Overview (Signing Service)

The Signing Service, added in Niagara 4.13, is a service to which components within running stations may securely submit Certificate Signing Requests (CSRs). Components do this to obtain signed X509 certificates and, later, to request renewal of those certificates before they expire. The Signing Service fulfills these requests by returning certificates signed by a designated Certificate Authority (CA).

Use:

Any component that requires a signed certificate to fulfill its functionality may be a suitable candidate for the Signing Service. This could be a component that uses a certificate as a means of authentication with an external service or protocol. It could also be a component that accepts connections from outside clients and uses a server certificate to prove its identity. For a list of components that can currently utilize the Signing Service, see “Supported components” below.

Benefits:

  • Using the Signing Service removes the effort of manually generating an individual X509 certificate specific to each component that requires one, and the additional task of manually signing that certificate with a CA.
  • Once components are onboarded with the Signing Service, they automatically request new certificates before the current ones expire, which saves the time of repeatedly recommissioning a fleet of controllers.
  • It promotes the good security practice of shorter certificate expiry periods.

This service is tailored to the need for stations to generate and renew one of many types of certificate on a rolling basis.
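
The request, sign and renew cycle described above, sketched with the OpenSSL command line standing in for the CA. This is an added example, not Niagara code or the Signing Service's own interface; the names demo-ca and station-component, the 7-day validity and the 2-day renewal window are constructed values.

```shell
#!/bin/sh
# Added illustration: OpenSSL plays the CA role; this is not the Niagara API.
set -e

# CA side: create a throwaway CA key and self-signed CA certificate in $1.
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -subj "/CN=demo-ca" -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null
}

# Component side: generate a key pair and a CSR for component name $2.
# Only the CSR is handed to the CA; the private key stays with the component.
make_csr() {
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" \
        -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null
}

# CA side: sign the CSR of component $2 with a validity of $3 days.
sign_csr() {
    openssl x509 -req -in "$1/$2.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" \
        -CAcreateserial -days "$3" -out "$1/$2.crt" 2>/dev/null
}

# Exit 0 when certificate $1 expires within $2 days (renewal is due).
# "openssl x509 -checkend" exits non-zero in that case, so invert it.
needs_renewal() {
    ! openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

# Periodic check: re-enroll only inside the renewal window.
# $1 = dir, $2 = component name, $3 = validity days, $4 = window days
renew_if_due() {
    if needs_renewal "$1/$2.crt" "$4"; then
        make_csr "$1" "$2"      # fresh key pair for the renewed certificate
        sign_csr "$1" "$2" "$3"
        echo renewed
    else
        echo current
    fi
}

# Demo with constructed values: 7-day certificate, 2-day renewal window.
dir=$(mktemp -d)
make_ca "$dir"
make_csr "$dir" station-component
sign_csr "$dir" station-component 7
openssl verify -CAfile "$dir/ca.crt" "$dir/station-component.crt"
renew_if_due "$dir" station-component 7 2
```

A short validity period is only practical when the renewal check runs unattended, which is the link between the automatic renewal and the shorter expiry periods listed under Benefits.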