To set up a chain of trust you begin by creating a root CA certificate and a server certificate for each JACE and Supervisor. You may also require several intermediate CA certificates. For example, if your company has multiple locations, you may want an intermediate certificate for each location.
The first step is to create the root and intermediate certificates. If you use intermediate certificates, you probably have more than one. The illustrations show only one intermCACert for the sake of simplicity.
The Workbench stores are separate from each platform's and station's stores. You access the Workbench SSL tools by using a menu option. Click .
For the procedure, see Create the root and intermediate certificates.
The next step is to create one or more Supervisor certificates. You access the platform/JACE stores by double-clicking CertManagerService under PlatformServices in the station Nav tree.
For the procedure, see Create new JACE and Supervisor server certificates.
Finally, you create a certificate for each JACE. The tridium certificates you see in the Supervisor and JACE Key Stores are the default self-signed certificates that are created at initial station startup. Although the certificates are all named “tridium,” each is unique to the platform on which it was created. In their unsigned, default state these certificates do not provide server authentication, but they do provide encryption.
This example demonstrates creating server certificates for a Supervisor and JACE using 2048-bit keys, which are more secure than the 1024-bit keys of the default certificates.
To save space, the remainder of the illustrations do not show the tridium server certificate. After the new certificates are signed and imported, you will select them for each station. At that time you can delete the tridium certificates.
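The hierarchy described above can be reproduced and checked outside Workbench. This is an added example, not Tridium's procedure or tooling: it uses the openssl command line to build the same root, intermediate and server structure, then shows that the Supervisor and JACE certificates verify up to the root while a self-signed stand-in for a default tridium certificate does not. The names rootCACert, supervisorCert and jaceCert, the subjects and the lifetimes are assumptions.

```shell
#!/bin/sh
# Added example. Names, subjects and lifetimes are constructed; only
# "intermCACert" and "tridium" come from the text above.
D=$(mktemp -d)   # scratch directory for keys, CSRs and certificates

# Extension profiles: CA certificates may sign, server certificates may not.
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$D/ca.ext"
printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth\n' > "$D/server.ext"

# issue NAME BITS EXTFILE [ISSUER]: create a key and CSR, then sign with
# ISSUER's key, or self-sign when no ISSUER is given.
issue() {
  name=$1 bits=$2 ext=$3 issuer=${4:-}
  openssl req -new -newkey "rsa:$bits" -nodes -subj "/CN=$name" \
    -keyout "$D/$name.key" -out "$D/$name.csr" 2>/dev/null || return 1
  if [ -n "$issuer" ]; then
    signer="-CA $D/$issuer.pem -CAkey $D/$issuer.key -CAcreateserial"
  else
    signer="-signkey $D/$name.key"
  fi
  # $signer is intentionally unquoted so that it splits into options.
  openssl x509 -req -in "$D/$name.csr" $signer -sha256 -days 365 \
    -extfile "$D/$ext" -out "$D/$name.pem" 2>/dev/null
}

# chain_ok NAME: succeeds only if NAME verifies as a TLS server certificate
# through intermCACert up to the trusted rootCACert.
chain_ok() {
  openssl verify -purpose sslserver -CAfile "$D/rootCACert.pem" \
    -untrusted "$D/intermCACert.pem" "$D/$1.pem" >/dev/null 2>&1
}

# key_bits NAME: print the public key size of NAME's certificate.
key_bits() {
  openssl x509 -in "$D/$1.pem" -noout -text |
    sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p'
}

issue rootCACert 2048 ca.ext
issue intermCACert 2048 ca.ext rootCACert
issue supervisorCert 2048 server.ext intermCACert
issue jaceCert 2048 server.ext intermCACert
issue tridium 1024 server.ext   # stand-in for a default self-signed certificate

for c in supervisorCert jaceCert tridium; do
  if chain_ok "$c"; then r="chains to rootCACert"; else r="no chain of trust"; fi
  echo "$c: $(key_bits "$c")-bit key, $r"
done
```

The stand-in still carries a usable key pair, which is why a default certificate can encrypt traffic, but nothing a client trusts vouches for it, so it fails verification.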
Copyright © 2000-2016 Tridium Inc. All rights reserved.