
Using your own security certificate

Info

This procedure, combined with a proper Certificate Authority (internal or external), will fix NET::ERR_CERT_AUTHORITY_INVALID errors.

octoplant will create a self-signed certificate and private key automatically at runtime.

If you wish to use your own certificate for OIDC instead of the one created by octoplant, follow this optional procedure. It is intended mainly for the IT department or a domain administrator.

Configuration in octoplant

To use your own certificate, create a 41388 entry in the server.ini file under the [Common] section as shown below:

[Common]
41388=https://{server name}

Use the name of your server in place of {server name} here and in the instructions below.

Valid 41388 entry examples:

The base URI in the entry 41388=https://{server name} may also take one of the following forms:

  • https://localhost:64021/octoplant/
  • https://octo.plant.localhost:123
  • https://octoplant.landau.amdt.com:64023
  • https://192.168.178.12:5555
  • https://[::abcd:1234:dcba]:9999
  • http://octo.ld.auvesy.de

Info

The host or domain name must contain ASCII characters only. If the name contains Unicode characters, replace them with their punycode representation.
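As an added example (not part of the octoplant documentation or product), the following Python function applies the rules above to a candidate base URI: it accepts only http or https, keeps IPv6 literals in bracket form, preserves port and path, and converts a Unicode host name to its punycode form with Python's built-in idna codec, so the resulting 41388 entry is always ASCII. The function names and the sample URIs are constructed for this example.

```python
from urllib.parse import urlsplit

ALLOWED_SCHEMES = ("https", "http")


def normalize_base_uri(uri: str) -> str:
    """Return the base URI in the form the 41388 entry expects.

    Rules applied (from the documentation above):
      * scheme must be http or https
      * the host must be ASCII; Unicode labels are converted to punycode
      * IPv6 literals stay bracketed; port and path are preserved
    """
    parts = urlsplit(uri)
    if parts.scheme not in ALLOWED_SCHEMES:
        raise ValueError(f"unsupported scheme {parts.scheme!r}")
    host = parts.hostname  # lower-cased; brackets removed for IPv6 literals
    if not host:
        raise ValueError("base URI has no host")

    if ":" in host:
        # IPv6 literal: always ASCII, but must be put back into brackets
        ascii_host = f"[{host}]"
    else:
        try:
            host.encode("ascii")
            ascii_host = host
        except UnicodeEncodeError:
            # Python's idna codec emits the punycode (xn--) labels that
            # the documentation asks for
            ascii_host = host.encode("idna").decode("ascii")

    netloc = ascii_host if parts.port is None else f"{ascii_host}:{parts.port}"
    return f"{parts.scheme}://{netloc}{parts.path}"


def server_ini_entry(uri: str) -> str:
    """Render the [Common] section line for server.ini (hypothetical helper)."""
    return f"[Common]\n41388={normalize_base_uri(uri)}\n"


if __name__ == "__main__":
    # constructed sample input containing a non-ASCII label
    print(server_ini_entry("https://octo.plänt.localhost:123"))
```

Run the script directly to see the normalized entry for a constructed host name; an unsupported scheme or a URI without a host raises ValueError rather than producing an entry octoplant would reject at runtime.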

Creating the SSL certificate

  1. Install OpenSSL.
  2. Create an empty text file named sssan.conf in the folder containing the OpenSSL.exe file.

    The folder may vary depending on your OpenSSL distribution.

  3. Open the sssan.conf file in Notepad or another plain text editor, and paste the following content:

    [req]
    default_bits = 4096
    prompt = no
    default_md = sha256
    x509_extensions = v3_req
    distinguished_name = dn
    
    [dn]
    C = {insert country code}   # Typically 2 characters, such as US or DE
    O = {insert company name}   # < 64 characters
    CN = {insert_server_name}   # < 64 characters
    
    [v3_req]
    subjectAltName = @alt_names
    
    [alt_names]
    DNS.1 = {insert_server_name}
    
  4. Open a Command Prompt with administrator rights.

  5. Navigate to the OpenSSL executable folder.
  6. Set the environment variable OPENSSL_CONF. Enter the following command in the shell:

    SET OPENSSL_CONF={full path to the OpenSSL executable folder}\openssl.cfg

  7. Generate the SSL certificate with SAN. Enter the following command:

    openssl.exe req -new -x509 -newkey rsa:4096 -sha256 -nodes -keyout "{insert cert location}\server.key" -days 3560 -out "{insert cert location}\cert.crt" -config "sssan.conf"
    

    This will create two files in the chosen certificate directory:

    • server.key: A private key file
    • cert.crt: The certificate

    Info

    If you receive the following error message when creating the certificates:

    Error making certificate request 74110000:error:06800097:asn1 encoding routines:ASN1_mbstring_ncopy:string too long:crypto\asn1\a_mbstr.c:106:maxsize=2

    Check the three parameters in the [dn] section of your sssan.conf file for trailing spaces after the values, especially the C (country code) parameter, and remove them.

    [dn]
    C = {insert country code}   # Typically 2 characters, such as US or DE
    O = {insert company name}   # < 64 characters
    CN = {insert_server_name}   # < 64 characters
    
    
  8. Keep the administrator shell open if you plan to install the certificate on the server.

    Warning

    Replacing the ApiCertificate file with a new certificate (whether self-signed or externally created) requires updates on EVERY octoplant client computer. Otherwise you won't be able to access the clients. To avoid this, delete the knownhosts.txt file:

    • on EVERY installed client in its client archive: \vdClientArchive\VD$A\Configuration\Local
    • on the server computer in its server archive: \vdServerArchive\VD$A\Configuration\Local and in its client archive.
  9. To replace the ApiCertificate file with a new certificate, rename the certificate files in the vdServerArchive\VD$A\configuration\Local directory:

    • cert.crt to ApiCertificate (no extension)
    • server.key to ApiPrivateKey (no extension)
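As an added example that is not part of the octoplant documentation, the Python script below renders sssan.conf from variables, enforcing the limits OpenSSL applies to the [dn] values (C exactly two characters, O and CN shorter than 64 characters) and stripping trailing whitespace, one cause of the "string too long ... maxsize=2" error from the Info box above. It then runs the openssl command from step 7 if an openssl binary is on PATH, dumps the certificate text so the Subject Alternative Name can be checked, and copies the files into an archive Local directory under the ApiCertificate and ApiPrivateKey names from step 9, removing knownhosts.txt as the warning describes. The function names, the output directory and the sample values (Example GmbH, octoplant.example.local) are constructed assumptions.

```python
import shutil
import subprocess
from pathlib import Path
from typing import Optional, Tuple

MAX_LEN = 64  # O and CN must be shorter than 64 characters


def build_sssan_conf(country: str, organization: str, server_name: str) -> str:
    """Render sssan.conf with the values checked the way OpenSSL checks them.

    Trailing whitespace is stripped: a value such as "US " is longer than the
    two characters allowed for C and triggers the "string too long" error.
    """
    country = country.strip().upper()
    organization = organization.strip()
    server_name = server_name.strip()
    if len(country) != 2 or not country.isalpha():
        raise ValueError(f"country code must be 2 letters, got {country!r}")
    for label, value in (("O", organization), ("CN", server_name)):
        if not value or len(value) >= MAX_LEN:
            raise ValueError(f"{label} must be 1..{MAX_LEN - 1} characters")
    if not server_name.isascii():
        raise ValueError("server name must be ASCII (use punycode)")
    return "\n".join([
        "[req]",
        "default_bits = 4096",
        "prompt = no",
        "default_md = sha256",
        "x509_extensions = v3_req",
        "distinguished_name = dn",
        "",
        "[dn]",
        f"C = {country}",
        f"O = {organization}",
        f"CN = {server_name}",
        "",
        "[v3_req]",
        "subjectAltName = @alt_names",
        "",
        "[alt_names]",
        f"DNS.1 = {server_name}",  # SAN entry for the server name
        "",
    ])


def generate_certificate(conf_text: str, out_dir: Path,
                         days: int = 3560) -> Optional[Tuple[Path, Path]]:
    """Run the openssl command from step 7.

    Returns (key, cert) paths, or None when no openssl binary is on PATH.
    """
    openssl = shutil.which("openssl")
    if openssl is None:
        return None
    out_dir.mkdir(parents=True, exist_ok=True)
    conf = out_dir / "sssan.conf"
    conf.write_text(conf_text)
    key, cert = out_dir / "server.key", out_dir / "cert.crt"
    subprocess.run(
        [openssl, "req", "-new", "-x509", "-newkey", "rsa:4096", "-sha256",
         "-nodes", "-keyout", str(key), "-days", str(days), "-out", str(cert),
         "-config", str(conf)],
        check=True, capture_output=True)
    return key, cert


def certificate_text(cert: Path) -> str:
    """Decoded certificate (the SAN appears as 'DNS:<server name>')."""
    openssl = shutil.which("openssl")
    if openssl is None:
        raise RuntimeError("openssl not found on PATH")
    return subprocess.run([openssl, "x509", "-in", str(cert), "-noout", "-text"],
                          check=True, capture_output=True, text=True).stdout


def install_into_archive(key: Path, cert: Path, local_dir: Path) -> Tuple[Path, Path]:
    """Step 9: copy the files under the names octoplant expects (no extension)
    and remove knownhosts.txt so the new certificate is accepted again.
    local_dir is the archive's ...\\VD$A\\Configuration\\Local folder (assumed)."""
    local_dir.mkdir(parents=True, exist_ok=True)
    api_cert = local_dir / "ApiCertificate"
    api_key = local_dir / "ApiPrivateKey"
    shutil.copyfile(cert, api_cert)
    shutil.copyfile(key, api_key)
    (local_dir / "knownhosts.txt").unlink(missing_ok=True)
    return api_key, api_cert


if __name__ == "__main__":
    # constructed sample values; the output directory is an assumption
    conf = build_sssan_conf("DE", "Example GmbH", "octoplant.example.local")
    result = generate_certificate(conf, Path("certs"))
    if result is not None:
        key_path, cert_path = result
        print(certificate_text(cert_path))
        install_into_archive(key_path, cert_path, Path("certs") / "Local")
    else:
        print(conf)
```

The validation in build_sssan_conf fails before openssl is invoked, so a typo in the country code or a server name that still contains Unicode characters is reported as a plain error instead of the ASN.1 message quoted above. The script leaves the private key in the chosen directory with the permissions of the user running it; restrict access to that folder as you would for any server key.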

The certificate creation process is now complete. You can:

Installing the certificate on the server

  1. Open Microsoft Management Console with administrator rights by typing mmc at the administrator shell prompt and pressing Enter.

  2. The Microsoft Management Console opens.

    Figure: MMC

  3. Create a new console snap-in:

    1. Select File -> Add/Remove Snap-in….

      The Add or Remove Snap-ins dialog appears:

      Figure: OIDC-Cert-Step-1

    2. Select Certificates, and then the Add button.

      The Certificates snap-in wizard will appear:

      Figure: OIDC-Cert-Step-2

    3. Select the Computer account radio button then the Next> button.

      The Select Computer dialog will appear:

      Figure: OIDC-Cert-Step-3

    4. Select the Local computer radio button then the Finish button.

    5. Select the OK button on the Add or Remove Snap-ins dialog.
  4. Expand Certificates under the Console Root.

    1. Right-click on Trusted Root Certification Authorities.
    2. Select All Tasks.
    3. Then select Import, as in the following illustration:

      Figure: OIDC-Cert-Step-4

      The Certificate Import Wizard will appear:

      Figure: OIDC-Cert-Step-5

  5. Select the Next button.

  6. Select the Browse button.

    A Windows Explorer dialog will open:

    Figure: OIDC-Cert-Step-6

    1. Browse to the location where you saved the ApiCertificate above, then select it.

    2. Select the Open button.

      The Certificate Import Wizard will display the file:

      Figure: OIDC-Cert-Step-7

  7. Select the Next button.

    The next step is to verify the Certificate Store location:

    Figure: OIDC-Cert-Step-8

    Verify the certificate store is the Trusted Root Certification Authorities.

  8. Select the Next button.

    The wizard will display the results:

    Figure: OIDC-Cert-Step-9

  9. Verify the settings for this certificate.

  10. Select the Finish button to complete the wizard.

    The wizard will complete the import and display a dialog:

    Figure: OIDC-Cert-Step-10

  11. Select the OK button.

Verifying the certificate

  1. Under Certificates, find and right-click on {server_name}:

    Figure: OIDC-Cert-Step-11

  2. Select the Open menu item.

  3. The certificate information will be displayed:

    Figure: OIDC-Cert-Step-12

  4. Select the Details tab, then the Subject Alternative Name to see the DNS and IP information you entered for this certificate:

    Figure: OIDC-Cert-Step-13

  5. Select the OK button, and exit the console.