Signing Service — FAQs

Q: My Web Service has signed certificates, so why does my browser still show a warning when connecting to the station?

A: Ensure that the CA certificate that signed your Web Service certificate exists in the Trusted Certificate Authorities store on your browser’s host OS. Also confirm that the certificate’s Subject Alternative Name extension contains a value that matches the host/domain name or IP address as it appears in the browser address bar.
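
The Subject Alternative Name check described above can be reproduced offline. This is an added example, not code from the product or its documentation. The function names are hypothetical, the SAN entries are assumed to be `(type, value)` pairs in the shape Python's `ssl.getpeercert()` returns under `subjectAltName`, and the sample values are constructed:

```python
import ipaddress

def _dns_match(pattern, host):
    """Compare one dNSName SAN with the host name, case-insensitively.
    '*' is honoured only as the whole left-most label and covers one label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*" and len(p) > 2:   # conservative: refuse '*.tld'
        return h[0] != "" and p[1:] == h[1:]
    return p == h

def san_matches(address_bar_host, san_entries):
    """san_entries: (type, value) pairs, e.g. ('DNS', 'a.example.com')."""
    host = address_bar_host.strip("[]")   # IPv6 literals appear in brackets
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None
    for kind, value in san_entries:
        if ip is not None:
            # An IP in the address bar needs an iPAddress SAN; a dNSName
            # containing the same digits does not count.
            if kind == "IP Address" and ipaddress.ip_address(value.strip()) == ip:
                return True
        elif kind == "DNS" and _dns_match(value, host):
            return True
    return False

# Constructed sample SAN list (not taken from any real certificate).
SAMPLE_SAN = (
    ("DNS", "station1.example.com"),
    ("DNS", "*.bms.example.com"),
    ("IP Address", "192.0.2.10"),
)

if __name__ == "__main__":
    for host in ("station1.example.com", "station1", "192.0.2.10",
                 "192.0.2.11", "jace7.bms.example.com"):
        verdict = "match" if san_matches(host, SAMPLE_SAN) else "NO MATCH -> warning"
        print(f"{host:26} {verdict}")
```

Pass the host exactly as typed in the address bar, without scheme or port; a short name such as `station1` fails when only the fully qualified name is in the certificate.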

Q: I have an existing self-signed certificate for my component/service. May I use it with the Signing Service to get it properly signed?

A: Yes. If you haven’t already, import the existing certificate into the User Key Store, and then set the alias and correct password in the Cert To Sign And Apply property of your component’s Signed Cert Config.

Q: My signing requester has an existing signed certificate, but instead of renewing it, I wish to replace the existing certificate with a newly generated one. Alternatively, I successfully onboarded a signed certificate, but I have since made configuration changes (to the profile or requester) and wish to replace the existing certificate with a newly generated one with the new settings applied. How do I do this?

A: You may simply change the alias/password for the certificate to sign and re-invoke the Onboard action. If you wish to retain the same alias, do the following:

  • Delete the certificate with the existing alias from the User Key Store on the requesting station.
  • From the Certificate Store (within the relevant Signing Profile on the station that contains the Signing Service), delete the record with the matching Requester Id.

Q: My signed certificates are due to expire. What do I need to do?

A: Components onboarded with the Signing Service will automatically renew their certificates (by default) when 8% of the certificate’s validity period remains. The Fox/Web Services will restart and begin using the renewed certificate immediately. Other components may use the new certificate when a current connection is broken and restored. It is advisable to check, prior to renewal, that the CA certificate on the relevant Signing Profile has not expired.

Q: My CA certificate is due to expire. What do I need to do?

A: If your new CA certificate will use the same alias as before, simply import the new CA into the User Key Store on which the Signing Service is running. If the alias has changed, you will additionally need to change the CA alias property in the relevant Signing Profiles.

If the CA has been used to sign the certificate for the Fox Service on a Supervisor prior to upgrade, install the new CA into the User Trust Store on all remote stations that make Niagara Network connections back to the Supervisor to achieve a seamless transition. A Supervisor Provisioning Job would be ideal in this situation. Additionally, install it into the User Trust Store of Workbench installations that connect to that Supervisor to avoid connection warnings.

If the CA has been used to sign the certificate for the Web Service on a Supervisor prior to upgrade, install the new CA into the Trusted Certificate Authorities store on the host OS of any browsers that connect to it, so that the connection is trusted by the browser.