SSL Automation with Certify The Web

Hey All,

I just went through the process of automating Ignition SSL management with Certify The Web as my ACME client. I ran into some hiccups that didn't seem to be addressed anywhere so I'm posting my solution here.

First off, I essentially just followed the IA article on this (Let's Encrypt Guide for Ignition | Inductive Automation). This isn't a rewrite of that article but a highlight of how the solution differs. Now assuming you have everything to the point of being able to generate a certificate with Certify The Web, there is one key difference with your certificate and the one generated in the article. Certify The Web completely skips over the inclusion of a keystore alias. This is fine if you are manually providing the cert on the Gateway Config page but won't work with Ignition's hot reload system.

Certify doesn't appear to have a native method to address this, so instead I used the Deployment Tasks to implement the Creating the Key Store method from the article. The machine I was using already happened to have OpenSSL installed, but you may need to either add it to PowerShell's PATH if you have it or install it if you don't. I used two export tasks to create both the "Private Key" and the "Full Certificate Chain (Excluding Key)" files. Then I used a PowerShell task referencing the following script:

# Backup the old cert. The delete ignores a missing .bk so the script also
# works the first time it runs, and the rename is skipped if there is no
# ssl.pfx yet.
$ignition_dir = "C:\Program Files\Inductive Automation\Ignition"
$keystore = "$ignition_dir\webserver\ssl.pfx"
Remove-Item "$keystore.bk" -ErrorAction SilentlyContinue
if (Test-Path $keystore) {
    Rename-Item -Path $keystore -NewName "ssl.pfx.bk"
}


# Create the new keystore w/ Ignition specific password/alias.
# Requires export of:
#	- Private Key
#	- Full Cert without Private Key
# (the two paths below are the Certify export locations for this setup; adjust to yours)
$priv_key = "C:\SomeFolder\PrivateKey.key"
$cert_bundle = "C:\SomeFolder\FullCertwoKey.pem"
$keystore_pwd = "ignition"
$keystore_alias = "ignition"

# -name sets the PKCS#12 friendlyName, which is what Ignition reads as the alias
openssl pkcs12 -export `
    -out $keystore `
    -inkey $priv_key `
    -in $cert_bundle `
    -name $keystore_alias `
    -passout "pass:$keystore_pwd"

# A failing native command does not stop a PowerShell script by default, so
# check the exit code and put the old keystore back rather than leaving the
# Gateway with no usable ssl.pfx.
if ($LASTEXITCODE -ne 0) {
    Remove-Item $keystore -ErrorAction SilentlyContinue
    if (Test-Path "$keystore.bk") {
        Rename-Item -Path "$keystore.bk" -NewName "ssl.pfx"
    }
    throw "openssl pkcs12 export failed with exit code $LASTEXITCODE"
}


# Reload Ignition keystore. PowerShell does not run commands from the current
# directory by bare name, so gwcmd.bat has to be called with a path.
Set-Location -Path $ignition_dir
.\gwcmd.bat --reloadks

And that should do it. The script handles the main features that are listed in the article but are not immediately replicable with Certify. It creates a backup of the most recent certificate in your $IGNITION\webserver folder (make sure a backup file already exists there before running, otherwise the script will error out), then bundles the keystore with the default alias and password (be sure to verify the file locations for your given setup), and then reloads the Gateway's keystore. As a bonus, this only associates the Ignition-specific version of the certificate with Ignition. The "generic" certificate is still held by Certify and can be used elsewhere.

Best regards,
Grant
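The post reloads the Gateway keystore as soon as openssl has written ssl.pfx. The check below is an added example (not part of the original post, the IA article, or Certify The Web) that a practitioner would run between those two steps, or as a further PowerShell deployment task: it confirms the PFX opens with the expected password, that the alias Ignition's hot reload looks up is present as the PKCS#12 friendlyName, that the private key matches one of the bundled certificates, that an intermediate chain was included, and that the leaf is not about to expire. The script name `Check-IgnitionKeystore.ps1` is hypothetical; the path, password and alias defaults are the ones used in the post, and OpenSSL is assumed to be on PATH. Only the exit code matters to a deployment task: any failed check throws.

```powershell
# Check-IgnitionKeystore.ps1 (hypothetical name; added example, not from the post)
# Verifies the ssl.pfx built by the deployment task before gwcmd --reloadks.
# Assumes OpenSSL on PATH and the post's default "ignition"/"ignition"
# password and alias. Every failure throws, so a Certify PowerShell task
# running this stops with a non-zero result instead of reloading a bad store.
param(
    [string]$Keystore = "C:\Program Files\Inductive Automation\Ignition\webserver\ssl.pfx",
    [string]$KeystorePassword = "ignition",
    [string]$ExpectedAlias = "ignition",
    [int]$MinDaysRemaining = 7
)

if (-not (Get-Command openssl -ErrorAction SilentlyContinue)) {
    throw "openssl not found on PATH"
}
if (-not (Test-Path $Keystore)) {
    throw "Keystore not found: $Keystore"
}

# Dump the certificate bags (no key) as PEM. Each bag is preceded by its
# attributes, including the friendlyName set with 'openssl pkcs12 -name'.
$certDump = (& openssl pkcs12 -in $Keystore -nokeys -passin "pass:$KeystorePassword") -join "`n"
if ($LASTEXITCODE -ne 0) {
    throw "openssl could not open the keystore (wrong password or damaged file)"
}

# 1. Alias: Ignition looks the entry up by this name, so a missing or
#    different friendlyName is exactly the failure described in the post.
$aliases = [regex]::Matches($certDump, 'friendlyName:\s*(\S+)') |
    ForEach-Object { $_.Groups[1].Value } | Sort-Object -Unique
if ($aliases -notcontains $ExpectedAlias) {
    throw "Alias '$ExpectedAlias' not found in keystore. Present: $($aliases -join ', ')"
}

# 2. Chain: a leaf by itself will not validate for clients that do not already
#    trust the Let's Encrypt intermediate, so expect at least two certificates.
$pemBlocks = [regex]::Matches($certDump, '(?s)-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----')
if ($pemBlocks.Count -lt 2) {
    throw "Only $($pemBlocks.Count) certificate(s) in keystore; intermediate chain is missing"
}

# 3. Key/cert match: derive the public key from the private key and find the
#    certificate that carries the same public key. The key is piped to openssl
#    over stdin so it is never written to disk.
$keyPem = (& openssl pkcs12 -in $Keystore -nocerts -nodes -passin "pass:$KeystorePassword") -join "`n"
if ($LASTEXITCODE -ne 0 -or $keyPem -notmatch 'BEGIN [A-Z ]*PRIVATE KEY') {
    throw "No private key found in keystore"
}
$keyPub = ($keyPem | & openssl pkey -pubout) -join "`n"
$leafPem = $null
foreach ($block in $pemBlocks) {
    $certPub = ($block.Value | & openssl x509 -noout -pubkey) -join "`n"
    if ($certPub -eq $keyPub) { $leafPem = $block.Value; break }
}
if (-not $leafPem) {
    throw "Private key does not match any certificate in the keystore"
}

# 4. Expiry: 'x509 -checkend' exits non-zero if the leaf expires within the
#    given number of seconds, which is a cheap way to catch a stale export.
$leafPem | & openssl x509 -noout -checkend ($MinDaysRemaining * 86400) | Out-Null
if ($LASTEXITCODE -ne 0) {
    throw "Leaf certificate expires within $MinDaysRemaining day(s); export is stale"
}

$leafInfo = ($leafPem | & openssl x509 -noout -subject -enddate) -join "; "
Write-Host "OK: alias '$ExpectedAlias', $($pemBlocks.Count) certificates, key matches leaf, $leafInfo"
```

Run it from the same PowerShell deployment task right after the openssl export and before the gwcmd call; because each check throws, the reload never runs against a keystore that would only fail later, at which point the Gateway would be serving the backed-up certificate or nothing at all.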