Use the OIDC Configuration tool to configure TLS certificate renewal

PI Server services can be configured to use certificates for TLS communications. The preferred recommended method for manual custom certificate renewal is the OIDC Configuration tool. The OIDC Configuration tool enables you to specify the thumbprint for all PI Server certificate owners.

Running the OIDC Configuration tool completes these tasks:

• Enables read permissions on the certificate's private key for each PI Server service

• Adds those services to the PIServerTLSWindowsGroup windows group when Platform Common Services (PCS) certificates are not used and custom certificates are configured

  Note: The OIDC Configuration tool is the recommended method for configuring manual, custom certificates. OIDC Configuration tool errors are logged at C:\ProgramData\OSIsoft\Setup\log\Aveva.PI.OIDCConfigurationTool.log.

Configure TLS certificates with the OIDC Configuration tool

1. Run the following command with administrative privileges from the %PIServer%adm folder, omitting any service flags that do not apply to your node:

   Aveva.PI.OIDCConfigurationTool.exe /CERTIFICATETHUMBPRINT:<Thumbprint> /AFSERVER /PIDATAARCHIVE /PINOTIFICATIONS /PIANALYTICS

   Configures Data Archive, AF Server, PI Notifications Service, and PI Analysis Service to use the same certificate.

2. Restart all AF services and Data Archive to apply the changes.