This procedure describes how to use the Certificate
Wizard workflow to complete a series of certificate-related
steps for a platform and/or station.
You have the required authority to create certificates.
You are working in Workbench on a computer that is dedicated to certificate
management, is not on the Internet or the company’s LAN and is physically
secure in a vault or other secure location. You have a thumb drive
ready, to which you can copy the root CA certificate for safekeeping.
- In Workbench, open a localhost platform connection and in
the Application Director view click Stop to stop any station that is running.
- In the Nav tree, right-click on the platform and click Certificate Wizard.
The Certificate Wizard window opens, displaying options for certificate creation and installation.

- In addition to the default selections, configure two optional
properties.
- To export the root CA certificate with its private key, click
on Export the CA certificate. It is a good
idea to back up this certificate for archival storage in a secure
location.
- To configure the TLS version, .
Note:
TLSv1.0 and TLSv1.1 are still supported for backwards compatibility, but it is recommended to use TLSv1.2 and higher.
The Configure CA Certificate window opens for you to enter the root CA certificate information.

- In the Configure CA Certificate window,
fill in the form, and click OK.
- When prompted for a Private Key Password, enter and confirm a strong password (minimum 10 characters, include
at least one of each: a number, lowercase, and uppercase character),
and click OK. For example, Private123%.
The software creates the new root CA certificate in the
background. When complete, the wizard opens another
Configure CA Certificate window. This one is for the server certificate.

- In the Configure Server Certificate window, fill in the form, and click OK.
This process generates a server certificate that is ready
to be signed. The platform will never be a client, but the station
will routinely function as one, and, since the platform and the
station share the same trust store, only one server certificate is
required. You will need to run the wizard again when this certificate
expires.
Server certificate generation occurs in the background.
When complete, the wizard opens the Certificate Signing window.

Note: The server certificate
that is about to be signed is already selected. You cannot change
the selection. Also, the root CA certificate and the CA password are
already identified. There is no need to make other selections or entries.
- In the Certificate Signing window,
review the details (similar to the example shown) and click OK to continue.
Since we did not choose to export the CSR, the wizard
does not display it but proceeds directly to import the signed CSR
into the Supervisor station’s User Key Store and
the new root CA certificate into its User Trust Store.
When complete, the wizard opens the Certificate Export window.

- In the Certificate Export window,
in addition to the default selection, click the optional check box: Export the private key, enter the private key password,
and click OK.
By default, the wizard exports the root CA certificate with
only its public key. This is appropriate for distributing the root
CA certificate, which must be imported to the User Trust
Store of every platform/station throughout the enterprise,
any PC that hosts an instance of the Workbench, and any browser used to monitor and control
the system. You export a root CA certificate with its private key
only for the purpose of backing it up to a secure location.
The wizard opens the Certificate Export window.

- Use the folder icon to locate the storage location for
the exported root CA certificate in the localhost file system, such
as an added subfolder in your certManagement folder
(as shown) or a thumb drive, and click Save.
Within the certManagement folder, you can
create subfolders for storing certificates and certificate signing
requests (CSRs). In the above example, the RootCerts folder is a suitable
location for the root CA certificate with its public key, while the
Vault folder simulates a secure storage location for the root CA certificate
with its private key, which should be kept under lock and key.
On completion, the wizard acknowledges that the export
was successful.
- To continue, click OK.
The Select Station window opens.
- In the Select Station window, click
the drop-down list of all stations in the Platform Daemon Home, and
select the station to Set the TLS levels on, and click OK.
The wizard displays a progress summary as you complete
the various steps.

- When prompted with the message, “All operations are complete”,
click OK and Finish.
The wizard modifies the station’s .bog file in the Platform
Daemon Home.
The Certificate Wizard successfully generated
the new server certificate for the Supervisor PC, and the new root
CA certificate for use in signing other server certificates. Those
certificates are exported to the certManagement folder in the local
file system for subsequent use. Additionally, the wizard set the TLS
levels on the selected station to the selected value: TLSv1.2.
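
A check worth running on the export folder before anything in it is distributed: the following added example (not part of Workbench or of the original procedure) walks a certManagement-style folder and reports any file that contains a private key but sits outside the Vault subfolder. It assumes the exports are PEM text files; the RootCerts and Vault folder names come from the procedure above, while the file names and PEM bodies are constructed placeholders.

```python
import tempfile
from pathlib import Path

# PEM labels that mark private key material (PKCS#8, encrypted PKCS#8, PKCS#1, SEC1).
KEY_MARKERS = (
    b"-----BEGIN PRIVATE KEY-----",
    b"-----BEGIN ENCRYPTED PRIVATE KEY-----",
    b"-----BEGIN RSA PRIVATE KEY-----",
    b"-----BEGIN EC PRIVATE KEY-----",
)

def audit_exports(root, vault_name="Vault"):
    """Return relative paths of files under root that contain a private key
    but are stored outside the vault subfolder."""
    root = Path(root)
    misplaced = []
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        rel = path.relative_to(root)
        in_vault = len(rel.parts) > 1 and rel.parts[0].lower() == vault_name.lower()
        if in_vault:
            continue
        data = path.read_bytes()
        if any(marker in data for marker in KEY_MARKERS):
            misplaced.append(rel.as_posix())
    return sorted(misplaced)

def build_sample(root):
    """Constructed sample tree; the PEM bodies are placeholders, not real material."""
    cert = "-----BEGIN CERTIFICATE-----\nQ09OU1RSVUNURUQ=\n-----END CERTIFICATE-----\n"
    key = ("-----BEGIN ENCRYPTED PRIVATE KEY-----\nQ09OU1RSVUNURUQ=\n"
           "-----END ENCRYPTED PRIVATE KEY-----\n")
    files = {
        "RootCerts/rootCA.pem": cert,               # public export: fine to distribute
        "Vault/rootCA_with_key.pem": cert + key,    # backup with key: belongs here
        "RootCerts/rootCA_backup.pem": cert + key,  # key saved to the wrong folder
    }
    for name, body in files.items():
        target = Path(root) / name
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(body)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        for hit in audit_exports(tmp):
            print("private key outside Vault:", hit)
```

Binary export formats are not inspected by this check, so an empty result only covers PEM files.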