Using an External Certificate Authority

Following are the three main steps required to obtain an SSL certificate from an external Certificate Authority (CA) and use it with CIMPLICITY. Follow these steps when requesting the initial certificate and again when renewing the certificate after it expires.

  1. Generate the Certificate Signing Request (CSR)
  2. Send the CSR to the CA and get the resulting server SSL certificate
  3. Process the SSL certificate for use in CIMPLICITY

To manually execute the batch files Generate_CSR.bat and process_server_cert.bat, the following parameters must be known:

  • InstallationPath - The path where CIMPLICITY is installed.
  • ConfigServicePortNumber, UABrowseServicePortNumber, and WsmServicePortNumber - The port numbers on which the microservices are running (WSM is the webspace-session-manager).
  • KeyPassPhraseFilePath (optional) - The path of a text file that contains the password protecting the private key.
  • ServerCertificateName - The name of the server certificate file (without the .crt/.key extension).
    Note: The default value of ServerCertificateName is server_cert. To use a different file name, also update the ssl_certificate and ssl_certificate_key variables in the nginx.conf file with the new values and restart the CIMPLICITYNGINX service.
  • PfxPassPhrase - The password to protect the generated .pfx server certificate.

To regenerate the SSL certificate, perform the following steps:

  1. Generate CSR
    1. In the command prompt, navigate to the path where Generate_CSR.bat is saved.
    2. Enter the following command in the command prompt.
      Generate_CSR.bat <InstallationPath> <CSRCertificateName> <PassPhraseFilePath(optional)>
      Example: Generate_CSR.bat "c:\Program Files (x86)\Proficy CIMPLICITY" server_cert
    3. Optional: To secure the private key with a password, add a password to a text file and save the file. Provide the file path in the command.
      Example: Generate_CSR.bat "c:\Program Files (x86)\Proficy CIMPLICITY" server_cert "c:\Passwords\password.txt"
    4. If the certificate signing request (.crt) file or the private key (.key) file already exists in the specified folder, you are notified and prompted to delete the files. Select Y to delete the existing files and create new files. Select N to exit.
    5. Enter the required details at the following prompts:
      Country Name (2 letter code) [AU]:
      State or Province Name (full name) [Some-State]:
      Locality Name (eg, city) []:
      Organization Name (eg, company) [Internet Widgits Pty Ltd]:
      Organizational Unit Name (eg, section) []:
      Common Name (e.g. server FQDN or YOUR name) []:
      Email Address []:
      Please enter the following 'extra' attributes to be sent with your certificate request
      A challenge password []:
      An optional company name []:

    6. Press Enter. The certificate signing request (.crt) file and the private key (.key) file are generated in the ScadaConfigPki folder in the installation path. (Example: C:\Program Files (x86)\Proficy\Proficy CIMPLICITY\ScadaConfigPki).
  2. Obtain SSL Certificate
    1. Send the certificate signing request (.csr) file to an external Certificate Authority (CA), such as VeriSign or DigiCert, and request a signed server certificate.
    2. Save the certificate (.crt) file returned by the CA in the ScadaConfigPki folder.
  3. Process SSL certificate
    1. In the command prompt, navigate to the path where process_server_cert.bat is saved.
    2. Enter the following command in the command prompt.
      process_server_cert.bat <InstallationPath> <CrtFileName> <ConfigServicePortNumber> <UABrowseServicePortNumber>  <KeyPassPhraseFilePath> <PfxPassPhrase> <WsmServicePortNumber>
      Example: process_server_cert.bat "c:\Program Files (x86)\Proficy CIMPLICITY" server_cert 4955 4956 c:\passwords\password.txt secret-pass-phrase 4957
      
      Where:
      • <CrtFileName> is the name of the .crt/.key files without the .crt or .key extension.
      • <KeyPassPhraseFilePath> is the file that contains the pass phrase protecting the .key file. This is the same pass phrase file used in the Generate_CSR.bat command.
      • <PfxPassPhrase> is the pass phrase that will be used to protect the generated .pfx file. This is the pass phrase itself, not a path to a pass phrase file.
  4. Verify SSL certificate
    1. Launch Scada Web Config from CIMPLICITY Workbench.
    2. Select , and then select Certificate.
    3. Verify the Certificate Information. It should match the information provided in Step 1.
    Note: If the certificate is not updated, you may have to perform the following steps and re-launch Scada Web Config:
    • Clear the browser cache.
    • Restart the following:
      • CIMPLICITY Configuration Microservice
      • OPC UA Browser Microservice
      • Webspace Session Manager Microservice
      • CIMPLICITY NGINX Server
    • Update the proxy settings to exclude the server on which the SSL certificate is hosted.
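The Scada Web Config check in step 4 only shows what the browser received. The following PowerShell script is an added example, not part of the CIMPLICITY documentation or of its batch files, that verifies the files produced by the procedure above before the services are restarted. It assumes that the .crt, .key and generated .pfx all sit in the ScadaConfigPki folder, that $CertName is the ServerCertificateName passed to both batch files, that $PfxPassPhrase is the PfxPassPhrase given to process_server_cert.bat, that $ExpectedFqdn is the Common Name entered in the CSR, and, optionally, that $NginxConf is the path of the nginx.conf used by the CIMPLICITYNGINX service (covering the note on ServerCertificateName above).

```powershell
# Added verification script (example code, not part of CIMPLICITY).
# Assumptions are listed in the parameters below; the default folder is the
# ScadaConfigPki example path from the procedure.
param(
    [string]$PkiFolder = 'C:\Program Files (x86)\Proficy\Proficy CIMPLICITY\ScadaConfigPki',
    [string]$CertName = 'server_cert',                       # ServerCertificateName
    [Parameter(Mandatory = $true)][string]$PfxPassPhrase,    # PfxPassPhrase given to process_server_cert.bat
    [Parameter(Mandatory = $true)][string]$ExpectedFqdn,     # Common Name entered in the CSR
    [string]$NginxConf                                       # optional: path of nginx.conf (assumed location)
)

$ErrorActionPreference = 'Stop'
$failures = New-Object System.Collections.Generic.List[string]

$crtPath = Join-Path $PkiFolder "$CertName.crt"
$keyPath = Join-Path $PkiFolder "$CertName.key"
$pfxPath = Join-Path $PkiFolder "$CertName.pfx"   # assumed: .pfx is written next to the .crt/.key

foreach ($p in $crtPath, $keyPath, $pfxPath) {
    if (-not (Test-Path -LiteralPath $p)) { $failures.Add("missing file: $p") }
}
if ($failures.Count -gt 0) { $failures | ForEach-Object { Write-Host "FAIL: $_" }; exit 1 }

# Load the CA-issued certificate and the certificate+key bundle. Opening the .pfx
# with the wrong pass phrase throws, which is itself a useful result.
$crt = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($crtPath)
$pfx = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($pfxPath, $PfxPassPhrase)

# 1. The name in the certificate (SAN, or CN when there is no SAN) must be the
#    name clients connect to; otherwise every browser will show a name mismatch.
$dnsName = $crt.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::DnsName, $false)
if ($dnsName -ne $ExpectedFqdn) { $failures.Add("name mismatch: certificate is for '$dnsName', expected '$ExpectedFqdn'") }

# 2. Validity window, with an early warning so the renewal is planned.
$now = Get-Date
if ($now -lt $crt.NotBefore -or $now -gt $crt.NotAfter) {
    $failures.Add("certificate is not valid now (NotBefore=$($crt.NotBefore), NotAfter=$($crt.NotAfter))")
} elseif ($crt.NotAfter -lt $now.AddDays(30)) {
    Write-Host "WARN: certificate expires on $($crt.NotAfter); plan the renewal"
}

# 3. Issued by the external CA, not a leftover self-signed certificate.
if ($crt.Subject -eq $crt.Issuer) { $failures.Add("certificate is self-signed; it was not issued by the CA") }

# 4. The .pfx must carry the same certificate as the .crt and include the private key.
if ($pfx.Thumbprint -ne $crt.Thumbprint) { $failures.Add("the .pfx holds a different certificate ($($pfx.Thumbprint)) than the .crt ($($crt.Thumbprint))") }
if (-not $pfx.HasPrivateKey) { $failures.Add("the .pfx does not contain the private key") }

# 5. The CA chain must build to a root trusted on this server; intermediates
#    missing here are the usual reason clients reject an otherwise good certificate.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
if (-not $chain.Build($crt)) {
    $status = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
    $failures.Add("chain does not build to a trusted root: $status")
}

# 6. nginx.conf must reference the same file name, or NGINX keeps serving the old certificate.
if ($NginxConf) {
    $conf = Get-Content -LiteralPath $NginxConf -Raw
    $expected = @{ ssl_certificate = 'crt'; ssl_certificate_key = 'key' }
    foreach ($directive in $expected.Keys) {
        $m = [regex]::Match($conf, "(?m)^\s*$directive\s+(\S+?)\s*;")
        if (-not $m.Success) { $failures.Add("nginx.conf has no $directive directive"); continue }
        $value = $m.Groups[1].Value.Trim('"', "'")
        $want = "$CertName.$($expected[$directive])"
        if ([IO.Path]::GetFileName($value) -ne $want) { $failures.Add("nginx.conf $directive is '$value', expected a file named $want") }
    }
}

if ($failures.Count -eq 0) {
    Write-Host "OK: $CertName is for '$ExpectedFqdn', CA-issued, chains to a trusted root, and the .pfx carries its private key"
    exit 0
}
$failures | ForEach-Object { Write-Host "FAIL: $_" }
exit 1
```

Run it from an elevated PowerShell prompt on the CIMPLICITY server, for example `.\Verify-ServerCert.ps1 -PfxPassPhrase 'secret-pass-phrase' -ExpectedFqdn scada01.example.local -NginxConf 'C:\path\to\nginx.conf'` (the script file name and the nginx.conf path are placeholders). Revocation checking is disabled so the check also works on an isolated control network; re-enable it by removing the RevocationMode line if the server has CRL or OCSP access. A non-zero exit code lists every failed check, so the script can be wired into the renewal runbook rather than relying on a manual look at Scada Web Config.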