Server Certificates for Configuration Hub

Server-side certificates allow secure connections between the running REST services and the Configuration Hub web server. The SSL certificate for Configuration Hub is valid for two years and must be regenerated after it expires. If you need to regenerate your certificates, use the following steps.

Self-Signed Certificates for Configuration Hub

Use the following steps to update your self-signed certificates for Configuration Hub:
  1. Either remove or back up the certificate files in the C:\Program Files (x86)\GE\ConfigurationHub\ConfigHubPki folder.
  2. Open a command prompt as an administrator in the C:\Program Files (x86)\GE\ConfigurationHub directory.
  3. Enter the following command to create new self-signed certificates:
    restart_confighub.bat "C:\Program Files (x86)\GE\ConfigurationHub" "C:\Program Files (x86)\GE\ConfigurationHub\Web" 5678 4890 htclab.ge.com

    where "C:\Program Files (x86)\GE\ConfigurationHub" is the Configuration Hub install directory, "C:\Program Files (x86)\GE\ConfigurationHub\Web" is the directory where the Configuration Hub nginx server resides, 5678 is the Configuration Hub authentication service port (no longer used), and 4890 is the Configuration Hub server port.

  4. Copy the server_cert.crt and server_cert.key files from the C:\Program Files (x86)\GE\ConfigurationHub\ConfigHubPki folder to the C:\Program Files (x86)\GE\ConfigurationHub\Web\conf folder.
  5. Restart the computer.

Self-Signed Certificates for iFIX with Configuration Hub

Use the following steps to update your self-signed certificates for iFIX:
  1. Open iFixConfigServiceCertTool.exe as an administrator. This tool is found in the C:\Program Files (x86)\GE\iFIX\ folder. The iFIX Configuration Service Certificate Tool appears.
  2. Click Delete Certificates, and then click Delete Certificate Binding.
  3. From the Windows File Explorer, remove or back up the certificate files in the C:\Program Files (x86)\GE\iFIX\LOCAL\iFIX_OpcuaConfigService\pki directory.
  4. From iFIX Configuration Service Certificate Tool, create the new certificates by clicking on the Create Certificates button.
  5. After the new set of certificates is created, ensure that the certificate thumbprint shown in the iFIX Configuration Service Certificate Tool is different from the previous one. If it is not different, the new certificates were not created.
  6. Copy the iFIX_OpcuaConfigServer.crt and iFIX_OpcuaConfigServer.key files from C:\Program Files (x86)\GE\iFIX\LOCAL\iFIX_OpcuaConfigService\pki into the C:\Program Files (x86)\GE\iFIX\web\conf directory.
  7. Restart the computer.

External Certificates for Configuration Hub and iFIX

Use the following steps to configure an externally issued server certificate for Configuration Hub and iFIX.

  1. Obtain the private key, server certificate, and the CA bundle that contains the certificates for the issuers. Typically, the private key is generated by you or someone in your organization, and the certificate vendor provides you with the server certificate and the CA bundle.
  2. If you received the certificates and the private key in other formats (such as PFX), consult your vendor on how to obtain them as or convert them into PEM files. The web server used by Configuration Hub, Nginx, uses base-64 encoded PEM files for certificates and keys. For more information, refer to the following links:

    http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_certificate

    http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_certificate_key

  3. In a text editor, open the PEM file and locate the certificates it contains; each certificate is enclosed by an opening line:
    -----BEGIN CERTIFICATE-----
    and a closing line:
    -----END CERTIFICATE-----
  4. Confirm that the server certificate appears first in this certificate PEM file, followed by the CA certificates in the CA bundle.
  5. For Configuration Hub, copy the root and server certificates and key files into the C:\Program Files (x86)\GE\ConfigurationHub\ConfigHubPki folder, and the server certificate and key files to the C:\Program Files (x86)\GE\ConfigurationHub\Web\conf folder. (In Configuration Hub the nginx server certificate files are named: server.crt and server.key.)
    Note: If there is a name change, then the nginx.conf file (C:\Program Files (x86)\GE\ConfigurationHub\Web\conf\nginx.conf) must also be updated with the correct file names.
  6. If iFIX is used with Configuration Hub, copy the root and server certificates and key files into the C:\Program Files (x86)\GE\iFIX\LOCAL\iFIX_OpcuaConfigService\pki folder, and the server certificate and key files to the C:\Program Files (x86)\GE\iFIX\web\conf folder. (In iFIX, the nginx server certificate files are named: iFIX_OpcuaConfigServer.crt and iFIX_OpcuaConfigServer.key.)
    Note: If there is a name change, then the nginx.conf file (C:\Program Files (x86)\GE\ConfigurationHub\Web\conf\nginx.conf) must also be updated with the correct certificate file names.
  7. Also for iFIX, edit the ifix_config_service.json file (found in the C:\Program Files (x86)\GE\iFIX\LOCAL folder) with the correct certificate file names. The following fields must be updated in this file:
    "rootCertificateName": "iFIX_OpcuaConfigRoot",
    "serverCertificateName": "iFIX_OpcuaConfigServer",
    "serverCertificatePassPhrase": "75D43CAAC1E440F08080D7E4A58AE941",
    "generateSSLCerts": false
    Important: The "generateSSLCerts" field must be set to false if external certificates are used.
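
The PEM ordering check in steps 3 and 4 above, and the thumbprint comparison in step 5 of the iFIX self-signed procedure, can be scripted. The following PowerShell is an added example, not part of the vendor tooling. The default path, the parameter names, and the 30-day expiry warning are assumptions to adjust for your installation.

```powershell
# Added example (not vendor code). Reads a PEM file only; changes nothing.
param(
    # Assumed default: the nginx certificate file name given in step 5.
    [string]$PemPath = 'C:\Program Files (x86)\GE\ConfigurationHub\Web\conf\server.crt',
    # Optional: thumbprint of the certificate that is being replaced.
    [string]$PreviousThumbprint = '',
    # Assumption: warn when a certificate expires within this many days.
    [int]$WarnDays = 30
)

# Return one X509Certificate2 per BEGIN/END CERTIFICATE block, in file order.
function Get-PemCertificate([string]$Path) {
    $text  = Get-Content -LiteralPath $Path -Raw
    $regex = '-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----'
    $opts  = [System.Text.RegularExpressions.RegexOptions]::Singleline
    foreach ($m in [regex]::Matches($text, $regex, $opts)) {
        $der = [Convert]::FromBase64String(($m.Groups[1].Value -replace '\s', ''))
        [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($der)
    }
}

$chain = @(Get-PemCertificate $PemPath)
if ($chain.Count -eq 0) { throw "No certificate blocks found in $PemPath" }

for ($i = 0; $i -lt $chain.Count; $i++) {
    $c = $chain[$i]
    $fields = $i, $c.Subject, $c.Issuer, $c.Thumbprint, $c.NotAfter
    '[{0}] subject={1} | issuer={2} | thumbprint={3} | expires={4:yyyy-MM-dd}' -f $fields
    if ($c.NotAfter -lt (Get-Date).AddDays($WarnDays)) {
        Write-Warning "Certificate [$i] expires within $WarnDays days."
    }
    # Name-based ordering check only; this does not verify signatures.
    if ($i -gt 0 -and $chain[$i - 1].Issuer -ne $c.Subject) {
        Write-Warning "Certificate [$i] is not the issuer of certificate [$($i - 1)]."
    }
}

# The first block must be the server certificate, not a CA (basicConstraints OID).
$bc = $chain[0].Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.19' }
if ($bc -and $bc.CertificateAuthority) {
    Write-Warning 'First certificate is a CA certificate; the server certificate must come first.'
}

# A regenerated certificate must have a new thumbprint.
$old = ($PreviousThumbprint -replace '\s', '').ToUpper()
if ($old -and $chain[0].Thumbprint -eq $old) {
    Write-Warning 'Thumbprint is unchanged; the certificate was not regenerated.'
}
```

Record the thumbprint printed for entry [0] before regenerating, then pass it as -PreviousThumbprint on the next run to confirm that the certificate actually changed.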