Use your own security certificate

Info

This procedure, combined with a proper Certificate Authority (internal or external), will resolve NET::ERR_CERT_AUTHORITY_INVALID errors.

By default, octoplant will automatically create a self-signed certificate and private key at runtime.

If you want to use your own certificate (e.g., for OIDC or for the WebClient) instead of the one created by octoplant, follow this optional procedure. This guide is intended for IT departments or domain administrators.

Basic steps

  1. Create a root CA private key and public certificate. Import the certificate as a Trusted Root certificate on the server and all clients using this server. This root CA can be used for multiple servers.
  2. For each server, create a private key and a certificate signing request (CSR).
  3. Use the root CA's private key to sign the public server certificate.
  4. Store the server's private key and signed certificate in the server archive.

Requirements

  • You need an environment with OpenSSL installed (recommended: OpenSSL 3.2.1 or later). To check your version, open a Command Shell and run:

    openssl -v

    You should see output similar to:

    OpenSSL 3.5.2 5 Aug 2025 (Library: OpenSSL 3.5.2 5 Aug 2025)
  • Create a local folder for your certificates, e.g., D:\certs.

Create your own Root CA

This process has three steps:

  • Create a root key
  • Create and self-sign the root certificate
  • Distribute the certificate

Warning

The root CA key can sign any server certificate. Anyone with access to this key can create trusted certificates. Keep it safe and private.

  1. Create a root CA key (rootCA.key):

    openssl genrsa -aes128 -out D:\certs\rootCA.key 4096

    You’ll be prompted for a passphrase, which you’ll need each time you sign a certificate. To create a key without a passphrase, remove the -aes128 option.

  2. Create the root certificate (rootCA.crt):

    openssl req -x509 -new -nodes -key D:\certs\rootCA.key -sha256 -days 1024 -out D:\certs\rootCA.crt
  3. Distribute rootCA.crt to every client that will connect to the server.

Create a Server Certificate Signing Request

  1. Create the server's certificate key (hostname.key):

    openssl genrsa -out D:\certs\hostname.key 2048

    This file is the server’s secret: do not share or distribute it. Only the server should have access to it.

  2. Create a signing request (hostname.csr):

    openssl req -new -key D:\certs\hostname.key -out D:\certs\hostname.csr

    Follow the interactive prompts. The Common Name must match the exact hostname clients use to connect. Do not set a password.

  3. (Optional) Verify the CSR:

    openssl req -in D:\certs\hostname.csr -noout -text

Sign the server certificate

Use the CSR, root CA key, and root certificate to create the signed server certificate (hostname.crt):

openssl x509 -req -in D:\certs\hostname.csr -CA D:\certs\rootCA.crt -CAkey D:\certs\rootCA.key -CAcreateserial -out D:\certs\hostname.crt -days 3650 -sha256

You’ll be prompted for the root CA key passphrase. The resulting hostname.crt and hostname.key are needed by the octoplant server.
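The CA, CSR and signing steps above as one non-interactive script, added here as an example; it is not octoplant's own tooling and is written for a POSIX shell rather than the Windows Command Shell, so the paths differ from D:\certs. It goes one step beyond the page: the hostname is also written into a Subject Alternative Name (SAN) extension, which the Details tab check in the next section looks for and which current browsers require in addition to the Common Name (the -addext and -ext options need OpenSSL 1.1.1 or later, so the recommended 3.2.1 is fine). It ends with the checks worth running before anything is copied into the server archive: chain validation against rootCA.crt, the SAN DNS entry, and that the certificate file actually pairs with the private key stored beside it. The hostname octoplant.example.internal, the CA passphrase, the root DN and the certificate directory are placeholder values.

```shell
#!/bin/sh
# Added example, not octoplant's own tooling: the page's CA / CSR / sign steps
# as a non-interactive script, plus the checks to run before the files go into
# the server archive. All values below are placeholders.
set -eu

command -v openssl >/dev/null 2>&1 || { echo "openssl is required (see Requirements)" >&2; exit 1; }

CERT_DIR="${CERT_DIR:-$(mktemp -d)}"                      # page uses D:\certs on Windows
SERVER_FQDN="${SERVER_FQDN:-octoplant.example.internal}"   # hypothetical hostname
CA_PASS="${CA_PASS:-constructed-ca-passphrase}"             # constructed; replace it

# Step 1: root CA key (AES-128 encrypted, as on the page) and self-signed root
# certificate. -subj and -batch replace the interactive prompts.
make_root_ca() {
    openssl genrsa -aes128 -passout "pass:$CA_PASS" -out "$CERT_DIR/rootCA.key" 4096
    openssl req -x509 -new -key "$CERT_DIR/rootCA.key" -passin "pass:$CA_PASS" \
        -sha256 -days 1024 -batch -subj "/CN=Example Internal Root CA" \
        -out "$CERT_DIR/rootCA.crt"
}

# Step 2: server key (unencrypted, as on the page) and CSR. The CN is the exact
# hostname clients connect to; -addext records it as a SAN DNS entry as well.
make_server_csr() {
    openssl genrsa -out "$CERT_DIR/hostname.key" 2048
    openssl req -new -key "$CERT_DIR/hostname.key" -batch \
        -subj "/CN=$SERVER_FQDN" -addext "subjectAltName=DNS:$SERVER_FQDN" \
        -out "$CERT_DIR/hostname.csr"
}

# Step 3: sign with the root CA. "openssl x509 -req" does not carry the CSR's
# extensions into the certificate by default, so the SAN and the
# server-authentication usage are supplied again through -extfile.
sign_server_cert() {
    cat > "$CERT_DIR/hostname.ext" <<EOF
basicConstraints=CA:FALSE
keyUsage=digitalSignature,keyEncipherment
extendedKeyUsage=serverAuth
subjectAltName=DNS:$SERVER_FQDN
EOF
    openssl x509 -req -in "$CERT_DIR/hostname.csr" \
        -CA "$CERT_DIR/rootCA.crt" -CAkey "$CERT_DIR/rootCA.key" -passin "pass:$CA_PASS" \
        -CAcreateserial -days 3650 -sha256 -extfile "$CERT_DIR/hostname.ext" \
        -out "$CERT_DIR/hostname.crt"
}

# Check 1: the validation a client that trusts rootCA.crt will perform.
verify_chain() {
    openssl verify -CAfile "$CERT_DIR/rootCA.crt" "$CERT_DIR/hostname.crt" >/dev/null
}

# Check 2: the hostname must be present as a DNS entry in the SAN extension.
verify_san() {
    openssl x509 -in "$CERT_DIR/hostname.crt" -noout -ext subjectAltName |
        grep -q "DNS:$SERVER_FQDN"
}

# Check 3: the certificate and the private key stored together in the archive
# must belong to each other; compare the public key each one carries.
verify_key_matches_cert() {
    cert="$1"; key="$2"
    pub_from_cert=$(openssl x509 -in "$cert" -noout -pubkey)
    pub_from_key=$(openssl pkey -in "$key" -pubout)
    [ "$pub_from_cert" = "$pub_from_key" ]
}

main() {
    make_root_ca
    make_server_csr
    sign_server_cert
    verify_chain; echo "chain:    hostname.crt validates against rootCA.crt"
    verify_san;   echo "SAN:      DNS:$SERVER_FQDN present"
    verify_key_matches_cert "$CERT_DIR/hostname.crt" "$CERT_DIR/hostname.key"
    echo "key pair: hostname.crt matches hostname.key"
    echo "files written to $CERT_DIR"
}
main
```

Run it as `CERT_DIR=./certs SERVER_FQDN=myserver.corp.local sh make-certs.sh`. The passphrase is passed through -passin/-passout only to keep the run non-interactive; when you follow the page's commands by hand you type it at the prompt instead, and rootCA.key stays encrypted either way. The pairing check is the one to keep handy: a certificate copied into the archive next to a private key that does not belong to it fails the TLS handshake just as surely as a missing root.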

Verify the certificate

  1. Under Certificates, right-click on {server_name}.

    Figure: OIDC-Cert-Step-11

  2. Select Open.

  3. Review the certificate information.

    Figure: OIDC-Cert-Step-12

  4. On the Details tab, select Subject Alternative Name to verify DNS and IP entries.

    Figure: OIDC-Cert-Step-13

  5. Select OK and exit the console.

Store the signed server certificate

Replace the following files in VD$A\Configuration\Local, located in the server archive:

  • ApiCertificate and CSCCertificate: with a copy of D:\certs\rootCA.crt
  • ApiPrivateKey and CSCPrivateKey: with a copy of D:\certs\hostname.key

Store them under these exact names, with no file extension.

Warning

After replacing these files, you must update EVERY octoplant client computer. Otherwise, clients will not be able to connect.

If D:\certs\rootCA.crt is installed as a trusted root authority on every client, and the server name used by the client matches the Common Name, no further steps are needed.

If not, delete the knownhosts.txt file:

  • In the client archive of every client: \vdClientArchive\VD$A\Configuration\Local
  • In the server archive of the server: \vdServerArchive\VD$A\Configuration\Local

The certificate creation process is complete. Now you can:
