Issue
There is no fully detailed explanation of how to install an SSL Certificate from an External CA
Product Line
EcoStruxure Building Operation
Environment
- Building Operation Enterprise Server
- Building Operation Automation Server
Cause
Installing an SSL certificate from an external CA can fail
Resolution
- Configure a DNS name for the AS/ES (this prevents the certificate from being locked down to a specific IP).
- For example, configure an A record for "AS_Name".com
- Purchase an SSL certificate through a 3rd party, or use your organization's internal CA/root CA
- Download and install OpenSSL, or use the OpenSSL installed with EBO
- Run Command Prompt as an administrator
- Use the command "cd c:\program files\OpenSSL-Win64\bin"
- Use OpenSSL to generate a CSR in order to obtain the certificate from the 3rd party
- openssl req -new -newkey rsa:2048 -nodes -keyout EcoStruxure.key -out EcoStruxure.csr
- Follow the prompts to fill out the information for the CSR
- Supply CSR, other certificate contact information, and a means of validating the request to the 3rd party CA
- Verify identity with the CA (this may not be necessary if you use your company's internal CA/root CA)
- Receive host and intermediate CA certificates from 3rd party CA
- Make sure the CRT/CER files are in the C:\Program Files\OpenSSL-Win64\bin directory of Windows Explorer
- Use OpenSSL to convert the CRT or CER files into PEM files, as PEM is the only format EBO will accept
- openssl x509 -in certFileName.cer -outform PEM -out convertedCertFileName.pem
- Use OpenSSL to convert the private key file generated at step 6 from .key to .prv
- openssl rsa -inform pem -in filename.key -out filename.prv
- Run WorkStation as administrator
- In WorkStation, go to Control Panel > Certificates and click on the server you are trying to add the cert to, either an AS or ES.
- Click on Manage Certificates > Add Existing
- Put in a name for the certificate (it can be anything you'd like)
- Click the ellipsis next to host, intermediate, and private to add the appropriate PEM files and click OK
- Select the newly added certificate from the drop-down and save the changes to activate
- Warm start the server
After this process is completed, verify that the connection to WebStation via HTTPS shows a secure connection/trusted certificate.
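
An added example, not part of the original article or of the product's own tooling: a PowerShell pre-check to run before the Add Existing step. It confirms that the three files are PEM, that the private key matches the host certificate, that the intermediate issued it, and that it covers the DNS name. The intermediate file name and the DNS name are placeholders, and OpenSSL 1.0.2 or later is assumed for -partial_chain and -checkhost.

```powershell
# Added example: pre-upload checks for the three files given to EBO.
# The intermediate file name and DNS name are placeholders (assumptions).
param(
    [string]$HostCert     = 'convertedCertFileName.pem',
    [string]$Intermediate = 'intermediateCA.pem',        # hypothetical file name
    [string]$PrivateKey   = 'filename.prv',
    [string]$DnsName      = 'as-name.example.com',       # hypothetical A record
    [string]$OpenSsl      = 'C:\Program Files\OpenSSL-Win64\bin\openssl.exe'
)

$failures = @()

# 1. All three files must be PEM text, the only format EBO accepts.
foreach ($f in $HostCert, $Intermediate, $PrivateKey) {
    if (-not (Select-String -Path $f -Pattern '^-----BEGIN ' -Quiet)) {
        $failures += "$f is not PEM encoded"
    }
}

# 2. The certificate must carry the public half of the key made with the CSR.
$certPub = (& $OpenSsl x509 -in $HostCert -noout -pubkey) -join "`n"
$keyPub  = (& $OpenSsl pkey -in $PrivateKey -pubout) -join "`n"
if (-not $certPub -or $certPub -cne $keyPub) {           # -cne: case-sensitive
    $failures += 'private key does not match the host certificate'
}

# 3. The host certificate must verify against the supplied intermediate.
#    -partial_chain treats the intermediate as the anchor, so no root is needed.
& $OpenSsl verify -partial_chain -CAfile $Intermediate $HostCert | Out-Null
if ($LASTEXITCODE -ne 0) {
    $failures += 'host certificate does not verify against the intermediate'
}

# 4. The DNS name configured for the AS/ES must be covered by the certificate.
$hostCheck = (& $OpenSsl x509 -in $HostCert -noout -checkhost $DnsName) -join ' '
if ($hostCheck -notmatch 'does match certificate') {
    $failures += "certificate is not valid for $DnsName"
}

# 5. The certificate must not be expired (-checkend exits 1 if it is).
& $OpenSsl x509 -in $HostCert -noout -checkend 0 | Out-Null
if ($LASTEXITCODE -ne 0) { $failures += 'host certificate has expired' }

if ($failures) { $failures | ForEach-Object { Write-Warning $_ }; exit 1 }
Write-Output 'All checks passed; the files are ready for Add Existing.'
```

The -nodes option in the CSR command writes the private key unencrypted, so once the certificate is active, delete the .key and .prv copies left in the OpenSSL bin directory or move them to access-restricted storage.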