
AVEVA™ Engineering

Setup Global using Transport Security with certificate Authentication (https)


  • Last Updated: Nov 27, 2025

Note:
For message security the existing procedures should be followed for setting up certificates.

Certificates

Communication between two locations, for example a hub and a satellite, runs in both directions. When the hub sends a request and the satellite sends some data back, the hub acts as a client (sending) and the satellite as a service (listening), and vice versa. To run Global using https, two certificates per location are needed: a service certificate for when the location daemon acts as a service (listening) and a client certificate for when that location acts as a client (sending).

The certificates should be procured only from a trusted Certificate Authority (CA). Self-signed certificates can't be used for https.

To request a certificate from an internal CA, first generate a base 64 encoded public key of the certificate. This can be done using Internet Information Services (IIS): open IIS and double-click Server Certificates.

  1. From the Server Certificates window, select Create Certificate Request.

    The Request Certificate window is displayed.

  2. Populate the Distinguished Name Properties pane of the Request Certificate window as follows:

    • Common Name: For the service certificate, AVEVA strongly recommends that the common name is the daemon machine name.

    Note:
    If you have to give a different common name (for example the machine's IP address or <machine>.<domain>.com), the base address expected and used by Global needs to be edited in the "baseAddress" value of the globalwcfclient.config and admindwcf.exe.config files in the Global installation folder, and in the globalwcfclient.config file of Administration, Global, E3d etc. This represents a considerable effort because these files exist on each user's machine.

    Note:
    The client certificate common name can be ANY text except the machine name, because the machine name is already used for the service certificate.

    • Organization: Company/organization name (AVEVA Solutions Ltd for example)

    • Organizational Unit: Business unit name

    • State: Geographic state (Cambridgeshire for example)

    • City/Location: Geographic city (Cambridge for example)

    • Country: Geographic country (GB for example; this is governed by a list of valid two-letter codes)

  3. Click Next

  4. Populate the Cryptographic Service Provider Properties pane of the Request Certificate window as follows:

  5. Select Microsoft RSA SChannel Cryptographic Provider

  6. Select 2048 as the key size.

    Note:
    Use a key size of 2048 (anything smaller will be rejected).

  7. Click Next

  8. From the File Name pane of the Request Certificate window, enter a name and save the .cer file, then click Finish.

    Note:
    This creates a .cer file ready for the CA to produce the certificate.

Certificate Binding

Once the service certificate is installed, it needs to be bound to an IP address and port number. This is done by executing the netsh command in a command prompt with administrator privileges.

First check whether any certificate is already bound to the IP address and port number to be used. Open a command prompt in administrator mode and type netsh http show sslcert to display the list of any existing certificates and bindings.

Delete an existing certificate binding

To delete an existing certificate binding, execute netsh http delete sslcert ipport=0.0.0.0:8009
0.0.0.0 represents the IP address and translates to the machine name; 8009 is the port number to be cleared for use for https communication.

Add a certificate binding

To add a certificate binding, execute netsh http add sslcert ipport=0.0.0.0:<port> certhash=<certificate thumbprint> appid={0e1409bd-eee7-4bcd-a52e-8c6c78569e2f}

Certificate Thumbprint

To get the certificate's thumbprint, navigate to the certificate installed in the Personal folder in MMC and click Details. Scroll to the bottom to find the certificate's thumbprint value.

The appid parameter is a GUID that can be used to identify the owning application.

Note:
Any random GUID can be provided and works well. For example: netsh http add sslcert ipport=0.0.0.0:8009 certhash=8b89057c9a63374b3ef2fa263200fb83c64ca105 appid={0e1409bd-eee7-4bcd-a52e-8c6c78569e2f}

Note:
For more information from Microsoft about configuring certificates with ports, refer to Configure a Port with an SSL Certificate - WCF
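
The check, delete and add steps above can be combined with a pre-flight check of the service certificate. The following PowerShell script is an added example, not AVEVA's own code. It assumes an elevated prompt on the daemon machine and a service certificate in the Local Computer Personal store; the parameter names and the -Replace switch are hypothetical, and the port and appid defaults are the example values from this page.

```powershell
# Added example, not AVEVA's own script. Run from an elevated PowerShell prompt.
param(
    [string]$CommonName = $env:COMPUTERNAME,  # recommended CN: daemon machine name
    [int]$Port = 8009,                        # example port used on this page
    [string]$AppId = '{0e1409bd-eee7-4bcd-a52e-8c6c78569e2f}',  # example GUID from this page
    [switch]$Replace                          # hypothetical switch: overwrite an existing binding
)
$ErrorActionPreference = 'Stop'
$ipPort = "0.0.0.0:$Port"

# Find the service certificate in the Local Computer "Personal" store by common name.
$pattern = 'CN=' + [regex]::Escape($CommonName) + '(,|$)'
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -match $pattern } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No certificate with CN=$CommonName in LocalMachine\My" }

# Checks that mirror the requirements stated on this page.
$rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($cert)
$now = Get-Date
$problems = @()
if (-not $cert.HasPrivateKey) { $problems += 'no private key in the store' }
# Heuristic: subject equal to issuer indicates a self-signed certificate.
if ($cert.Subject -eq $cert.Issuer) { $problems += 'self-signed (subject equals issuer)' }
if ((-not $rsa) -or ($rsa.KeySize -lt 2048)) { $problems += 'RSA key smaller than 2048 bits' }
if ($now -lt $cert.NotBefore -or $now -gt $cert.NotAfter) { $problems += 'outside validity period' }
if ($problems) { throw "Certificate $($cert.Thumbprint) rejected: $($problems -join '; ')" }

# A binding is present when the output contains a 40-hex-digit certificate hash.
$existing = (netsh http show sslcert "ipport=$ipPort") -join "`n"
if ($existing -match '[0-9A-Fa-f]{40}') {
    if ($existing -match $cert.Thumbprint) { Write-Output "Already bound to $ipPort"; return }
    if (-not $Replace) { throw "Another certificate is bound to $ipPort; rerun with -Replace" }
    netsh http delete sslcert "ipport=$ipPort"
    if ($LASTEXITCODE -ne 0) { throw 'netsh delete failed' }
}

# Quoting each argument keeps PowerShell from parsing the braces in the appid GUID.
netsh http add sslcert "ipport=$ipPort" "certhash=$($cert.Thumbprint)" "appid=$AppId"
if ($LASTEXITCODE -ne 0) { throw 'netsh add failed' }
netsh http show sslcert "ipport=$ipPort"
```

The script stops before touching the binding if the certificate fails any check, so an unsuitable certificate never replaces a working one.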
