Signing a certificate

Signing a certificate is the job of a CA (Certificate Authority). A variety of certificate-signing software tools are available; you are not required to use the framework and Workbench to sign certificates. This procedure documents how to sign certificates in Workbench. It applies to companies that serve as their own CA. In a large installation, you use your root CA certificate to sign any intermediate certificates, and the intermediate certificates to sign your server and code-signing certificates. In a small installation, you may use your root CA certificate to sign all certificates.

Prerequisites:

  • You are working in Workbench on a physically and electronically secure PC that is never connected to the Internet, and is used exclusively to sign certificates.

  • The root CA or intermediate certificate that will do the signing is in the Workbench User Key Store.

  • You know the password of the CA signing certificate (root or intermediate) that will sign the certificate(s).

  • You have one or more CSR files (signing requests) ready to sign.

Note: To ensure network security, always sign certificates using Workbench on a computer that is disconnected from the Internet and from the company LAN. Maintain this computer in a physically secure location.

  1. In Workbench on your physically and electronically secure (and never connected to the Internet) PC that is used exclusively to sign certificates, click Tools > Certificate Signer Tool.
    The Certificate Signing window opens.

  2. Click the folder icon, locate, and open the CSR for the certificate you wish to sign.
    The Certificate Signing window expands to show certificate details.

  3. Confirm that this is the correct CSR by checking the Subject.
  4. Select the date on which the certificate becomes effective (Not Before) and the date after which it expires (Not After).
  5. For CA Alias, use the drop-down list to select the certificate (root or intermediate) whose private key will sign this certificate.
  6. Supply the CA certificate’s password and click OK.
    Signing is done by the private key of the root or intermediate certificate.

    The same file folder, C:/Users/[username]/Niagara4.x/certManagement, displays with the file name (extension: .pem) filled in for you.

    You may modify this file structure to aid in the management of these files.

  7. To complete the signing, click Save.
  8. Copy the signed certificate .pem file to a thumb drive and import it back into the User Key Store of the computer that created the certificate and generated the CSR.

You can repeat this procedure for each CSR.
Note: In Niagara there is added support for bulk certificate signing. For more details refer to the “Signing multiple certificates” topic.
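
Before the signed .pem file is imported in step 8, it can be checked independently of Workbench. The script below is an added example, not part of the Niagara documentation: it assumes OpenSSL is installed on the signing PC, and the function names and file names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the Niagara documentation). OpenSSL and all file
# names are assumptions.

# check_signed_cert CA_PEM SIGNED_PEM CSR
# Returns 0 only if the signed certificate carries the CSR's public key and
# verifies against the CA certificate that was selected as CA Alias.
check_signed_cert() {
    ca=$1; cert=$2; csr=$3
    # The signed certificate must contain exactly the key that was requested.
    cert_key=$(openssl x509 -in "$cert" -noout -pubkey) || return 2
    csr_key=$(openssl req -in "$csr" -noout -pubkey) || return 2
    if [ "$cert_key" != "$csr_key" ]; then
        echo "FAIL: public key differs from the CSR" >&2; return 1
    fi
    # Signature and validity period. A Not Before date in the future fails
    # here until that date is reached.
    if ! openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1; then
        echo "FAIL: not signed by this CA, or outside Not Before/Not After" >&2
        return 1
    fi
    # Print the fields chosen in steps 3 to 5 for a final visual check.
    openssl x509 -in "$cert" -noout -subject -issuer -dates
}

# make_demo DIR: constructed sample data (throwaway CA, two CSRs, one signed
# certificate) so the check can be tried without real keys.
make_demo() {
    d=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=Demo Root CA" \
        -keyout "$d/ca.key" -out "$d/ca.pem" 2>/dev/null
    for n in station other; do
        openssl req -newkey rsa:2048 -nodes -subj "/CN=$n.example" \
            -keyout "$d/$n.key" -out "$d/$n.csr" 2>/dev/null
    done
    openssl x509 -req -in "$d/station.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
        -CAcreateserial -days 30 -out "$d/station.pem" 2>/dev/null
}

if [ "${1:-}" = "demo" ]; then
    tmp=$(mktemp -d) && make_demo "$tmp" &&
        check_signed_cert "$tmp/ca.pem" "$tmp/station.pem" "$tmp/station.csr"
    rm -rf "$tmp"
fi
```

Run the script with the argument `demo` to exercise the check on throwaway keys; a non-zero return from `check_signed_cert` means the file should not be imported.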