
AVEVA™ Production Management

Set up the SSL trusted certificate

  • Last Updated: Nov 07, 2024

The Web API uses trusted certificates for authentication. Perform the following steps, using the PowerShell commands shown, to obtain the SSL trusted certificate.

Note: If you are using the Web API with AVEVA Work Tasks, you need to generate a global trusted certificate through System Management Server in AVEVA Enterprise License Server.

  1. Create the root certificate.

    Example command:

    $params = @{
        DnsName = "Your_CA_Machine_Name.domain.com"
        KeyLength = 2048
        KeyAlgorithm = 'RSA'
        HashAlgorithm = 'SHA256'
        KeyExportPolicy = 'Exportable'
        NotAfter = (Get-Date).AddYears(5)
        CertStoreLocation = 'Cert:\LocalMachine\My'
        # CertSign and CRLSign allow this certificate to sign other certificates
        KeyUsage = 'DigitalSignature','KeyEncipherment','DataEncipherment','CertSign','CRLSign'
        # Enhanced Key Usage (2.5.29.37): server authentication and client authentication
        TextExtension = @("2.5.29.37={text}1.3.6.1.5.5.7.3.1, 1.3.6.1.5.5.7.3.2")
    }
    $rootCA = New-SelfSignedCertificate @params

  2. Create the server certificate signed by the new root.

    Example command:

    $params = @{
        DnsName = "Server_Name_Hosting_Service.domain.com"
        # Sign with the root certificate created in step 1
        Signer = $rootCA
        KeyLength = 2048
        KeyAlgorithm = 'RSA'
        HashAlgorithm = 'SHA256'
        KeyExportPolicy = 'Exportable'
        NotAfter = (Get-Date).AddYears(2)
        CertStoreLocation = 'Cert:\LocalMachine\My'
        # Enhanced Key Usage (2.5.29.37): server authentication only
        TextExtension = @("2.5.29.37={text}1.3.6.1.5.5.7.3.1")
        FriendlyName = 'Hosting Service'
    }
    $serverCert = New-SelfSignedCertificate @params

  3. Add the self-signed root certificate to the trusted root certificate store of the current Windows client. You can use PowerShell or open Microsoft Management Console (MMC) to see the newly generated certificate.

    When you export the certificate to make it a trusted certificate, select the "No, do not export the private key" option.
    Example command:

    # If you want to silence the certificate warnings on other systems, you need to import rootCA.crt on them too
    Export-Certificate -Cert $rootCA -FilePath "C:\certs\rootCA.crt"
    Import-Certificate -CertStoreLocation 'Cert:\LocalMachine\Root' -FilePath "C:\certs\rootCA.crt"

  4. Reserve the Web API URL. The default port for the Web API based URL is 9003.
    Example command (run from a command prompt opened as administrator):

    netsh http add urlacl url=https://+:9003/ user=domain\ckent

    You can modify the default port number if necessary. For more information, refer to Modify the default port for the Web API based URL.

  5. Bind the SSL certificate.

    1. Use appid 16b24589-0b76-44fa-a82d-3c017066774b for AVEVA Production Management API.
      Example command (run from a command prompt opened as administrator):

      netsh http add sslcert ipport=0.0.0.0:9003 appid={16b24589-0b76-44fa-a82d-3c017066774b} certhash=ba1155d8276875dcec977ef479f2fec2c936122f

    2. Get the server certificate thumbprint from the certificate console.
      Example command:

      Get-ChildItem -Path Cert:\LocalMachine\MY | Where-Object {$_.Thumbprint -Match "f0ed296"}

  6. List the discretionary access control lists (DACLs) for the specified reserved URL.
    Example command (run from a command prompt opened as administrator):

    netsh http show urlacl url=https://+:9003/

  7. Show the certificate.
    Example command (run from a command prompt opened as administrator):

    netsh http show sslcert ipport=0.0.0.0:9003
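
The following check is an added example, not part of the AVEVA documentation. It confirms in one pass that the server certificate from step 2 has a private key and the server authentication EKU, chains to the root trusted in step 3, and is the certificate bound in step 5. It assumes the FriendlyName 'Hosting Service' and the default binding 0.0.0.0:9003 used in the steps above.

```powershell
# Added example, not AVEVA code. Run in an elevated PowerShell session.
# Assumed from the steps above: FriendlyName 'Hosting Service', binding on 0.0.0.0:9003.
$ipPort = '0.0.0.0:9003'

# Newest certificate created by step 2.
$serverCert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.FriendlyName -eq 'Hosting Service' } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $serverCert) { throw "No 'Hosting Service' certificate in Cert:\LocalMachine\My" }

# Build the chain without revocation checking: the self-signed root publishes no CRL.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'NoCheck'
$chainOk = $chain.Build($serverCert)
$root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate

# Step 3 imports a public-only copy of the root; it should be present without a key.
$trustedRoot = Get-ChildItem Cert:\LocalMachine\Root |
    Where-Object { $_.Thumbprint -eq $root.Thumbprint }

# netsh output is localized, so search it for the thumbprint instead of parsing labels.
$binding = netsh http show sslcert ipport=$ipPort | Out-String

[pscustomobject]@{
    Thumbprint            = $serverCert.Thumbprint
    HasPrivateKey         = $serverCert.HasPrivateKey
    ServerAuthEku         = $serverCert.EnhancedKeyUsageList.ObjectId -contains '1.3.6.1.5.5.7.3.1'
    NotExpired            = $serverCert.NotAfter -gt (Get-Date)
    ChainBuilds           = $chainOk
    ChainErrors           = ($chain.ChainStatus.Status -join ', ')
    RootTrustedPublicOnly = [bool]$trustedRoot -and -not ($trustedRoot | Where-Object HasPrivateKey)
    BoundToPort           = $binding -match $serverCert.Thumbprint
}
```

Every Boolean field should be True and ChainErrors empty; an UntrustedRoot entry in ChainErrors means the import in step 3 did not reach Cert:\LocalMachine\Root.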
