Issue
There is no information on how to create and prepare signed certificates for import in Building Operation. The PEM file format has to be used. If another format is used or the certificate files are not correct, the import fails with a message like this: SAXParseException: Reference to invalid character number in line X column Y
Product Line
EcoStruxure Building Operation
Environment
Certificates
Cause
There is no information on how to create signed certificates in Building Operation.
Resolution
- Complete a Certificate Request and then request a certificate in PEM format in a .pfx file "container".
- Extract the CA certificate, Intermediate certificate, and private key using the following OpenSSL commands.
- After executing each command, enter the password if prompted.
- Make sure you reference the right pfx file. Below, filename.pfx is used as an example.
- Make sure you enter the commands manually and do not copy/paste from this article.
- Download the OpenSSL tool here or use the OpenSSL installed with EBO.
- openssl pkcs12 -in filename.pfx -out host.pem -nodes -clcerts -nokeys
- openssl pkcs12 -in filename.pfx -out inter.pem -nodes -cacerts -nokeys
- openssl pkcs12 -in filename.pfx -out privkey.prv -nodes -nocerts
- The three files produced must then be stripped of any characters that are not part of the certificate or key itself, so that each file contains only PEM-format content (or PRV for the private key). In practice this means removing all the characters before "-----BEGIN CERTIFICATE-----" or after "-----END CERTIFICATE-----". Ensure each file ends with a blank line and that a blank line separates each section. This can be done in any text editor; however, this example uses Notepad++ with the "Show All Characters" button selected.
- Import the files into SBO using the certificate manager in the Control panel.
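The cleanup step above can also be scripted. The following Python sketch is an added example, not part of the original article or of Building Operation: it keeps only the BEGIN/END blocks, rejects blocks whose body is not plain base64, and writes a blank line after every section. The function name clean_pem, the ".clean" output suffix and the sample data are assumptions made for illustration.

```python
import re
import sys

# One PEM block; the label must be identical on the BEGIN and END lines.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)\r?\n-----END \1-----", re.DOTALL)
BASE64_LINE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")

# Constructed sample shaped like `openssl pkcs12 -nokeys` output. The base64
# bodies are placeholder data, not real certificates.
SAMPLE = (
    "Bag Attributes\r\n"
    "    localKeyID: 01 00 00 00\r\n"
    "subject=CN = ebo.example.local\r\n"
    "-----BEGIN CERTIFICATE-----\r\n"
    "TUlJQ29uc3RydWN0ZWRQbGFjZWhvbGRlckRhdGE=\r\n"
    "-----END CERTIFICATE-----\r\n"
    "Bag Attributes: <No Attributes>\r\n"
    "subject=CN = Example Issuing CA\r\n"
    "-----BEGIN CERTIFICATE-----\r\n"
    "QW5vdGhlckNvbnN0cnVjdGVkUGxhY2Vob2xkZXI=\r\n"
    "-----END CERTIFICATE-----\r\n"
)


def clean_pem(text):
    """Keep only the PEM blocks of text, with a blank line after each one."""
    blocks = []
    for match in PEM_BLOCK.finditer(text):
        label, body = match.group(1), match.group(2)
        lines = [ln.strip() for ln in body.splitlines() if ln.strip()]
        for ln in lines:
            # A PEM body is base64 only; anything else is leftover debris.
            if not BASE64_LINE.match(ln):
                raise ValueError(f"non-base64 line in {label} block: {ln!r}")
        blocks.append("\n".join(
            [f"-----BEGIN {label}-----", *lines, f"-----END {label}-----", ""]))
    if not blocks:
        raise ValueError("no PEM block found")
    # Joining with "\n" leaves a blank line between sections and at the end.
    return "\n".join(blocks) + "\n"


if __name__ == "__main__":
    # Usage: python clean_pem.py host.pem inter.pem privkey.prv
    for path in sys.argv[1:]:
        with open(path, encoding="utf-8-sig", errors="replace") as f:
            cleaned = clean_pem(f.read())
        with open(path + ".clean", "w", encoding="ascii", newline="\n") as f:
            f.write(cleaned)
```

The script writes a cleaned copy next to each input file and leaves the original untouched; the copy of privkey.prv is an unencrypted private key and needs the same file protection as the original.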
File type conversion
If the host and intermediate certificate are in crt, cer or der format, you can convert them to pem format using the following method/command:
openssl x509 -outform der -in certificate.cer -out certificate.der
openssl x509 -inform der -in certificate.der -out certificate.pem
Replace "certificate.cer" with the name of your file.
Determining certificate file type
To determine which filetype a given certificate file has (PEM, DER, or pkcs12/pfx), you can use the following commands (replace "cert.crt" with the name of your file). A valid output will confirm the file type.
PEM
openssl x509 -in cert.crt -text
DER
openssl x509 -in cert.crt -inform DER -text
pkcs12/pfx
openssl pkcs12 -in cert.crt -info