Certificate stores

Each platform and its station share the same set of certificate stores. A certificate store is where the system and standard Internet browsers keep certificates.
Figure 5.   Certificate Management stores (screen captures not reproduced here)

The screen captures show the User Key Store tab for three sets of certificate stores, which you can access from Workbench.

  1. Clicking Tools > Certificate Management opens the Workbench Certificate Management view.
  2. Four stores populate each Certificate Management view, each with a tab:
    • The User Key Store tab contains the platform/station’s server certificate.
    • The System Trust Store tab contains the root CA certificates (with only the public key of each) for the most common external certificate authorities.
    • The User Trust Store tab contains the root CA certificate (with only its public key) of the company when it serves as its own CA.
    • The Allowed Hosts tab contains the self-signed certificates that require human verification of their authenticity.

    Icons identify the state of each certificate in the tabs of the Certificate Management view.

    • A green shield with a check (tick) mark identifies signed certificates and approved exceptions (self-signed certificates that have been accepted).
    • A yellow shield with an exclamation mark identifies a self-signed certificate. A server certificate is one of these until it gets signed. The root CA certificate is forever one of these. There is no higher authority to sign it!
    • A red shield with a white X identifies a rejected exception.
  3. Expanding the localhost Platform node and double-clicking Certificate Management opens the localhost (PC) Certificate Management view. These stores belong to a PC’s platform and station.
  4. Expanding a controller Platform and double-clicking Certificate Management opens the controller’s Certificate Management view. These stores belong to a controller platform and station.

The called-out information above explains how to access the Certificate Management stores from each Workbench and Platform node. The same stores for each platform/station are also available under the Station node in the Nav tree by expanding Station > Config > Services > Platform Services, and double-clicking CertManagerService.

To access the same stores using the web UI, click Controller (System) Setup > Remote Devices > Certificate Management.

The goal for each platform/station is for its server certificate, which is visible in the User Key Store, to be signed (green shield) by a root CA certificate in either the System Trust Store or the User Trust Store, and for its Allowed Hosts tab to be empty.

To demonstrate all functions, this chapter assumes you are serving as your own CA (Certificate Authority). The steps require administrative privileges and use Workbench to create a root CA certificate, export server certificates, sign server certificate signing requests, import them back into the User Key Store, and import the root CA certificate into the station’s User Trust Store.
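The same self-CA workflow, reproduced with OpenSSL as an added example (this is not code from the Niagara documentation or from Workbench). It creates a root CA, generates a server key and CSR, signs the CSR with the root CA, and then classifies each certificate the way the shield icons above do: self-signed (yellow), chained to a root CA in the trust store (green), or neither (which Workbench would surface as an exception needing human approval). It assumes openssl 1.1.1 or later on the PATH, a scratch directory in $WORK, and the made-up host name jace-01.example.internal; in Workbench the CSR export, signing and import happen through the Certificate Management view rather than on the command line.

```shell
#!/bin/sh
# Added example, not part of the Niagara docs. Assumptions: openssl 1.1.1+ on
# PATH, scratch directory $WORK, constructed host name jace-01.example.internal.
set -eu
WORK="${WORK:-$(mktemp -d)}"

# A self-signed root CA: what the User Trust Store holds (public half only).
# The private key rootca.key stays with whoever acts as the CA.
make_root_ca() {            # $1 = file prefix, $2 = CN
  cat > "$WORK/$1.cnf" <<EOF
[req]
prompt = no
distinguished_name = dn
x509_extensions = ca_ext
[dn]
CN = $2
[ca_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
    -config "$WORK/$1.cnf" -keyout "$WORK/$1.key" -out "$WORK/$1.crt" 2>/dev/null
}

# Server key + CSR: the platform/station's User Key Store entry before signing.
make_server_csr() {         # $1 = host name used as CN and SAN
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=$1" \
    -keyout "$WORK/server.key" -out "$WORK/server.csr" 2>/dev/null
  cat > "$WORK/server.ext" <<EOF
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$1
EOF
  # The starting state: a self-signed server certificate (yellow shield).
  openssl x509 -req -in "$WORK/server.csr" -signkey "$WORK/server.key" \
    -days 365 -sha256 -extfile "$WORK/server.ext" \
    -out "$WORK/server-selfsigned.crt" 2>/dev/null
}

# Sign the CSR with the root CA; this is the certificate that gets imported
# back into the User Key Store.
sign_with_ca() {            # $1 = CA file prefix
  openssl x509 -req -in "$WORK/server.csr" -CA "$WORK/$1.crt" -CAkey "$WORK/$1.key" \
    -CAcreateserial -days 365 -sha256 -extfile "$WORK/server.ext" \
    -out "$WORK/server.crt" 2>/dev/null
}

# Classify a certificate against a trust store the way the shield icons do:
#   yellow    - self-signed (subject == issuer): unsigned server cert, or a root CA
#   green     - chains to a root CA present in the trust store
#   untrusted - neither; only a human-approved exception (Allowed Hosts) would admit it
shield_state() {            # $1 = certificate file, $2 = trust-store file
  subj=$(openssl x509 -in "$1" -noout -subject | sed 's/^subject=//')
  iss=$(openssl x509 -in "$1" -noout -issuer | sed 's/^issuer=//')
  if [ "$subj" = "$iss" ]; then
    echo yellow
  elif openssl verify -CAfile "$2" "$1" >/dev/null 2>&1; then
    echo green
  else
    echo untrusted
  fi
}

run_demo() {
  make_root_ca rootca "Example Building Root CA"
  make_root_ca otherca "Some Other Root CA"    # a CA that is NOT in our trust store
  make_server_csr jace-01.example.internal
  sign_with_ca rootca
  echo "root CA itself:          $(shield_state "$WORK/rootca.crt" "$WORK/rootca.crt")"
  echo "self-signed server cert: $(shield_state "$WORK/server-selfsigned.crt" "$WORK/rootca.crt")"
  echo "CA-signed server cert:   $(shield_state "$WORK/server.crt" "$WORK/rootca.crt")"
  echo "same cert, wrong trust:  $(shield_state "$WORK/server.crt" "$WORK/otherca.crt")"
}

run_demo
```

The last line of output is the case worth remembering: a correctly signed server certificate still shows as untrusted on any platform whose User Trust Store lacks the root CA certificate, which is why the chapter imports the root CA into each station's User Trust Store rather than only signing the server certificates.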

Getting all your PKI certificates configured up front should make life easier when you start configuring network devices. The Niagara Station Security Guide provides more detailed information about how PKI certificates work.