
AVEVA™ PI Server Installation and Configuration (PI Server 2024 R2)

Use alternate methods for custom certificate renewal

  • Last Updated Nov 21, 2025

There are two alternate methods for custom certificate renewal:

  • The PI Diagnostic (pidiag) utility: Used to manually update certificates for Data Archive

  • The AF Diagnostic (AFDiag) utility: Used to manually update certificates for AF Server

Prerequisite:

Perform the following step before using the pidiag or AFDiag utility:

  • Ensure proper access: Verify that NT SERVICE\pinetmgr (for Data Archive) and NT SERVICE\AFService (for AF) have read access to the certificate’s private key. To simplify managing private key read access, place NT SERVICE\pinetmgr and NT SERVICE\AFService in a newly created group such as PIServerTLSWindowsGroup, and then grant the group read access to the certificate's private key.
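A read-only pre-check for the prerequisite above, as an added example that is not part of the AVEVA documentation: it confirms the certificate is in the Local Computer "Personal" store with a private key and reports whether each identity has an explicit read entry on the key file. It assumes an RSA key stored on disk and an elevated Windows PowerShell session; the parameter names are hypothetical.

```powershell
# Added example (not AVEVA code). Read-only: it changes no permissions.
# Assumptions: RSA certificate, key stored on disk, elevated session.
param(
    [Parameter(Mandatory)][string]$Thumbprint,
    # Accounts named on this page. If access is granted through a group,
    # pass the group's full name instead (e.g. 'MYHOST\PIServerTLSWindowsGroup').
    [string[]]$Identities = @('NT SERVICE\pinetmgr', 'NT SERVICE\AFService')
)

# Strip spaces and invisible characters that copy-paste from the MMC adds.
$thumb = ($Thumbprint -replace '[^0-9A-Fa-f]', '').ToUpper()
$cert  = Get-Item -Path "Cert:\LocalMachine\My\$thumb" -ErrorAction Stop

if (-not $cert.HasPrivateKey) { throw "Certificate $thumb has no private key." }
if ($cert.NotAfter -lt (Get-Date)) { Write-Warning "Certificate expired on $($cert.NotAfter)." }

# Resolve the key container file name (CNG or legacy CSP provider).
$rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
if ($null -eq $rsa) { throw "No RSA private key could be opened for $thumb." }
if ($rsa -is [System.Security.Cryptography.RSACng]) {
    $keyName = $rsa.Key.UniqueName
} else {
    $keyName = $rsa.CspKeyContainerInfo.UniqueKeyContainerName
}

# Machine key files live in one of these two directories.
$keyFile = "$env:ProgramData\Microsoft\Crypto\Keys",
           "$env:ProgramData\Microsoft\Crypto\RSA\MachineKeys" |
    ForEach-Object { Join-Path $_ $keyName } |
    Where-Object { Test-Path -LiteralPath $_ } |
    Select-Object -First 1
if (-not $keyFile) { throw "Key file '$keyName' not found (key may be in a TPM or HSM)." }

# Report whether each identity has an explicit Allow entry that includes Read.
$acl  = Get-Acl -LiteralPath $keyFile
$read = [System.Security.AccessControl.FileSystemRights]::Read
foreach ($id in $Identities) {
    $allow = $acl.Access | Where-Object {
        $_.IdentityReference.Value -ieq $id -and
        $_.AccessControlType -eq 'Allow' -and
        ($_.FileSystemRights -band $read) -eq $read
    }
    [pscustomobject]@{ Identity = $id; HasRead = [bool]$allow; KeyFile = $keyFile }
}
```

The check matches ACL entries by name only, so a service account that gets access through group membership shows `HasRead = False` unless the group itself is passed in `-Identities`.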

Use the PI Diagnostic utility (pidiag) to register the new thumbprint (Data Archive only)

Note: This method can be used but is not recommended.

The pidiag utility is used to perform routine maintenance and other tasks for Data Archive. There are two commands you can use to register and verify Data Archive's certificate thumbprint:

  • -tls --register

  • -tls --verify

The register parameter sets the certificate thumbprint that Data Archive presents to clients when they attempt TLS communication. This command also confirms that the certificate is located in the Local Computer's "Personal" certificate store, has the required properties, and sets read permissions on the certificate's private key for PI Network Manager.

The -tls --verify command confirms that the certificate registered for PI Data Archive's TLS use is valid and that the permissions are set properly.

Instructions:

  1. Open a command line prompt.

  2. Navigate to the ..\PI\adm directory.

  3. Use the following command to register the new thumbprint:

    pidiag -tls --register <Thumbprint>

For more information on pidiag command line options, see pidiag command-line options.

To trigger certificate renewal post-installation for custom or manual certificates, see Use alternate methods for custom certificate renewal.

Using AFDiag Utility to register the new thumbprint (AF only)

This method allows you to change the certificate thumbprint or update the certificate validation mode directly from the command line. The certificate validation mode is also used by AF Client applications on the same machine as the server.

Note: Although you can use the AFDiag utility to change the certificate thumbprint for AF Server, this method is not recommended.

  1. Open a command prompt and navigate to the AF installation directory: cd %PIHOME64%\AF

  2. To change the certificate thumbprint: AFDiag.exe /ct:<thumbprintValue>

  3. To change the validation mode: AFDiag.exe /cvm:<modeValue>. The following validation modes can be used:

    • None: No validation of the certificate is performed.

    • AllowExpiredOrRevoked: This mode allows the system to accept certificates that have expired or been revoked.

    • SystemDefault: The default certificate validation mode of the system is applied, meaning it adheres to standard system security policies and practices for certificate validation.

  4. Restart AF-related services for changes to take effect.

    Note: Certificate renewal changes for Data Archive are found in both system event logs and Data Archive diagnostics logs. For Asset Framework products, log files that contain PowerShell-based certificate renewals are found in this folder: %programdata%\OSIsoft\Setup\log\Aveva.PI.OIDCConfigurationTool.log.
