Using Signing Service on remote station

The following section describes the high-level Signing Service workflow on a remote station.
Prerequisites:
  • Niagara 4.13 or later, with the signingService-rt module installed.
  • The Signing Service is pre-configured on at least one (other) remote station.
  • Each remote station intending to use the Signing Service is required to have an active Niagara Network connection to the Supervisor station that hosts the service.
Perform the following steps:
  1. Install a requesting component on the station (see “Installing a Signing Requester”).
  2. Expand the Signing Requester configuration and select the name of the Supervisor that contains the service in the Signing Service station property.
  3. You can now invoke the Onboard action and enter a comment to help the admin user on the Supervisor approve your request.
    If successful, the status will change to Approval In Progress. The Signing Requester will now communicate with the Signing Service Transport and generate a session token.
  4. On the Supervisor, an admin user navigates to the Session Token Store for the Fox Signing Transport and inspects the request metadata and comment, then decides to approve or reject the request.
    Once an admin user of the Signing Service has approved your session token, the requesting component will generate and store a CSR locally, and submit this to the Signing Service. It will receive back a signed certificate, which is then stored in the main station’s Certificate Management > User Key Store. The system will attempt to automatically renew prior to expiry.
    NOTE: The exact steps may differ with future transport implementations. See the specific component documentation for these.

Renewal will be automatically attempted prior to the certificate’s expiration according to the Advance Renewal Percent value. This defaults to 8%, so that an annual certificate will automatically attempt to renew approximately one month in advance of expiration. On success, the existing certificate is replaced in the User Key Store. Approval is not required for renewal, because the existing certificate is used to authenticate to the service. However, if renewal fails before the existing certificate expires, you will need to manually repeat the Onboard action for the component. You can also manually invoke the Renew action to force an attempt.

An alarm will be generated on the local station for certificates that have failed a renewal attempt. The component will continue to schedule new renewal attempts in the case of a failure according to the Retry Period.

Some possible causes for onboarding failure include:

  • The request was rejected by the admin user on the Signing Service.
  • The request was not approved in time.
  • The CSR failed validation due to an incorrect value.
  • A configuration error in the Signing Profile, for example, an incorrect CA password.
  • Signing Service Station property was not populated.
  • Communications failure with the Supervisor. Is the Niagara network connection functioning?
  • A certificate alias conflict, whereby an active certificate with matching alias exists in the local key store during onboarding. In this instance, the certificate will be overwritten only if it has expired, and the password for the certificate matches. When using the Individual Signing Cert Config or Combined Signing Cert Config components, the existing certificate will be overwritten if the password matches, even if the current certificate has not expired.
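The renewal scheduling and alias-conflict rules described above, modelled as an added example (this is illustrative code, not the Niagara Signing Requester implementation). The 8% default is from the page; the 6-hour Retry Period and the certificate dates are constructed sample values.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

UTC = timezone.utc
# Default from the page: renew once 8% of the validity period remains.
DEFAULT_ADVANCE_RENEWAL_PERCENT = 8
# Assumed sample value; the page does not state a default Retry Period.
SAMPLE_RETRY_PERIOD = timedelta(hours=6)


@dataclass
class Cert:
    alias: str
    not_before: datetime
    not_after: datetime


def renewal_start(cert, advance_percent=DEFAULT_ADVANCE_RENEWAL_PERCENT):
    """First instant at which automatic renewal is attempted.

    The advance is a percentage of the whole validity period, so a
    365-day certificate with 8% renews about 29 days before expiry.
    """
    validity = cert.not_after - cert.not_before
    return cert.not_after - validity * advance_percent / 100


def next_step(cert, now, last_failure=None, retry_period=SAMPLE_RETRY_PERIOD,
              advance_percent=DEFAULT_ADVANCE_RENEWAL_PERCENT):
    """What the requester should do at 'now': idle, renew, wait or onboard."""
    if now >= cert.not_after:
        # An expired certificate can no longer authenticate to the
        # service, so renewal is impossible and Onboard must be repeated.
        return "onboard"
    if now < renewal_start(cert, advance_percent):
        return "idle"
    if last_failure is not None and now < last_failure + retry_period:
        # A failed attempt has raised an alarm; the next attempt is
        # scheduled one Retry Period after the failure.
        return "wait"
    return "renew"


def may_overwrite_alias(existing, now, password_matches, signing_cert_config=False):
    """Alias-conflict rule during onboarding.

    Default: overwrite only an expired certificate whose password matches.
    Individual/Combined Signing Cert Config: a matching password suffices.
    """
    if not password_matches:
        return False
    if signing_cert_config:
        return True
    return now >= existing.not_after
```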