Automatic certificate renewal with Platform Common Services (PCS)
- Last UpdatedNov 21, 2025
- 2 minute read
- PI System
- PI Server 2024 R2
- PI Server
Automatic certificate renewal can be managed by Platform Common Services (PCS). The topics in this section explain how to configure PCS certificates for the following PI Server installation scenarios:
-
TLS configured at installation: You selected the option for automatic TLS certificate renewal during installation (with specific options differing for Data Archive and AF products). See Configure PCS certificates at installation
-
TLS configuration after installation: If TLS certificate renewal wasn't configured at installation due to preference or oversight, you will need to set it up manually after installation. See Configure PI System Services to use PCS after post-installation.
Overview of PCS certificate management
The System Management Server (SMS) is where PCS certificate management is handled across the PI System platform, and it ensures that TLS encryption is applied to all PI System components. The AVEVA Identity Manager (AIM) server is located on the System Management Server, and acts as a core service in the PCS framework. PCS hosts both the AVEVA Identity Manager and the System Management Server. PCS certificates apply to all PI Server components selected at installation. Configuring PCS certificates enables automatic certificate rotation for all installed PI components and services.
It is strongly recommended to install PI Server services on separate nodes from the System Management Server. To receive and apply certificates from the System Management Server, PCS for the PI System should be installed and configured to point to the System Management Server on all PI Server nodes. For more details, see Connect a machine to a System Management Server.
Note: PI Client nodes must trust certificates used by PI Server in order to use OpenID Connect (OIDC) authentication. To establish this trust relationship, add the PCS SMS root certificate to the Trusted Root Certificate store in Windows or install the PCS Framework on the client node and then configure the PCS SMS server location. Follow these two steps to install the root certificate on a client node: 1) Export the <machine name> ASB Root CA from the PCS-Framework SMS node; 2) Import the certificate to the client node.