The procedures in this topic explain how to create a CA (root) certificate and a single intermediate certificate. The Workbench steps to create root and intermediate certificates are functionally the same. The content of each certificate is what differentiates them from one another.
The root certificate is a special case because it may be self-signed or signed by a third-party CA. If you are serving as your own CA, your root certificate is always self-signed. You use it to sign your intermediate certificates (or your JACE server certificates if you are not using intermediate certificates) and export it with only its public key for importing into each client Trust Store.
The topic covers creating the root and intermediate certificates, creating a CSR for each intermediate certificate, signing the intermediate certificates with the root certificate's private key, importing the signed certificates back into the Key Store, and exporting the root and intermediate certificates.
To protect the private keys involved, always perform these tasks on a computer that is disconnected from the internet and from the company network, and keep that computer in a secure physical location.
Create the root and intermediate certificates
If the Certificate Management view is not already displayed, open it from the Workbench Tools menu.
The Workbench Certificate Management view appears with the focus on the Key Store tab.
Check the title at the top of the Certificate Management view to ensure that you are viewing the Workbench Key Store and not a JACE Key Store.
The Workbench and platform/station stores are separate.
The certificate with the alias tridium that already appears in the Key Store was generated automatically when you started Workbench. It is a default self-signed server certificate, not a CA certificate.
Click the button for generating a new self-signed certificate.
The Generate Self Signed Certificate dialog appears.

Fill in the fields. Choose an Alias that identifies a root certificate by company and an intermediate certificate by geography or department, so the two are easy to tell apart later.
Common Name (CN) is one component of the certificate's Distinguished Name; it can be the same as the Alias.
The two-digit Country Code is required.
For more information about each field, see About the Generate Self-Signed Certificate dialog.
Select the CA Certificate property for Certificate Usage.
Click OK.
The system prompts you to create a password for the certificate’s private key.

This password protects the private key and is required when using the certificate to sign other certificates. Create strong passwords.
Type and confirm the private key password, and click OK.
To view the certificate, double-click it, or select it and click the view button.
An intermediate certificate should be recognizable from its Alias alone; including the word "intermediate" in the Alias is a good convention.
Confirm that the information is correct.
To change a certificate you just created, delete it and create a new one. Do not delete a certificate that is already in use.
When you have created your root certificate, repeat this procedure to create any intermediate certificates.
Create a CSR for the intermediate certificate
A Certificate Signing Request (CSR) prepares the intermediate certificate to be signed by the root certificate. You don’t need to create a CSR for the root certificate unless it will be signed by a third-party Certificate Authority.
Select the intermediate certificate you just created, and click the button that creates a certificate request.
The Certificate Request Info view appears.

Confirm that the certificate properties are correct and click OK.
Certificate Management prompts you for the private key password.

Type the password you defined when you created the certificate and click OK.
Select the folder for intermediate certificates you created in the planning step and click OK.
The certificate's Alias is used as the file name, with the extension .csr, and the Certificate Manager prompts you to complete the CSR by clicking OK.

To confirm completion, click OK.
Repeat this procedure for each intermediate certificate.
If an external Certificate Authority, such as VeriSign or Thawte, will sign your root certificate, follow the CSR submission procedure required by that CA. The CA verifies that you are who you claim to be, that the certificate is for a server your organization actually maintains, and other important information, and then returns the signed certificate to you.
Sign the intermediate certificate using the root certificate’s private key
This procedure uses the Workbench SSL tools and the root certificate you created to sign your intermediate certificates.
In Workbench, open the certificate signing tool from the Tools menu.
The Certificate Signing dialog appears.

Click the browse icon, then locate and open a CSR for an intermediate certificate you created.
The Certificate Signing dialog expands to show the certificate details.

Confirm that this is the intermediate certificate you created.
Select the date on which the certificate becomes effective (Not Before) and the date after which it expires (Not After).
Select the root certificate for CA Alias, type the root certificate’s private key password for CA Password, and click OK.
Signing is done by the private key of the root certificate, which is why the password you created for the root certificate’s private key is required.
Repeat this procedure for each intermediate CA certificate.
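The three procedures above (create the self-signed root, create the intermediate's CSR, sign the CSR with the root's private key) are the standard two-tier CA build-out, and the checks a practitioner wants after doing it in Workbench are the same ones a client performs with only the root's public certificate in its Trust Store. The following Go program is an added example, not Workbench code or anything from Tridium; it recreates the chain with the Go standard library so the checks can be run and read. The names (NewRootCA, NewCSR, SignIntermediate, VerifyChain, BuildChain, PublicPEM), the subject "Example Co", and the validity periods are assumptions chosen for illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// Chain holds the result of the procedure: both certificates and both private keys.
// Only the Root certificate (never RootKey) is what a client Trust Store receives.
type Chain struct {
	Root, Intermediate       *x509.Certificate
	RootKey, IntermediateKey *ecdsa.PrivateKey
}

// newKey generates a P-256 key pair; this stands in for Workbench's key generation.
func newKey() (*ecdsa.PrivateKey, error) { return ecdsa.GenerateKey(elliptic.P256(), rand.Reader) }

// NewRootCA creates a self-signed CA certificate, the equivalent of selecting
// "CA Certificate" for Certificate Usage in the Generate Self Signed Certificate dialog.
func NewRootCA(cn string, key *ecdsa.PrivateKey, notBefore time.Time, years int) (*x509.Certificate, error) {
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: cn, Organization: []string{"Example Co"}, Country: []string{"US"}}, // "Example Co" is a constructed value
		NotBefore:             notBefore,
		NotAfter:              notBefore.AddDate(years, 0, 0),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key) // parent == template: self-signed
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// NewCSR builds the intermediate's Certificate Signing Request. The CSR carries the
// intermediate's subject and public key, signed by its private key; the key itself never leaves.
func NewCSR(cn string, key *ecdsa.PrivateKey) ([]byte, error) {
	tmpl := &x509.CertificateRequest{Subject: pkix.Name{CommonName: cn, Organization: []string{"Example Co"}, Country: []string{"US"}}}
	return x509.CreateCertificateRequest(rand.Reader, tmpl, key)
}

// SignIntermediate does what the Certificate Signing dialog does: it takes the CSR, the root
// certificate, the root private key and the Not Before / Not After dates, and issues a CA
// certificate. MaxPathLenZero limits the intermediate to signing end-entity (server) certificates.
func SignIntermediate(csrDER []byte, root *x509.Certificate, rootKey *ecdsa.PrivateKey, notBefore, notAfter time.Time) (*x509.Certificate, error) {
	csr, err := x509.ParseCertificateRequest(csrDER)
	if err != nil {
		return nil, err
	}
	if err := csr.CheckSignature(); err != nil { // proof that the requester holds the CSR's private key
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(2),
		Subject:               csr.Subject,
		NotBefore:             notBefore,
		NotAfter:              notAfter,
		IsCA:                  true,
		BasicConstraintsValid: true,
		MaxPathLen:            0,
		MaxPathLenZero:        true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, root, csr.PublicKey, rootKey) // signed by the root's private key
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// VerifyChain is the client-side check: with only the root certificate in the Trust Store,
// does cert chain to it, and is it within its validity window at time "at"?
func VerifyChain(root, cert *x509.Certificate, at time.Time) error {
	roots := x509.NewCertPool()
	roots.AddCert(root)
	_, err := cert.Verify(x509.VerifyOptions{Roots: roots, CurrentTime: at, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
	return err
}

// PublicPEM is what gets exported for a client Trust Store: the certificate only, no private key.
func PublicPEM(c *x509.Certificate) string {
	return string(pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: c.Raw}))
}

// BuildChain runs the whole procedure: root (20 years), intermediate CSR, intermediate signed for 10 years.
func BuildChain(now time.Time) (*Chain, error) {
	rootKey, err := newKey()
	if err != nil {
		return nil, err
	}
	root, err := NewRootCA("Example Co Root CA", rootKey, now, 20)
	if err != nil {
		return nil, err
	}
	intKey, err := newKey()
	if err != nil {
		return nil, err
	}
	csr, err := NewCSR("Example Co Intermediate CA", intKey)
	if err != nil {
		return nil, err
	}
	inter, err := SignIntermediate(csr, root, rootKey, now, now.AddDate(10, 0, 0))
	if err != nil {
		return nil, err
	}
	return &Chain{Root: root, Intermediate: inter, RootKey: rootKey, IntermediateKey: intKey}, nil
}

func main() {
	ch, err := BuildChain(time.Now())
	if err != nil {
		panic(err)
	}
	if err := VerifyChain(ch.Root, ch.Intermediate, time.Now()); err != nil {
		panic(err)
	}
	fmt.Println("intermediate issued by:", ch.Intermediate.Issuer.CommonName)
	fmt.Print(PublicPEM(ch.Root)) // this, and only this, goes into each client Trust Store
}
```

Two points the code makes explicit that the dialogs leave implicit: the signer checks the CSR's own signature before issuing anything, so an attacker cannot get a certificate issued for a public key they do not control, and the intermediate is issued with a path length of zero so a compromised intermediate cannot mint further CAs. VerifyChain also fails outside the Not Before / Not After window, which is the same reason an expired intermediate in a JACE Key Store breaks every server certificate under it.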
Import the intermediate certificate back into the Key Store
The next step is to import the newly signed certificate back into the Key Store. This completes the process and changes the shield icon next to the certificate from yellow (with an exclamation mark) to green (with a check mark).
Open the Workbench Key Store (the Key Store tab of the Certificate Management view).
Click the import button, locate the intermediate certificate's .pem file, and open it.
The Certificate Manager asks you to supply and confirm the certificate’s password.

Enter the intermediate certificate’s private key password, confirm the password, and click OK.
If the Alias of the certificate you are importing is not the same as the Alias of the certificate you are replacing, the system prompts you for the Alias of the certificate to replace.
The certificate you import back into the Workbench Key Store must match the original Alias, because the Key Store pairs the signed certificate with the private key stored under that Alias. To view the contents of a certificate, select it in the Key Store and click the view button.
If needed enter the Alias.
The Certificate Import dialog appears.
Confirm that this is the certificate you expect and click OK.
The green shield icon appears next to the certificate Alias in the Key Store.
If your root certificate was signed by an external CA, follow this same procedure to import the signed root certificate back into the Workbench Key Store.
Repeat this procedure for each intermediate certificate.
Export the root and intermediate certificates
There are two reasons to export certificates:
To import the root certificate into the Trust Store of each client and browser.
To back up your root and intermediate certificates with their private keys.
On the Key Store tab, select the certificate and click the export button.
The system displays the Certificate Export dialog.

To back up a certificate with its private key, select the Export the private key check box and supply the private key password. Leave the check box cleared when exporting the root certificate for a client Trust Store, so that only the public certificate is written.
In addition to the private key password, an encryption password can be used to provide double-password protection. The default encryption password is the same as the private key password.
To use the additional protection, deselect Reuse password to encrypt private key under Encrypt exported private key and supply the additional encryption password.
To export the certificate, click OK, locate the root or intermediate certManagement folder and click Save.
The system reports that the export was successful.

To complete the action, click OK.
Copyright © 2000-2016 Tridium Inc. All rights reserved.