Create Self-Signed OpenSSL Certificate for NLB

Overview

For secure traffic from Historian collectors, and for access to the containerized Configuration Hub and Proficy Authentication deployed with Cloud Historian, an SSL certificate must be configured on the NLB.

When you deploy Historian on AWS 2024 with the CloudFormation Template (CFT), there are two options related to SSL certificates:

  • Leave the SSL Certificate Arn parameter empty: in this case, the CFT creates a self-signed SSL certificate by running the OpenSSL command inside an AWS Lambda function.
  • Provide the ARN of an SSL certificate already uploaded to AWS ACM or IAM: in this case, the CFT does not create a self-signed certificate; the certificate you provide is used with the NLB listeners.

In both cases, the SSL certificate is created without any knowledge of the NLB DNS name, which is only known once the CFT deployment completes. Because of this, when you access Configuration Hub or Proficy Authentication deployed with the Historian CFTs, the web browser displays a Non-secure indicator, as shown in the following figure.

To stop the browser from displaying the Non-secure indicator, you need to create an SSL certificate whose SAN (Subject Alternative Name) field contains the NLB DNS name. On a Linux-based system with the openssl package installed, you can create such a certificate by issuing the following commands (replace <NLB_DNS> with the NLB DNS name):

openssl genpkey -algorithm RSA -out ./nlb-key.pem -pkeyopt rsa_keygen_bits:2048
openssl req -x509 -new -nodes -key ./nlb-key.pem -sha256 -out nlb-cert.pem -subj "/O=ProficyHistorian/OU=MFG/CN=CloudHistorian" -addext "subjectAltName = DNS:<NLB_DNS>" -days 3600

After executing these two commands, the private key (nlb-key.pem) and the certificate (nlb-cert.pem) exist in the current directory. The contents of both files are required later, when uploading to AWS IAM / ACM in the following steps:
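The following script is an added example and is not part of the Historian documentation or the CFT. It wraps the two commands above in a function and adds the checks a practitioner would want before uploading anything to ACM or IAM: that the certificate's SAN really lists the NLB DNS name, and that nlb-key.pem is the private key belonging to nlb-cert.pem. The NLB DNS name used here is a constructed placeholder; set NLB_DNS to the real one. The same SAN check can be run on a certificate exported from the browser in the later steps, as a command-line alternative to inspecting the Certificate Subject Alternative Name field.

```shell
#!/bin/sh
# Added example (not from the Historian documentation): create the NLB key and
# self-signed certificate with the NLB DNS name in the SAN, then verify them.
# The DNS name below is a constructed placeholder; replace it with the real NLB DNS.
set -eu

NLB_DNS="${NLB_DNS:-placeholder-nlb-1234567890.elb.example-region.amazonaws.com}"
WORKDIR="${WORKDIR:-$(mktemp -d)}"

# make_nlb_cert DNS_NAME OUT_DIR
# Creates OUT_DIR/nlb-key.pem and OUT_DIR/nlb-cert.pem with the same options as
# the two commands on the page (RSA 2048, SHA-256, SAN = DNS:DNS_NAME, 3600 days).
make_nlb_cert() {
  dns="$1"; dir="$2"
  openssl genpkey -algorithm RSA -out "$dir/nlb-key.pem" \
    -pkeyopt rsa_keygen_bits:2048 2>/dev/null
  # The private key lets anyone impersonate the NLB: keep it readable by the owner only.
  chmod 600 "$dir/nlb-key.pem"
  openssl req -x509 -new -nodes -key "$dir/nlb-key.pem" -sha256 \
    -out "$dir/nlb-cert.pem" \
    -subj "/O=ProficyHistorian/OU=MFG/CN=CloudHistorian" \
    -addext "subjectAltName = DNS:$dns" -days 3600 2>/dev/null
}

# cert_has_san CERT_FILE DNS_NAME
# Returns 0 if the certificate's subjectAltName extension lists exactly DNS:DNS_NAME.
# Works on nlb-cert.pem and on a PEM exported from the browser.
# (-ext needs OpenSSL 1.1.1 or later, the same version the page's -addext needs.)
cert_has_san() {
  openssl x509 -in "$1" -noout -ext subjectAltName 2>/dev/null \
    | tr ',' '\n' | sed 's/^[[:space:]]*//' | grep -qxF "DNS:$2"
}

# key_matches_cert KEY_FILE CERT_FILE
# Returns 0 if the private key and the certificate carry the same public key,
# i.e. the pair is the one to paste into the listener's import dialog together.
key_matches_cert() {
  k=$(openssl pkey -in "$1" -pubout 2>/dev/null)
  c=$(openssl x509 -in "$2" -pubkey -noout 2>/dev/null)
  [ -n "$k" ] && [ "$k" = "$c" ]
}

# Generate the pair and run both checks before anything is uploaded.
make_nlb_cert "$NLB_DNS" "$WORKDIR"
if cert_has_san "$WORKDIR/nlb-cert.pem" "$NLB_DNS" \
   && key_matches_cert "$WORKDIR/nlb-key.pem" "$WORKDIR/nlb-cert.pem"; then
  echo "OK: $WORKDIR/nlb-cert.pem carries SAN DNS:$NLB_DNS and matches nlb-key.pem"
else
  echo "FAIL: SAN or key/certificate mismatch in $WORKDIR" >&2
  exit 1
fi
```

Run it as NLB_DNS=<your NLB DNS> sh make-nlb-cert.sh; the files land in a fresh temporary directory unless WORKDIR is set. The SAN check compares whole entries, so a certificate issued for a different host that merely starts with the same label is rejected, which is the mismatch that leaves the browser showing the Non-secure indicator even after a certificate has been uploaded.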

Steps from the AWS Management Console

  1. Access the AWS Management Console page.
  2. From the AWS Management console, select the Region where Historian is deployed, and then EC2 > Load Balancers > Select Historian NLB > Go to Listeners.
  3. Edit the Listener with port 5001 (Config Hub), as shown in the following figure:

  4. Under the Default SSL/TLS server certificate, click on Import certificate. Select either import to ACM or IAM.

  5. Provide the certificate private key (nlb-key.pem) and the certificate body (nlb-cert.pem) created in the previous steps and then Save Changes.

  6. Repeat these steps for the Proficy Authentication listener (port 8080), except this time select the SSL certificate already uploaded in the previous steps:
    Note: The following steps are for Windows-based machines.
  7. Access the NLB with the 5001 port from a web browser.

  8. View the certificate, and notice under the Certificate Subject Alternative Name field, that the NLB DNS is set.

  9. Export this certificate and install the .crt file:

  10. Select the Local Machine for the location, as shown in the following figure.

  11. When prompted, select the Windows Trusted Root Certification Authorities store and complete the install.

  12. Now, close all web browser tabs, restart the browser, and access the Historian NLB on port 5001.

    The connection should now display as secure, and a valid certificate will be displayed, as shown in the previous figure.