
AVEVA™ Work Tasks

Web API Server Configuration

  • Last Updated: Jul 19, 2023

Enable Client Certificate Mapping Authentication

  • In Windows features, select Server Roles, and enable the Client Certificate Mapping Authentication option.

Generate and Install Root Certificate

  1. To generate the root certificate,

    1. Run the Command prompt and navigate to the makecert tool.

    2. Execute the below command:

      makecert -n "CN=<FQDN>" -r -sv ClientRootCA.pvk ClientRootCA.cer

      Replace <FQDN> with the fully qualified domain name of the machine (i.e. the computer name with the domain).

      The certificate is generated in the same path.

    Note: The makecert utility is part of the Windows SDK.

  2. To install the certificate,

    1. Run MMC on your machine. Then click File > Add/Remove Snap-in.

    2. Select Certificate and click Add>.

    3. Select Computer account option in the Certificates snap-in dialog box and click Next.

    4. Select Local Computer option in the Select Computer dialog box and click Finish.

    The generated certificate will be available at Certificates (Local Computer) > Trusted Root Certification Authorities > Certificates.

Generate and Install Client Certificate

  1. To generate the client certificate,

    1. Run the Command prompt and navigate to the makecert tool.

    2. Execute the below command:

      makecert -sk MyKeyName -iv ClientRootCA.pvk -n "CN=<username>" -ic ClientRootCA.cer -sr currentuser -ss my -sky signature -pe

      where <username> is the user name you are currently logged in with.

  2. To install the certificate,

    1. Run MMC on your machine. Then click File > Add/Remove Snap-in.

    2. Select Certificate and click Add>.

    3. Select My user account option in the Certificates snap-in dialog box.

    4. Click Finish.

    The generated certificate will be available at Certificates (Current User) > Personal > Certificates.

Export the Generated Certificate

    To export the certificates for client authentication:

    1. Navigate to Console Root\Certificates - Current User\Personal\Certificates.

    2. Right-click on the generated certificate, click All Tasks and then click Export.

    3. In the Certificate Export Wizard,

      • Select Yes, export the private key option to export certificate with the private key.

      • Select No, do not export the private key option if you do not want the private key.

    4. To export the certificates with private key (.pfx certificate) for client authentication,

      1. In the Certificate Export Wizard, select Yes, export the private key option to export certificate with the private key.

      2. Select the Personal Information Exchange PKCS #12 (.PFX) option. Select the Include all certificates in the certification path if possible and the Export all extended properties check boxes and then click Next.

      3. Provide the password and click Next.

      4. Specify the location and name for the file to be exported. Click Next and then click Finish.

        The certificate with private key is available for client authentication.

    5. To export the certificates with public key (.CER certificate) for client authentication,

      1. In the Certificate Export Wizard, select No, do not export the private key option.

      2. Select the Base-64 encoded X.509 (.CER) option and click Next.

      3. Specify the location and name for the file to be exported. Click Next and then click Finish.

        This certificate is used for IIS client certificate mapping authentication.

Configuring IIS Mapping

      1. Open IIS to configure your site so that the website is mapped to the client certificate.

      2. Click your website and double-click Authentication.

      3. Disable all authentication types.

      4. Open Configuration Editor in Management Section.

        • In the Section, enter system.webServer/security/authentication/iisClientCertificateMappingAuthentication.

        • For the enabled property, enter True.

        • For the oneToOneMappingsEnabled property, enter True.

      5. Click the oneToOneMappings property.

      6. In the Collection Editor dialog box, click Add.

      7. For the certificate property, copy and paste the public certificate that was exported (in step 5 of the section Export the generated certificate).

        Note: Open the public certificate in Notepad and copy the Base-64 encoded certificate value as a single line.

      8. For the enabled property, enter True.

      9. Enter a valid Windows user name and password that is used to log in to the server machine.

      10. Close the dialog box and click Apply.

        Mapping to your site is completed.

      11. Import the certificate in IIS and edit Site Bindings.

        • Under Type property, select https.

        • Under SSL certificate property, select the certificate.

      12. Click SSL Settings.

        Select the Require SSL check box and, under the Client certificates section, select the Require option so that any client connection to the site requires a certificate.

Modify Registry

        • Modify or add the 'ClientAuthTrustMode' key in the Registry Editor under Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL.

          Set the value of the ClientAuthTrustMode key to 2.
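
The Configuring IIS Mapping steps 4 to 10 and 12 and the Modify Registry step can also be scripted. The PowerShell below is an added example, not part of the AVEVA documentation. It assumes the WebAdministration module, a site named 'Default Web Site', an exported file at C:\certs\client.cer, and that ClientAuthTrustMode is stored as a DWORD; replace the placeholders with your own values. It produces the single-line certificate value by dropping the BEGIN/END lines of the Base-64 .CER and joining the rest.

```powershell
# Added example: scripted form of the IIS mapping and registry steps. Run elevated on the IIS server.
# Assumptions (not from the original page): site name and .cer path are placeholders.
Import-Module WebAdministration

$site    = 'Default Web Site'        # placeholder site name
$cerPath = 'C:\certs\client.cer'     # Base-64 .CER exported without the private key
$cred    = Get-Credential -Message 'Windows account the client certificate maps to'

# Flatten the Base-64 .CER: drop the BEGIN/END lines and join the body into one line.
$b64 = (Get-Content -Path $cerPath |
        Where-Object { $_ -notmatch '^-----(BEGIN|END) CERTIFICATE-----' }) -join ''
$b64 = $b64 -replace '\s', ''

# Fail early if the text does not parse as a certificate, and show what is being mapped.
$cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new(
            [Convert]::FromBase64String($b64))
"Mapping $($cert.Subject) (thumbprint $($cert.Thumbprint), expires $($cert.NotAfter)) to $($cred.UserName)"

$auth   = 'system.webServer/security/authentication/iisClientCertificateMappingAuthentication'
$common = @{ PSPath = 'MACHINE/WEBROOT/APPHOST'; Location = $site }

# Steps 4-10: enable the section and add the one-to-one mapping.
Set-WebConfigurationProperty @common -Filter $auth -Name enabled -Value $true
Set-WebConfigurationProperty @common -Filter $auth -Name oneToOneMappingsEnabled -Value $true
Add-WebConfigurationProperty @common -Filter "$auth/oneToOneMappings" -Name '.' -Value @{
    enabled     = $true
    userName    = $cred.UserName
    password    = $cred.GetNetworkCredential().Password
    certificate = $b64
}

# Step 12: require SSL and require a client certificate.
Set-WebConfigurationProperty @common -Filter 'system.webServer/security/access' `
    -Name sslFlags -Value 'Ssl,SslNegotiateCert,SslRequireCert'

# Modify Registry: ClientAuthTrustMode = 2 (Schannel "Exclusive CA Trust"), assumed DWORD.
New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL' `
    -Name ClientAuthTrustMode -PropertyType DWord -Value 2 -Force | Out-Null

# Read back the mappings that are now configured for the site.
Get-WebConfigurationProperty @common -Filter "$auth/oneToOneMappings" -Name Collection |
    Select-Object userName, enabled
```

The script does not disable the other authentication types (step 3) or edit the https site binding (step 11); do those in IIS Manager as described above.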
