
AVEVA™ Production Management

Set up the SSL certificate for WCF web services

  • Last Updated: Jun 19, 2024

The WCF web services use trusted certificates when communicating over HTTPS. Use the following PowerShell commands to obtain (if necessary) and register a trusted SSL certificate.

Obtain the SSL trusted certificate

Note: You only need to perform this task if you don't already have an SSL certificate. Otherwise, proceed to registering the SSL trusted certificate that you have.

  1. Create the root certificate.

    Example command:

    # Self-signed root certificate, used to sign the server certificate
    $params = @{
        DnsName           = "Your_CA_Machine_Name.domain.com"
        KeyLength         = 2048
        KeyAlgorithm      = 'RSA'
        HashAlgorithm     = 'SHA256'
        KeyExportPolicy   = 'Exportable'
        NotAfter          = (Get-Date).AddYears(5)
        CertStoreLocation = 'Cert:\LocalMachine\My'
        KeyUsage          = 'DigitalSignature','KeyEncipherment','DataEncipherment','CertSign','CRLSign'
        # Enhanced key usage: server authentication and client authentication
        TextExtension     = @("2.5.29.37={text}1.3.6.1.5.5.7.3.1, 1.3.6.1.5.5.7.3.2")
    }
    $rootCA = New-SelfSignedCertificate @params

  2. Create the server certificate signed by the new root.

    Example command:

    # Server certificate for the machine hosting the service, signed by $rootCA
    $params = @{
        DnsName           = "Server_Name_Hosting_Service.domain.com"
        Signer            = $rootCA
        KeyLength         = 2048
        KeyAlgorithm      = 'RSA'
        HashAlgorithm     = 'SHA256'
        KeyExportPolicy   = 'Exportable'
        NotAfter          = (Get-Date).AddYears(2)
        CertStoreLocation = 'Cert:\LocalMachine\My'
        # Enhanced key usage: server authentication only
        TextExtension     = @("2.5.29.37={text}1.3.6.1.5.5.7.3.1")
        FriendlyName      = 'Hosting Service'
    }
    $serverCert = New-SelfSignedCertificate @params

  3. Add the self-signed root to the trusted root certificate store of the current Windows client. You can use PowerShell or open Microsoft Management Console (MMC) to see the newly generated certificate.

    When exporting the certificate to make it a trusted certificate, be sure to select the "No, do not export the private key" option.

    Example command:

    # if you want to silence the cert warnings on other systems you'll need to import the rootCA.crt on them too
    Export-Certificate -Cert $rootCA -FilePath "C:\certs\rootCA.crt"
    Import-Certificate -CertStoreLocation 'Cert:\LocalMachine\Root' -FilePath "C:\certs\rootCA.crt"

Register the SSL trusted certificate

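  1. Bind the SSL certificate.

    1. Use appid 16b24589-0b76-44fa-a82d-3c017066774b for the AVEVA Production Management application. The certhash value is the thumbprint of the server certificate; the value shown below is an example.
      Example command (run from a command prompt as administrator):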

      netsh http add sslcert ipport=0.0.0.0:8889 appid={16b24589-0b76-44fa-a82d-3c017066774b} certhash=ba1155d8276875dcec977ef479f2fec2c936122f

    2. Get the server certificate thumbprint from the certificate console.
      Example command:

      Get-ChildItem -Path Cert:\LocalMachine\MY | Where-Object {$_.Thumbprint -Match "f0ed296"}

  2. List the Discretionary Access Control Lists (DACLs) for the specified reserved URL.
    Example command (run from a command prompt as administrator):

    netsh http show urlacl url=https://+:8889/

  3. Show the certificate.
    Example command (run from a command prompt as administrator):

    netsh http show sslcert ipport=0.0.0.0:8889
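
The verification steps above can be combined into one check that the certificate bound to port 8889 is the one in the machine store, has its private key, and has not expired. This is an added example, not AVEVA code: the function names are hypothetical, the sample input is constructed from the example values on this page, and the parsing assumes English netsh output.

```powershell
# Added example, not AVEVA code. Function names are hypothetical.
function ConvertTo-CleanThumbprint {
    param([Parameter(Mandatory)][string]$Text)
    # Values copied from the certificate console can carry spaces or an
    # invisible U+200E mark; keep only the hex digits.
    $hex = ($Text -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
    if ($hex.Length -ne 40) { throw "Expected 40 hex digits, got $($hex.Length)." }
    $hex
}

function Get-BoundCertHash {
    param([Parameter(Mandatory)][string[]]$NetshOutput)
    # Assumes English 'netsh http show sslcert' output.
    foreach ($line in $NetshOutput) {
        if ($line -match 'Certificate Hash\s*:\s*([0-9A-Fa-f]{40})') {
            return $Matches[1].ToUpperInvariant()
        }
    }
    return $null
}

function Test-ServiceBinding {
    param([string]$Thumbprint, [string[]]$NetshOutput,
          [string]$Store = 'Cert:\LocalMachine\My')
    $want = ConvertTo-CleanThumbprint $Thumbprint
    $cert = Get-ChildItem -Path $Store | Where-Object { $_.Thumbprint -eq $want }
    [pscustomobject]@{
        Thumbprint    = $want
        InStore       = [bool]$cert
        HasPrivateKey = [bool]($cert -and $cert.HasPrivateKey)
        NotExpired    = [bool]($cert -and $cert.NotAfter -gt (Get-Date))
        BoundToPort   = ((Get-BoundCertHash $NetshOutput) -eq $want)
    }
}

# Constructed sample: the page's example hash with a leading U+200E,
# and netsh output written out by hand in the tool's usual layout.
$pasted = "$([char]0x200E)ba1155d8276875dcec977ef479f2fec2c936122f"
$sample = @(
    '    IP:port                      : 0.0.0.0:8889'
    '    Certificate Hash             : ba1155d8276875dcec977ef479f2fec2c936122f'
    '    Application ID               : {16b24589-0b76-44fa-a82d-3c017066774b}'
)
Test-ServiceBinding -Thumbprint $pasted -NetshOutput $sample

# On the server itself (elevated prompt):
# Test-ServiceBinding $serverCert.Thumbprint (netsh http show sslcert ipport=0.0.0.0:8889)
```

On a machine that does not hold the example certificate, the sample run reports BoundToPort as True and InStore as False, which is the mismatch to look for when HTTPS calls to the service fail after binding.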
