Installing Signing Requester using provisioning job step

Prerequisites:
  • Each target station is connected to a Niagara network.
  • A reciprocal Niagara network connection already exists between the target station and the Signing Service station, and also the station running the provisioning job step if it is a different station. If you have not yet established these reciprocal connections, there are other existing provisioning job steps that can help you with the setup.
  • You have installed and configured the Signing Service and profile(s) with a CA certificate.
Perform the following steps:
  1. To help bootstrap the Niagara network connections, some of the following provisioning steps may be run prior to or as part of the same provisioning job step:
  2. Set the credentials for the station connection. For more information, see “Install Certificate” in the Niagara Provisioning Guide.
  3. Enable bootstrap mode, which allows a temporary Supervisor-to-device connection using a certificate exemption for the device’s self-signed certificate. For more information, see “Enable Bootstrap Mode” in the Niagara Provisioning Guide.
  4. Install certificate, which can be used to copy a certificate from the User Trust Store of the Supervisor to each station.
    Copying the CA or Intermediate CA that signed the Supervisor’s Fox Server certificate means that no approval of the connection is required on the remote controller. If the CA has been signed by a well-known external CA that pre-exists in the System Trust Store, this step is not required. Ensure that the Common Name of the Supervisor’s Fox Certificate matches the IP/hostname used to connect back.
    For more information, see “Install Certificate” in the Niagara Provisioning Guide.
  5. Set up reciprocal connection, which establishes the Niagara network connection from the remote device back to the Supervisor. For more information, see “Set up Reciprocal Connection” in the Niagara Provisioning Guide.
    A single provisioning procedure is not explained here, as this may vary depending on what assets already exist on the remote station.
  6. Install Individual Signed Cert Job Step:
  7. From the Target Type To Perform Install drop-down list, select the individual component type that you want to target on the remote station.
    • To reduce the search scope for target components, you can use the Optional Remote Target Base Ord. A null value results in a search of the entire station.
    • Optionally, in Auto Cert Alias Format, you can override the alias for generated certificates, or leave it blank to accept the default.
    • For the Auto Cert Password property, it is recommended to enter a password to secure the signing certificates.
    • The Signing Service Onboarding Comment is presented to the admin user who approves the process in the Signing Service’s Fox Transport. Consequently, enter a comment that identifies why a signed certificate is required. If you leave the default value, an auto-generated comment with details about the requesting component is used.
    • The Behavior If Config Already Exists property allows you to decide how the step should behave if the config already exists on a given target component: you can choose if you want to skip, overwrite, just invoke the onboard, or renew action on the existing config.
  8. Install Combined Signed Cert Job Step
  9. Select which of the three core services you want to associate with the signed certificate by setting them to true. This step is very similar to Install Individual Signed Cert Job Step with the exception that the default alias here is pre-populated with a suggested format.
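
A pre-flight check for the Install Certificate step above, as an added example that is not part of the Niagara documentation: it confirms that the Supervisor's Fox Server certificate verifies against the CA being copied to the stations and that its Common Name equals the IP/hostname used to connect back. It assumes both certificates have been exported as PEM files and that `openssl` is installed; the function names, file names and host name are hypothetical, and the certificates are throwaway ones constructed by the script.

```shell
#!/bin/sh
# Added example. Function, file and host names are hypothetical; the
# certificates are throwaway ones constructed below, not real Niagara exports.

# Print the subject Common Name of a PEM certificate.
cert_cn() {
    openssl x509 -in "$1" -noout -subject -nameopt multiline |
        sed -n 's/^ *commonName *= *//p' | head -n 1
}

# Return 0 only if <server.pem> verifies against <ca.pem> and its Common
# Name equals the host name or IP the remote station connects back to.
preflight_fox_cert() {
    server=$1; ca=$2; host=$3
    if ! openssl verify -CAfile "$ca" "$server" >/dev/null 2>&1; then
        echo "FAIL: $server does not chain to $ca" >&2
        return 1
    fi
    cn=$(cert_cn "$server" | tr '[:upper:]' '[:lower:]')
    want=$(printf '%s' "$host" | tr '[:upper:]' '[:lower:]')
    if [ "$cn" != "$want" ]; then
        echo "FAIL: CN '$cn' does not match connect-back address '$want'" >&2
        return 1
    fi
    echo "OK: chain verifies and CN '$cn' matches"
}

# Constructed sample input: a test CA and a server certificate it signs.
make_constructed_pki() {
    d=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Constructed Test CA" \
        -keyout "$d/ca.key" -out "$d/ca.pem" 2>/dev/null &&
    openssl req -newkey rsa:2048 -nodes -subj "/CN=supervisor.example.test" \
        -keyout "$d/srv.key" -out "$d/srv.csr" 2>/dev/null &&
    openssl x509 -req -in "$d/srv.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
        -CAcreateserial -days 1 -out "$d/srv.pem" 2>/dev/null
}

demo=$(mktemp -d)
make_constructed_pki "$demo"
preflight_fox_cert "$demo/srv.pem" "$demo/ca.pem" supervisor.example.test
preflight_fox_cert "$demo/srv.pem" "$demo/ca.pem" 192.0.2.10 || true
rm -rf "$demo"
```

The second call fails on purpose: a station configured to connect back by IP address needs a certificate whose Common Name is that address.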