A company’s root CA certificate is a self-signed certificate. Companies that serve as their own CA use its private key to sign their intermediate, server, client and code-signing certificates. The root CA certificate resides in the Workbench Certificate Management User Key Store with both its public and private keys. You export it with only its public key so that you can import it into each platform/station’s User Trust Store.

Prerequisites: You have the required authority to create certificates. You are working in Workbench on a computer that is dedicated to certificate management, is not on the Internet or the company’s LAN, and is physically secure in a vault or other secure location.
- Access the Workbench Certificate Management view by clicking its icon.
The Certificate Management view opens to the User Key Store. This key store contains a default, self-signed tridium certificate. As of Niagara 4.13, the key store also contains the self-signed default certificate that is mainly used for recovery purposes and cannot be deleted.
- Confirm that you opened the Workbench User Key Store and click the New button at the bottom of the view.
NOTE: If you opened the platform/station Certificate Management view by mistake, you can still create a root CA certificate, but it will not be available to sign the other certificates.
The Generate Self Signed Certificate window opens. All certificates begin as self-signed certificates. Only the root CA certificate remains self-signed because it sits at the top of the certificate chain.
- Fill in the form and click OK.
  - Use Alias to identify this as a root certificate.
  - The Common Name (CN) becomes the Subject (also known as the Distinguished Name). For a root CA certificate, the Common Name (CN) may be the same as the Alias.
  - Organization should be the name of the company.
  - Although Locality and State/Province are not required and are arbitrary, leaving them blank generates a warning message.
  - The two-character Country Code is required and must be a known value, such as US, IN, CA, FR, DE or ES (refer to the ISO CODE column at countrycode.org).
  - Based on the Not Before and Not After dates, certificate validity defaults to a year. A longer period is not recommended and is not tolerated by some browsers. Changing to a new certificate annually, or even more often, makes it more likely that your certificate uses the latest cryptographic standards, and reduces the number of old, neglected certificates that can be stolen and re-used for phishing and drive-by malware attacks.
  - Key Size defaults to 2048. A larger key improves security and does not significantly affect communication time. Its only cost is a longer time to create the certificate initially.
  - For Certificate Usage, select CA.
The Private Key Password window opens.
- Enter and confirm a strong password, and click OK.
The system informs you that the certificate has been submitted. Soon the certificate appears behind the Info message in the User Key Store table.
- To continue, click OK.
The root CA certificate now exists with both its keys in the Workbench User Key Store. From this location you can use it to sign other certificates (intermediate, server, client and code-signing).
NOTE: Since this certificate is not signed by any higher certificate authority, it is always identified with an exclamation icon. As the self-signed certificate, it cannot be trusted. This is why you must protect the computer (and thumb drive) on which it resides by keeping the computer off the Internet and corporate LAN and, most securely, in a locked physical location.
For this certificate to authenticate the certificates it signs, you now need to export it with only its public key and import it into the User Trust Store of each client computer and platform/station.
- Select the new root CA certificate and click Export.
The Certificate Export window opens.
CAUTION: Do not click the check box to Export the private key. The only time you click this check box is when you are backing up the certificate to another location for safe keeping.
- To create the root CA certificate that will reside in each client’s User Trust Store, click OK.
The Certificate Export window opens with the file ready to export as a .pem file. Notice the Current Path. This is where the system stores the exported certificate.
- Navigate to a rootcert folder or location on a thumb drive, and click Save. The system reports that it exported the certificate successfully.
- To complete the export, click OK.
When exported with only its public key, the root CA certificate may be freely distributed. You are ready to manually import the root CA certificate with only its public key into the User Trust Store of the computer, usually a Supervisor (or engineering) computer, from which to install this certificate, either manually or with a provisioning job, in the User Trust Store of all remote platforms/stations.
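The same workflow, as an added example that is not part of the original page and does not use Workbench: it builds an equivalent root CA with OpenSSL (RSA 2048, one-year validity, password-protected private key, Certificate Usage = CA), exports the certificate alone to a rootcert folder, and then checks the exported .pem the way you should before distributing it: it must contain a certificate and no private key block, be marked CA:TRUE, and verify against itself as a self-signed certificate. The directory names, the DN values and the password are constructed placeholders.

```shell
#!/bin/sh
# Added example: reproduces the page's root CA workflow with OpenSSL instead of
# Workbench so the result can be inspected on the command line. All names,
# paths and the password below are constructed placeholders.
set -eu

CA_PASS="${CA_PASS:-changeme-placeholder}"   # stands in for the Private Key Password prompt

# Write the request config: the DN fields the form asks for, plus the v3
# extensions that make this a CA certificate (Certificate Usage = CA).
write_ca_config() {
  dir="$1"
  cat > "$dir/root-ca.cnf" <<'EOF'
[ req ]
prompt             = no
distinguished_name = dn
x509_extensions    = v3_ca

[ dn ]
CN = Example Root CA
O  = Example Company
L  = Example City
ST = Example State
C  = US

[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage         = critical, keyCertSign, cRLSign
EOF
}

# Generate the root CA: RSA 2048 key (the form's default), password-protected,
# self-signed, valid for one year. The files root-ca-key.pem and
# root-ca-cert.pem together play the role of the User Key Store entry.
make_root_ca() {
  dir="$1"
  mkdir -p "$dir"
  write_ca_config "$dir"
  openssl req -x509 -new -newkey rsa:2048 -days 365 \
    -config "$dir/root-ca.cnf" -extensions v3_ca \
    -keyout "$dir/root-ca-key.pem" -passout "pass:$CA_PASS" \
    -out "$dir/root-ca-cert.pem" >/dev/null 2>&1
}

# Export with only the public key: the certificate file alone goes to the
# rootcert folder. This is the file that may be freely distributed and
# imported into each User Trust Store; the key file never leaves the CA host.
export_public_only() {
  dir="$1"; out="$2"
  mkdir -p "$(dirname "$out")"
  cp "$dir/root-ca-cert.pem" "$out"
}

# Check an exported file before distributing it: it must contain a certificate
# and no private key, be marked CA:TRUE, and verify against itself
# (self-signed). Returns 0 when the file is a clean public-only export.
check_export() {
  f="$1"
  grep -q 'BEGIN CERTIFICATE' "$f" || return 1
  if grep -q 'PRIVATE KEY' "$f"; then return 1; fi
  openssl x509 -in "$f" -noout -text | grep -q 'CA:TRUE' || return 1
  openssl verify -CAfile "$f" "$f" >/dev/null 2>&1 || return 1
}

# Stand-alone entry point: `sh root-ca.sh run` builds, exports and checks.
if [ "${1:-}" = "run" ]; then
  make_root_ca ./ca-work
  export_public_only ./ca-work ./rootcert/root-ca.pem
  if check_export ./rootcert/root-ca.pem; then
    echo "rootcert/root-ca.pem: public-only root CA export, safe to distribute"
  else
    echo "rootcert/root-ca.pem: NOT a clean public-only export, do not distribute" >&2
    exit 1
  fi
fi
```

The check is the command-line counterpart of the CAUTION above: a file that also carries a PRIVATE KEY block (the result of ticking "Export the private key") fails `check_export`, while the certificate-only file passes. Keep the ca-work directory, like the Workbench key store, on the isolated certificate-management computer; only the rootcert copy is meant to travel.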