Set up the JACE and Supervisor server certificates

For each JACE, follow these procedures using Workbench running on a computer that is connected by a crossover cable to the JACE.

For each Supervisor station, disconnect the Supervisor station from the internet and company network before following these procedures.

Create new JACE and Supervisor server certificates

You need a server certificate for each JACE and Supervisor in the network. All signed server certificates reside in the specific server’s Key Store.

There are multiple ways to create a server certificate.

  • For each JACE, you can use the default server certificate that is automatically generated when you boot the JACE for the first time.

  • If you are connected to a JACE using a crossover cable, you can use PlatformServices to create a new server certificate.

  • Using Workbench on a secure computer, you can create a server certificate.

This procedure creates a new 2048-bit server certificate on a JACE.

  1. Launch Workbench and connect to the JACE station using Foxs.

    Note: Workbench issues warnings if you manage certificates over an unencrypted Fox connection.

  2. Locate the JACE station in the Nav tree and double-click CertManagerService under Config->Services->PlatformServices.

    The Certificate Management view appears with the focus on the Key Store tab.



  3. Check the title at the top of the Certificate Management view to ensure that you are viewing the JACE’s Key Store and not the Workbench Key Store (in this case “localhost”), then click .

    The Generate Self Signed Certificate dialog appears.



  4. Fill in the fields and click OK.

    Common Name (CN) is the same as Distinguished Name and can be the same as the Alias. Follow these recommendations:

    • Create a name that identifies the JACE. You might use the JACE’s IP address or a location code. Do not use the same Common Name that you also used for the root or intermediate certificates.

    • The Common Name should match the host name, which is how the server identifies itself. The IP address of the JACE or domain name may be an appropriate Alias and Common Name for a JACE. The Common Name becomes the Subject in the certificate.

    For more information, see About the Generate Self-Signed Certificate dialog.

    Note: Certificate Usage defaults to Server Certificate and Key Size defaults to 2048. A larger key takes longer to generate but improves security. If a third party will sign the certificate, consult your CA to determine the acceptable key size. Some CAs support a limited number of key sizes.

    A pop-up in the lower right corner indicates whether certificate creation succeeded or failed. Workbench displays an information message and adds the certificate to the Key Store.



  5. Click OK to close the Info message.

    The length of time it takes to generate the certificate depends on the key size and the platform. When finished, you will have a certificate and key pair (public and private keys).

  6. To view the certificate, double-click it or select it and click .

  7. Confirm that the information is correct.

    To change a certificate, you must delete it and create a new certificate.

Create a CSR for each server certificate

For each server certificate to be signed by an intermediate certificate (or the root certificate if your installation is small and does not require intermediate certificates), a Certificate Signing Request (CSR) is required. This procedure is the same if you are using the default server certificate or a server certificate that you created.

  1. While you are securely connected to the JACE and are viewing the station’s Key Store, select the certificate and click .

    The Certificate Request Info view appears.

  2. Confirm that the certificate properties are correct.

  3. To save the CSR, click OK, select the folder for server certificates on your computer, and click OK.

    The system uses the Alias as the file name, with the extension .csr. This file does not contain the certificate’s unique private key.

  4. Copy the CSR to a flash drive or store it on the laptop Workbench computer for transport to the secure, standalone Workbench computer that contains the root and intermediate certificates for signing.

  5. Copy the files into the certManagement folder.
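
Before signing, each CSR can be checked on the signing computer against the points made above: it carries no private key, the key is at least 2048 bits, and the Common Name is not one already used for a root or intermediate certificate. The script below is an added example, not vendor code; it assumes the exported .csr is PEM-encoded PKCS#10 and that the openssl command-line tool is installed, and the names check_csr and MIN_BITS are hypothetical.

```shell
#!/bin/sh
# Added example (not vendor code): pre-signing checks for a server CSR.
# Usage: sh check_csr.sh FILE.csr [Common Names already used by CA certs ...]
# Assumes a PEM-encoded PKCS#10 request and the openssl CLI.

MIN_BITS=2048   # key size created by the procedure on this page

check_csr() {
    csr=$1; shift

    # A CSR carries only the public key. A private key block means the
    # wrong file was exported or copied for transport.
    if grep -q -e '-----BEGIN .*PRIVATE KEY-----' "$csr"; then
        echo "FAIL: $csr contains a private key"; return 1
    fi

    # The request is self-signed by the server's private key. A valid
    # signature shows the body is intact and the requester holds that key;
    # it does not by itself prove which device produced the file.
    if ! openssl req -in "$csr" -noout -verify 2>&1 | grep -q 'verify OK'; then
        echo "FAIL: $csr does not parse or its self-signature is invalid"; return 1
    fi

    # Key size, read from the "Public-Key: (N bit)" line of the text dump.
    bits=$(openssl req -in "$csr" -noout -text |
           sed -n 's/.*Public-Key: (\([0-9][0-9]*\) bit).*/\1/p')
    if [ "${bits:-0}" -lt "$MIN_BITS" ]; then
        echo "FAIL: key is ${bits:-unknown} bits, need at least $MIN_BITS"; return 1
    fi

    # Common Name: must be present and must not repeat a CA certificate's CN.
    cn=$(openssl req -in "$csr" -noout -subject -nameopt multiline |
         sed -n 's/^ *commonName *= *//p')
    if [ -z "$cn" ]; then echo "FAIL: no Common Name in subject"; return 1; fi
    for used in "$@"; do
        if [ "$cn" = "$used" ]; then
            echo "FAIL: Common Name '$cn' is already used by a CA certificate"
            return 1
        fi
    done

    echo "OK: $csr CN='$cn' key=$bits bits"
}

if [ "$#" -gt 0 ]; then check_csr "$@"; fi
```

Pass the Common Names of your root and intermediate certificates as the extra arguments; a non-zero exit status means the request should not be signed as it stands.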