Each Supervisor PC, engineering laptop, remote controller,
and remote station requires a server certificate for those times when
it functions as a server. If it is important to you for each certificate
to identify the Locality and State, use this procedure to make a new
certificate for each server.
You have the required authority to create and manage certificates.
You are either running Workbench on your PC or laptop, or are connected to the remote controller on which you are creating the certificate.
Tip: While not a requirement when creating a remote server certificate, as a best practice, you should disconnect both your computer and the controller platform from the Internet and company LAN, then connect your Workbench computer to the platform using a crossover cable.
- To open the certificate stores, do one of the following in the Nav tree:
  - Expand Platform and double-click Certificate Management.
  - Expand and double-click CertManagerService.
Both steps open the same stores. Which to use depends on how you are connected to the platform/station.
- Confirm that the title at the top of the view identifies
the host for which you are creating the server certificate. For a
remote controller, this is the IP address.
- Click the New button at the bottom of the view.
The Generate Self Signed Certificate window opens.

- Give the certificate at least an Alias, Common Name (CN), Organization, Locality, State/Province, and Country Code.
Use Alias to identify this as a server certificate, including in the name the company, geography or department.
Common Name (CN) should be the same as the host name, which is how a server identifies itself. The common name becomes the Subject (also known as the Distinguished Name). The IP address of a controller or its Fully Qualified Domain Name (FQDN) are appropriate Alias and Common Names for a remote controller or Supervisor station.
An FQDN is the Hostname plus the Primary Dns Suffix. For a computer, you can see this name in My Computer Properties: “Full computer name.” For a controller, there is no good place to see this name, but it would be something like: mycontroller.mydomain.com or mycontroller.mydomain.net.
Note: Do not use the same name for the Common Name (CN) of a server certificate that you use for a root or intermediate certificate’s Common Name (CN).
Although Locality and State/Province are not required and are arbitrary, leaving them blank generates a warning message. Third-party CAs may not sign certificates without these properties defined.
The two-character Country Code is required and must be a known value, such as: US, IN, CA, FR, DE, ES, etc. (refer to the ISO CODE column at countrycode.org).
Not Before and Not After define the period of validity for the certificate.
Key Size defaults to 2048. A larger key improves security and does not significantly affect communication time. The only impact it has is to lengthen the time it takes to create the certificate initially.
If a third party will sign the certificate, consult with your CA (Certificate Authority) to determine the acceptable key size. Some CAs support a limited number of key sizes.
For Certificate Usage, select Server for a platform/station.
Alternate Server Name specifies an alternate name for the server, which is used to construct a Subject Alternative Name. For example, use the server's IP address if the CN is the hostname, and vice versa.
The OK button activates when all required information is provided.
- To create the certificate, click OK.
The Private Key Password window opens.

- Enter a strong, unique password or select the Use global certificate password check box.
Your password must be at least 10 characters long. At least one character must be a digit; one must be lower case; and one must be upper case.
The system submits the certificate for processing in the background. A pop-up window in the lower right of your screen advises you regarding the time it may take to generate the certificate. The length of time it takes depends on the key size and the platform’s processing capability. When created, the certificate appears as a row in the User Key Store table.
- To view the certificate from the platform/station’s User Key Store, double-click it or select it and click View.
Notice that the Issuer and Subject are the same and the certificate is identified with a yellow shield icon. These factors indicate that this is a self-signed certificate.
- Confirm that the information is correct.
Note: To change a certificate you just created, delete it and create a new certificate. Do not delete a certificate that is already in use.
Repeat this procedure to create additional certificates.
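
When repeating the procedure for many hosts, the planned values can be checked against the rules above before they are typed into the Generate Self Signed Certificate window. The following is an added example, not Workbench or vendor code. The dict keys, the sample hosts and the choice to treat Alias, Common Name, Organization and Country Code as blocking errors are assumptions, and the country check tests only the two-letter format, not membership in the ISO list.

```python
import ipaddress
import re

def is_ip(value):
    """True when value parses as an IPv4/IPv6 address rather than a host name."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False

def check_cert_plan(plan, ca_common_names=()):
    """Return (errors, warnings) for one planned server certificate (a dict)."""
    errors, warnings = [], []
    # Assumption: these four fields block creation when empty.
    for field in ("alias", "cn", "organization", "country"):
        if not plan.get(field, "").strip():
            errors.append(f"{field} is empty")
    # Locality and State/Province are optional, but blank values draw a warning.
    for field in ("locality", "state"):
        if not plan.get(field, "").strip():
            warnings.append(f"{field} is blank; a third-party CA may refuse to sign")
    country = plan.get("country", "")
    # Format check only; the full list of known codes is not embedded here.
    if country and not re.fullmatch(r"[A-Z]{2}", country):
        errors.append("country must be a two-character code such as US or DE")
    cn = plan.get("cn", "").strip()
    if cn and cn.lower() in {name.lower() for name in ca_common_names}:
        errors.append("cn matches a root or intermediate certificate's CN")
    alt = plan.get("alt_name", "").strip()
    if cn and alt and is_ip(cn) == is_ip(alt):
        warnings.append("alt_name should be the IP if cn is a host name, and vice versa")
    pw = plan.get("password", "")
    strong = (len(pw) >= 10 and re.search(r"\d", pw)
              and re.search(r"[a-z]", pw) and re.search(r"[A-Z]", pw))
    if not plan.get("use_global_password") and not strong:
        errors.append("password needs 10+ characters with a digit, lower and upper case")
    return errors, warnings

# Constructed sample plans (hypothetical hosts and values, not from the page).
GOOD = {"alias": "acme-east-server", "cn": "mycontroller.mydomain.com",
        "organization": "Acme", "locality": "Richmond", "state": "VA",
        "country": "US", "alt_name": "192.168.1.140", "password": "Tr1dentWaveX"}
BAD = {"alias": "acme-east-server", "cn": "Acme Root CA", "organization": "Acme",
       "country": "usa", "alt_name": "other.mydomain.com", "password": "short1A"}

if __name__ == "__main__":
    for name, plan in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, check_cert_plan(plan, ca_common_names=["Acme Root CA"]))
```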