Niagara 4.10 and later supports bulk certificate signing. This procedure describes how to sign multiple certificates in one operation.
- You are working in Workbench on a physically and electronically secure PC that is never connected to the Internet, and is used exclusively to sign certificates.
- The root CA or intermediate certificate that will do the signing is in the Workbench Certificate Management User Key Store.
- You know the password of the CA signing certificate (root or intermediate) that will sign the certificate(s).
- You have one or more server certificate CSR files (signing requests) ready to sign.
- The “bulkCertSigner” license feature is enabled for your platform.
Signing certificates is the job of a CA (Certificate Authority). A variety of certificate-signing software tools are available. You are not required to use the framework and Workbench to sign certificates. Companies that serve as their own CA, for example in a large installation, may use the root CA certificate to sign any intermediate certificates and the intermediate certificates to sign server and code-signing certificates. In a small installation, you may use your root CA certificate to sign all certificates.
Note: To ensure network security, always sign certificates using Workbench on a computer that is disconnected from the Internet and from the company LAN. Maintain this computer in a physically secure location.
- In Workbench click .
The tool opens a window to select one or more certificate signing requests (CSRs), as shown.

- In the local file system navigate to the folder containing the CSRs, select one or more, and click Open.
The tool window displays common properties above the table listing the selected CSRs.

The common properties are:
- CA Alias: CA certificate in the Workbench User Key Store to use for signing
- CA Password: certificate password
- Save As: certificate type to generate from the CSR
- Extension: file extension to use when saving generated certificates
- Filename Format: filename pattern to use for generated certificates
- In the CA Password field, enter the CA certificate’s password.
- In the Save As field, specify the type of certificate(s) to generate and the file extension to use, either by selecting from the drop-down list or by entering it.
- In the File Format field, you can define an alternate BFormat string to use when generating the signed certificate filenames. By default, the BFormat string for the original CSR filename is used. Click the Help button (?) for details on how to define alternate filenames.
- The Certificate Signing Request Manager is a standard Workbench manager view. If you wish, select and edit any listed CSRs as needed.
Properties that you can edit are:
- Once all edits are completed, click Generate.
- In the Chooser window navigate to select the directory location for saving the generated signed certificates and click Choose.
- In the Confirm Generating Certificates window, click OK to continue.
- In the Certificate Generation Result window, click OK to close the window.
The procedure is complete. You successfully generated one or more signed certificates which are saved to the indicated directory.
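
Because bulk signing applies one CA key to every selected request, it helps to review the batch before loading it into the Certificate Signing Request Manager. The following shell script is an added example, not part of Workbench or the Niagara documentation: it checks each CSR's self-signature and prints its subject and key size. It assumes the OpenSSL command-line tool is available on the signing PC and that the CSRs are PEM files ending in `.csr`; the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not Niagara code): audit a folder of CSRs before bulk signing.
# Assumptions: OpenSSL CLI installed; CSRs are PEM files named *.csr.

# check_csr FILE: print one summary line for FILE.
# Returns 1 if the file does not parse as a CSR or its self-signature
# (proof that the requester holds the private key) does not verify.
check_csr() {
    f=$1
    # Match the message rather than the exit status: the exit status on a
    # failed verification is not reliable across OpenSSL releases.
    out=$(openssl req -in "$f" -noout -verify 2>&1) || true
    case $out in
        *"verify OK"*) ;;
        *) printf 'REJECT %s (unparseable or bad self-signature)\n' "$f"
           return 1 ;;
    esac
    subject=$(openssl req -in "$f" -noout -subject 2>/dev/null) || true
    bits=$(openssl req -in "$f" -noout -text 2>/dev/null |
           sed -n 's/.*Public-Key: (\([0-9]*\) bit.*/\1/p')
    printf 'OK     %s bits=%s %s\n' "$f" "${bits:-unknown}" "$subject"
}

# review_csr_dir DIR: check every *.csr in DIR.
# Returns 0 only if all pass, 1 if any is rejected, 2 if none are found.
review_csr_dir() {
    dir=$1
    bad=0
    for f in "$dir"/*.csr; do
        [ -e "$f" ] || { echo "no .csr files in $dir"; return 2; }
        check_csr "$f" || bad=$((bad + 1))
    done
    [ "$bad" -eq 0 ]
}

# Stand-alone use: sh review_csrs.sh /path/to/csr-folder
if [ "$#" -gt 0 ]; then
    review_csr_dir "$1"
fi
```

Compare each printed subject against the request you expected from that station owner, and select only the CSRs reported as OK.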