Troubleshooting Historian Server Certificates

Be aware of the following when working with certificates in Historian:

  • When you install Historian, you are presented with three install types: Historian Single Server, Historian Mirror Primary Server, and Historian Distributed/Mirror Node. The MTLS protocol and certificate-based security are enabled by default for all install types. If you are installing a Historian Single Server or the Historian Mirror Primary Server, the installer configures the security settings automatically. However, if you are installing a Historian Distributed/Mirror Node, you must configure the security settings manually after installation.
  • You will need to follow the same procedure for installing certificates when certificates expire in the future.
  • Prior to adding any new root certificate to the “Trusted Root Certification Authorities” store, it’s a better practice to remove an existing root certificate from the store first.
  • After the root certificates are added to the “Trusted Root Certification Authorities,” all core services need to be restarted.
  • If MTLS authentication fails due to a mismatch in certificates, improperly generated certificates, expired certificates, or any other issue related to certificates, the core Historian services do not stop. These services remain in a running state, but the trusted connections among them fail. In this scenario, client tools sometimes cannot connect to the services at all. Sometimes client tools connect to Client Manager but cannot perform any operations on the Historian server; they simply show the “Not Connected” error.
  • After trusted connections among core Historian services succeed, they will be in the same trusted state until these services are stopped or restarted.
  • It is strongly recommended to provide the same expiration date (in the Number of days field) for the root certificate and all other core services certificates.
  • If you forget to install the certificates, some of your core Historian services may not start after you complete your Historian install or upgrade.
  • If you do not provide the same root certificate password while creating other services certificates, the MTLSCertificatesInstaller.exe tool returns a "Wrong Password" error.
  • To see any specific errors that may be caused by certificate-based security, you need to enable full debugging by adding the “FF” hexadecimal value to the DEBUGMODE registry as shown in the following figure.
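
Several of the conditions listed above (expired certificates, an old root certificate left in the store, and differing expiration dates) can be checked directly against the Windows certificate stores. The following PowerShell script is an added example, not part of the Historian documentation or tooling. The subject filter is a placeholder, and the assumption that the service certificates are in the LocalMachine\My store is not confirmed by this page.

```powershell
# Added example: audit certificate-store conditions that break MTLS trust.
# ASSUMPTIONS (not from the Historian documentation): $SubjectLike is a
# placeholder filter, and service certificates are assumed to be in LocalMachine\My.
param(
    [string]$SubjectLike  = '*<historian-cert-subject-placeholder>*',
    [string]$ServiceStore = 'Cert:\LocalMachine\My',
    [int]$WarnDays        = 30
)

$now   = Get-Date
$roots = @(Get-ChildItem -Path 'Cert:\LocalMachine\Root' |
           Where-Object { $_.Subject -like $SubjectLike })
$svcs  = @(Get-ChildItem -Path $ServiceStore |
           Where-Object { $_.Subject -like $SubjectLike })
$all   = @($roots + $svcs)
$findings = New-Object System.Collections.Generic.List[string]

if ($all.Count -eq 0) { $findings.Add("No certificates matched filter '$SubjectLike'") }

# An older root left beside a new one: same subject, different thumbprints.
$roots | Group-Object Subject | Where-Object { $_.Count -gt 1 } | ForEach-Object {
    $findings.Add("Multiple roots for '$($_.Name)': " +
                  (($_.Group | ForEach-Object Thumbprint) -join ', '))
}

# Expired, not yet valid, or expiring within $WarnDays.
foreach ($c in $all) {
    if     ($c.NotAfter  -lt $now) { $findings.Add("Expired $($c.NotAfter): $($c.Subject)") }
    elseif ($c.NotBefore -gt $now) { $findings.Add("Not valid until $($c.NotBefore): $($c.Subject)") }
    elseif ($c.NotAfter  -lt $now.AddDays($WarnDays)) {
        $findings.Add("Expires $($c.NotAfter): $($c.Subject)")
    }
}

# Service certificate whose issuer is not among the matching trusted roots.
foreach ($c in $svcs) {
    if ($roots.Subject -notcontains $c.Issuer) {
        $findings.Add("Issuer not in Trusted Root store: $($c.Subject) (issuer $($c.Issuer))")
    }
}

# Root and service certificates should share one expiration date.
$dates = @($all | ForEach-Object { $_.NotAfter.Date } | Sort-Object -Unique)
if ($dates.Count -gt 1) { $findings.Add('Expiration dates differ: ' + ($dates -join '; ')) }

if ($findings.Count -eq 0) { 'No certificate issues found for the given filter.' } else { $findings }
```

Because running services keep their existing trusted state until they are stopped or restarted, a clean result here reflects what the services will see at their next restart, not necessarily the state of their current connections.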