Install Certificates for Proficy Historian

About this task

This topic describes how to install root certificates and the certificates for core services, for use with the MTLS feature for Proficy Historian.

Installing Root Certificates

Important: When you install Historian, you are presented with three install types: Historian Single Server, Historian Mirror Primary Server, and Historian Distributed/Mirror Node. The MTLS protocol and certificate-based security is enabled by default for all install types. If you are installing a Historian Single Server or the Historian Mirror Primary Server, the security settings will be automatically configured by the installer. However, if you are installing a Historian Distributed/Mirror Node, you must configure the security settings manually after installation. Use the following steps to configure your security settings.
After installing the Historian Distributed/Mirror Node, you need to generate a root certificate. Run the CreateRootCertificate.exe utility (located in the MTLS folder in the Historian install folder) from a command prompt with Administrator privileges, as described in the following steps.

Procedure

  1. Right-click the Command Prompt, and select Run as Administrator.
  2. Navigate to the MTLS folder in the Historian installed path. For example:
    cd C:\Program Files\Proficy\Proficy Historian\MTLS
  3. Run the CreateRootCertificate.exe command using the following arguments:
    Argument: EnableMTLS
    Description: Specifies whether MTLS is enabled. If you do not specify a value, the MTLS feature is enabled by default (set to 1):
    • 0 – MTLS feature is disabled
    • 1 – MTLS feature is enabled
    For example, if you want to disable the certificate-based security, simply pass “0” to the tool.

    Argument: Password
    Description: Specifies the word or phrase that you use to protect your certificate. The Password argument is mandatory, whereas Number of Days is optional. An example Passphrase is: P@55w0rd.

    Argument: Number of Days
    Description: Optional. Specifies the Number of Days for the root certificate to be valid. After the specified days, the certificate validity expires. If you do not pass any value for Number of Days, the setting defaults to 365 days. For example, if the Number of Days is 3650, the certificate is valid for 10 years from the generated date.

    Note: If you fail to pass any values on the command line, the command will fail to create the root certificate.

    The following is an example of the command-line. In this example, MTLS is enabled, the passphrase is P@55w0rd, and the certificate will be valid for 3650 days (10 years):

    C:\Program Files\Proficy\Proficy Historian\MTLS>CreateRootCertificate.exe 1 P@55w0rd 3650
  4. After executing CreateRootCertificate.exe, locate the root keys generated in the same MTLS folder:
    • ica_key.pfx – Password-protected certificate that contains the private key used to sign the core services certificates.
    • ica_key.cer – Root certificate that contains the public key and the other attributes of the certificate.

      The following figure shows examples of the root certificates.

      After generating the root certificate, this certificate needs to be added to the “Trusted Root Certification Authorities” certificate store on the Local Machine.

  5. Double-click the ica_key.cer file. The certificate dialog appears as shown in the following figure.
  6. Select Install Certificate to launch the Certificate Import Wizard.
  7. Click Next to continue. The Certificate Import Wizard appears as shown in the following figure.
  8. Select Local Machine and click Next to continue. The following screen appears.
  9. Select Place all certificates in the following store, and click Browse to display the list of stores from where Trusted Root Certification Authorities can be selected.
  10. Select the Trusted Root Certification Authorities, and click OK. The following dialog box appears.
  11. Click Next to continue. The Completing the Certificate Import Wizard appears.
  12. Click Finish to add the certificate to the Trusted Root Certification Authorities. When the import succeeds, the “The import was successful” message appears.
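The wizard steps above can also be scripted, which helps when several Distributed/Mirror Nodes need the same configuration. The following PowerShell is an added example, not part of the original procedure or the vendor tooling: it inspects ica_key.cer before trusting it, imports it into the Local Machine Trusted Root store, and confirms the result by thumbprint. It assumes an elevated PowerShell session, the built-in PKI module (Import-Certificate), and the example install path used on this page.

```powershell
# Added example: scripted equivalent of the Certificate Import Wizard steps.
# Assumption: the install path matches the example path shown on this page.
$mtlsDir  = 'C:\Program Files\Proficy\Proficy Historian\MTLS'
$rootPath = Join-Path $mtlsDir 'ica_key.cer'

# Load the public certificate and inspect it before adding it as a trust anchor.
$root = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($rootPath)

# A root certificate is self-signed, so Subject and Issuer must be identical.
if ($root.Subject -ne $root.Issuer) {
    throw "ica_key.cer is not self-signed (Subject '$($root.Subject)', Issuer '$($root.Issuer)')"
}

# Refuse to trust a certificate that is already outside its validity period.
$now = Get-Date
if ($now -lt $root.NotBefore -or $now -gt $root.NotAfter) {
    throw "ica_key.cer is not currently valid ($($root.NotBefore) to $($root.NotAfter))"
}

"Subject    : $($root.Subject)"
"Thumbprint : $($root.Thumbprint)"
"Valid until: $($root.NotAfter)"

# Same destination the wizard uses:
# Local Machine > Trusted Root Certification Authorities.
Import-Certificate -FilePath $rootPath -CertStoreLocation Cert:\LocalMachine\Root | Out-Null

# Confirm the import by looking the certificate up by thumbprint.
$installed = Get-ChildItem Cert:\LocalMachine\Root |
    Where-Object { $_.Thumbprint -eq $root.Thumbprint }
if (-not $installed) {
    throw 'Root certificate was not found in LocalMachine\Root after import'
}
'Root certificate is present in LocalMachine\Root'
```

Record the printed thumbprint; it identifies the exact root that was trusted on this node.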

Installing Certificates for Core Services

To generate certificates for the core services, run the MTLSCertificatesInstall.exe utility from a command prompt with Administrator privileges.

Procedure

  1. Launch the utility from a command prompt with Administrator privileges. For example:
    "C:\Program Files\Proficy\Proficy Historian\MTLS\MTLSCertificatesInstall.exe" P@55w0rd 3650

    The MTLSCertificatesInstall.exe utility takes the following arguments:

    Argument: Password
    Description: Specifies the word or phrase that you use to protect your certificate. The Password argument is mandatory, whereas Number of Days is optional. An example Passphrase is: P@55w0rd.
    Note: You must use the same Password that you used when creating the root certificate, so that the same value is passed to both executables. The MTLSCertificatesInstall.exe utility uses this password to open the root certificate private key (ica_key.pfx) and sign the core services certificates.

    Argument: Number of Days
    Description: Optional. Specifies the Number of Days for the root certificate to be valid. After the specified days, the certificate validity expires. If you do not pass any value for Number of Days, the setting defaults to 365 days. For example, if the Number of Days is 3650, the certificate is valid for 10 years from the generated date.

    For each service, two certificates will be generated as shown in the following figure:

  2. Double-click each service .cer file as shown in the following figure, and check whether each generated certificate has a valid root certificate chain.
  3. After all required certificates are generated, restart the core Historian services. Without valid certificates, core services cannot establish connections to each other.
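The chain check in step 2 can be run over all service certificates at once before the services are restarted. The following PowerShell is an added example, not vendor tooling: it builds the chain for each .cer file and confirms that it validates and terminates at the ica_key.cer root. It assumes the service .cer files are written to the same MTLS folder as the root certificate (the page does not state their location) and that the locally generated root publishes no revocation list, so revocation checking is turned off.

```powershell
# Added example: verify that every service certificate chains to the Historian root.
# Assumptions: example install path from this page; service .cer files are in the MTLS folder.
$mtlsDir   = 'C:\Program Files\Proficy\Proficy Historian\MTLS'
$x509Type  = 'System.Security.Cryptography.X509Certificates.X509Certificate2'
$rootThumb = (New-Object $x509Type((Join-Path $mtlsDir 'ica_key.cer'))).Thumbprint

$serviceFiles = Get-ChildItem -Path $mtlsDir -Filter *.cer |
    Where-Object { $_.Name -ne 'ica_key.cer' }

$results = foreach ($file in $serviceFiles) {
    $cert  = New-Object $x509Type($file.FullName)
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain

    # Assumption: no CRL is published for the locally generated root.
    $chain.ChainPolicy.RevocationMode =
        [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck

    $valid = $chain.Build($cert)

    # The last chain element is the trust anchor that Windows selected.
    $anchor = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate

    [pscustomobject]@{
        File           = $file.Name
        ChainValid     = $valid
        AnchoredAtRoot = ($anchor.Thumbprint -eq $rootThumb)
        NotAfter       = $cert.NotAfter
        Status         = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
    }
}

$results | Format-Table -AutoSize

# Stop here if any certificate fails, since core services cannot connect without valid certificates.
$bad = $results | Where-Object { -not ($_.ChainValid -and $_.AnchoredAtRoot) }
if ($bad) {
    throw "Certificates with an invalid chain: $(($bad | ForEach-Object { $_.File }) -join ', ')"
}
'All service certificates chain to ica_key.cer'
```

A Status of UntrustedRoot usually means the root certificate has not yet been imported into the Trusted Root Certification Authorities store on this machine.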