a certificate authority.
This guide will show you how to purchase and install a real SSL certificate from a certificate authority and install it in Ignition.
- Install the JDK.
There are some command-line tools you’ll need to use to create a certificate request and to install your certificate. These tools come with the Java Development Kit (JDK). Most likely you only have the Java Runtime Environment installed. Go to http://java.oracle.com and click on Java SE. Download the Java SE 6 JDK and install it.
- Open a command prompt
Open a command prompt (Start > Run > cmd) and change directory into your JDK tools directory.
[tt]cd C:\Program Files\Java\jdk1.6.0_24\bin[/tt]
- Create your keystore
SSL certificates for Ignition are stored in a file called a keystore. You’ll need to create your own keystore file with a certificate in it before you can purchase the SSL certificate.
Enter the following command:
[tt]keytool -genkey -alias tomcat -keyalg RSA -keysize 2048 -keystore C:\ssl.key[/tt]
(you can put the file wherever you want for now but it should be called “ssl.key”)
2. It will prompt you to enter a password. Use the password: [tt]ignition[/tt]
3. You will then be prompted for your “first and last name”. Do not actually use your first and last name. This value must be one of these for your Ignition Gateway:
- Fully Qualified Domain Name (e.g. “secure.yourdomain.com”)
- Public IP address (e.g. “184.108.40.206”)
- Full Server Name of your internal server (e.g. “scadaserver”)
- Private IP address (e.g. “192.168.0.1”)
It will then prompt you for information about your company. Input all data accurately, as the certificate authority will need to verify this information.
Lastly, it will ask you for the password for alias . Press RETURN to use the same password as the keystore file.
- Generate a Certificate Signing Request
At this point, you have a keystore file named “ssl.key” at the root of your C:\ drive (or wherever you specified it to be in step 3a )
In your command prompt window, enter this command:
[tt]keytool -certreq -alias tomcat -file C:\csr.txt -keystore C:\ssl.key[/tt]
It will prompt you for the keystore password (ignition)
You now have a certificate request file at [tt]C:\csr.txt[/tt]
5) Buy the SSL certificate
Now you need to get your SSL certificate signed by a certificate authority. When you go to a certificate authority (Verisign, Thawte, Comodo, etc), they’ll ask for your CSR, which is the csr.txt file that you created in step 4. Typically they’ll ask you to paste your CSR into their web form. Open csr.txt in notepad, and copy-and-paste it into the certificate authority’s form.
If prompted what software generated the CSR, choose Tomcat or Java
After the certificate authority has processed your payment and reviewed your CSR, they will send you your certificate via email.
6) Install the SSL certificate
After your SSL certificate has been emailed to you, you will want to follow the instructions provided for installing the certificate into a Java keystore. Your certificate authority will provide these instructions. The following is the procedure for installing a Comodo SSL certificate, provided as an example:
Extract the certificate files that were emailed to you, in this example they were extracted to C:\cert
Install the root certificate with the following command:
[tt]keytool -import -trustcacerts -alias root -file C:\cert\AddTrustExternalCARoot.crt -keystore C:\ssl.key[/tt]
3. Install the COMODO intermediate certificate:
[tt]keytool -import -trustcacerts -alias INTER -file C:\cert\COMODOHigh-AssuranceSecureServerCA.crt -keystore C:\ssl.key[/tt]
4. Install your server’s certificate:
[tt]keytool -import -trustcacerts -alias tomcat -file C:\cert\192_168_1_7.crt -keystore C:\ssl.key[/tt]
7) Replace Ignition’s default keystore
You now have a keystore file at C:\ssl.key that holds your SSL certificate. The certificate alias is “tomcat” and the password is “ignition”. You can now replace the keystore file that ships with Ignition with your file. Make a backup of the file at
[tt]C:\Program Files\Inductive Automation\Ignition\tomcat\ssl.key[/tt]
and replace it with your keystore file. You will need to restart the Ignition service after replacing this file.
Make sure your SSL port is allowed through your server’s firewall. The default SSL port is 8043, and can be changed to the standard SSL port (443) through the Gateway Control Utilitiy (GCU).
From: Hugo Shebbeare
Sent: Friday, August 31, 2018 8:58 AM
To: Christine Laprise; Eric Lapointe; Pascal Vallette
Subject: Re: Issue with Dcpspeview server
To Ian ( please fwd Christine):
Just fyi, because we’re crossing paths a bit here - Late yesterday, since asked the other week, I restarted work on the SSL key and used Java jdk keytool on c, so I think you should be okay to continue with using the new D drive install (jre).
We’re in a bit of a catch 22 because we have to use the keytool to replace the ignition default ssl key with ours, and the latest export csr I handed over to Éric yesterday with corrections to org unit, etc details.
I am afraid it was me who broken the server yesterday after another key attempt, but it looks okay now thanks to you. However, we are still pending ssl key replacement.
One step of the cert import did work, so far, at least, which is the root (or our *.agropur.com cert)
C:\Program Files\Java\jdk-10.0.2\bin>keytool -import -trustcacerts -alias root -file C:\Users\admhushebbe\Documents\rootexport.cer -keystore C:\temp\sslfromjdk.key
Enter keystore password:
Owner: CN=*.agropur.com, O=Agropur Cooperative, L=Granby, ST=Quebec, C=CA
Issuer: CN=DigiCert SHA2 High Assurance Server CA, OU=www.digicert.com, O=DigiCert Inc, C=US
Serial number: 6f167293433651da6fad29147404a6a
Valid from: Mon Dec 19 19:00:00 EST 2016 until: Thu Mar 19 08:00:00 EDT 2020
Signature algorithm name: SHA256withRSA
Subject Public Key Algorithm: 2048-bit RSA key
… certificate imported successfully.
Look forward to resolving this together with you
438 498 5832