Using your own security certificate

Info

This procedure, combined with a proper Certificate Authority (internal or external), will fix NET::ERR_CERT_AUTHORITY_INVALID errors.

octoplant will create a self-signed certificate and private key automatically at run time.

If you wish to use your own certificate for OIDC instead of the one created by octoplant, follow this optional procedure. The description is most useful for the IT department or a domain manager.

Configuration in octoplant

To use your own certificate, create a 41388 entry in the server.ini file under the [Common] section as shown below:

[Common]
41388=https://{server name}

Use the name of your server in place of {server name} here and in the instructions below.

Valid 41388 entry examples:

Other valid base URIs for the entry 41388=https://{server name} could be similar to one of the following:

  • https://localhost:64021/octoplant/
  • https://octo.plant.localhost:123
  • https://octoplant.landau.auvesy-mdt.com:64023
  • https://192.168.178.12:5555
  • https://[::abcd:1234:dcba]:9999
  • http://octo.ld.auvesy.de

Info

The host or domain name must contain ASCII characters only. If it contains Unicode characters, you must replace them with their punycode representation.

Creating the SSL certificate

  1. Install OpenSSL.
  2. Create an empty text file named sssan.conf in the OpenSSL executable folder.

    The executable folder will be the one with openssl.exe in it. It may vary depending on the OpenSSL distribution.

  3. Edit the new sssan.conf file with Notepad or a similar plain text editor. Enter the following text into that file and save it.

    [req]
    default_bits = 4096
    prompt = no
    default_md = sha256
    x509_extensions = v3_req
    distinguished_name = dn
    
    [dn]
    C = {insert country code}
    O = {insert company name}
    CN = {insert_server_name}
    
    [v3_req]
    subjectAltName = @alt_names
    
    [alt_names]
    DNS.1 = {insert_server_name}
    
  4. Open a CMD shell with administrator rights.

  5. In the shell, change to the OpenSSL executable folder.
  6. Set the environment property OPENSSL_CONF. Enter the following in the shell:

    SET OPENSSL_CONF={full path to the OpenSSL executable folder}\openssl.cfg

  7. To generate an SSL certificate with SAN, enter the following in the shell:

    openssl.exe req -new -x509 -newkey rsa:4096 -sha256 -nodes -keyout "{insert cert location}\server.key" -days 3560 -out "{insert cert location}\cert.crt" -config "sssan.conf"
    

    This will create two files in the chosen certificate directory:

    • server.key: A private key file
    • cert.crt: The certificate
  8. Leave the administrator shell open if you will install the certificate on the server.

  9. Move to the configuration local directory.

  10. Rename the following files:

    • cert.crt to ApiCertificate (no extension)
    • server.key to ApiPrivateKey (no extension)
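
An added example (not octoplant's own code) that derives both the 41388 line and the sssan.conf text from one base URI. It goes beyond the DNS-only case in the procedure: Unicode host names are converted to punycode, and IP-literal hosts get an IP.1 SAN entry, which is standard OpenSSL configuration syntax but is not shown above. The function name build_entries and the sample values are hypothetical.

```python
import ipaddress
from urllib.parse import urlsplit

# Mirrors the sssan.conf shown in the procedure; only the values are filled in.
TEMPLATE = """[req]
default_bits = 4096
prompt = no
default_md = sha256
x509_extensions = v3_req
distinguished_name = dn

[dn]
C = {country}
O = {company}
CN = {name}

[v3_req]
subjectAltName = @alt_names

[alt_names]
{san}
"""

def build_entries(base_uri, country, company):
    """Return (server.ini line, sssan.conf text) for one base URI."""
    parts = urlsplit(base_uri)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        raise ValueError(f"not a usable base URI: {base_uri!r}")
    host = parts.hostname            # IPv6 brackets are already stripped here
    try:
        ip = ipaddress.ip_address(host)
        name, san = str(ip), f"IP.1 = {ip}"   # IP literals need an IP SAN, not DNS
        shown = f"[{ip}]" if ip.version == 6 else str(ip)
    except ValueError:
        # Not an IP: convert Unicode labels to punycode (stdlib codec, IDNA 2003)
        name = shown = host.encode("idna").decode("ascii")
        san = f"DNS.1 = {name}"
    port = f":{parts.port}" if parts.port else ""
    ini = f"41388={parts.scheme}://{shown}{port}{parts.path}"
    conf = TEMPLATE.format(country=country, company=company, name=name, san=san)
    return ini, conf

if __name__ == "__main__":
    # Constructed sample values, not taken from a real installation
    for uri in ("https://b\u00fccher.example:64023", "https://192.168.178.12:5555"):
        ini, conf = build_entries(uri, "DE", "Example GmbH")
        print(ini)
        print(conf)
```

Browsers match the host in the address bar against the SAN entries, so the value written to [alt_names] must be the same host that appears in the 41388 entry.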

The certificate creation process is complete. Now you can:

Installing the certificate on the server

  1. Open Microsoft Management Console with administrator rights by typing mmc<Enter> at the shell command line.

  2. The Microsoft Management Console opens.

    Figure: MMC

  3. Create a new console snap-in:

    1. Select File -> Add/Remove Snap-in….

      The Add or Remove Snap-ins dialog appears:

      Figure: OIDC-Cert-Step-1

    2. Select Certificates, and then the Add button.

      The Certificates snap-in wizard will appear:

      Figure: OIDC-Cert-Step-2

    3. Select the Computer account radio button then the Next> button.

      The Select Computer dialog will appear:

      Figure: OIDC-Cert-Step-3

    4. Select the Local computer radio button then the Finish button.

    5. Select the OK button on the Add or Remove Snap-ins dialog.
  4. Expand Certificates under the Console Root.

    1. Right-click on Trusted Root Certification Authorities.
    2. Select All Tasks.
    3. Then select Import, as in the following illustration:

      Figure: OIDC-Cert-Step-4

      The Certificate Import Wizard will appear:

      Figure: OIDC-Cert-Step-5

  5. Select the Next button.

  6. Select the Browse button.

    A Windows Explorer dialog will open:

    Figure: OIDC-Cert-Step-6

    1. Browse to the location where you saved the ApiCertificate above, then select it.

    2. Select the Open button.

      The Certificate Import Wizard will display the file:

      Figure: OIDC-Cert-Step-7

  7. Select the Next button.

    The next step is to verify the Certificate Store location:

    Figure: OIDC-Cert-Step-8

    Verify that the certificate store is Trusted Root Certification Authorities.

  8. Select the Next button.

    The wizard will display the results:

    Figure: OIDC-Cert-Step-9

  9. Verify the settings for this certificate.

  10. Select the Finish button to complete the wizard.

    The wizard will complete the import and display a dialog:

    Figure: OIDC-Cert-Step-10

  11. Select the OK button.

Verifying the certificate

  1. Under Certificates, find and right-click on {server_name}:

    Figure: OIDC-Cert-Step-11

  2. Select the Open menu item.

  3. The certificate information will be displayed:

    Figure: OIDC-Cert-Step-12

  4. Select the Details tab, then the Subject Alternative Name to see the DNS and IP information you entered for this certificate:

    Figure: OIDC-Cert-Step-13

  5. Select the OK button, and exit the console.