Install Proficy Historian Certificates on Different Computers
Distributed and Mirror Setups
For MTLS certificates for Historian, be aware of the following steps when working with distributed/mirror setups:
- You will need to generate root certificate on one machine and copy the certificate to all machines that are part of distributed or mirror network. For steps on how to generate the root certificate on the first machine, see the Install Certificates for Proficy Historian topic.
- These root certificates need to be copied into the MTLS folder of Proficy Historian install path on all machines.
- Add the root certificate to the “Trusted Root Certification Authorities” store on all machines.
- Core service certificates can be generated separately on each machine.
- The same password that was provided while creating the original root certificate, needs to be used for creating core service certificates across all of the machines.
- Primarily in this setup, root certificates are common across the machines. Core service certificates will be created separately for each machine. However, the same password that was provided to create the root certificate will be used across machines while creating core service certificates.
- The procedure to create the core service certificates is same as mentioned in the Install Certificates for Proficy Historian topic.
Cluster Nodes
Generate a root certificate and certificates for core services separately on each cluster node that is part of the cluster environment.
Existing Root Certificates
If you want to use existing root certificates for MTLS support with Historian, be aware that:
- You can use your existing root certificates for signing the core service certificates.
- To use existing root certificates, follow the requirements below (instead of generating the certificate through the CreateRootCertificate.exe). You can choose to use your existing root certificates if above criteria matches the list below.
Requirements for Using Existing Root Certificates:
- Certificates must be in X.509 standard.
- You must have .cer and .pfx format certificates that have public and private keys respectively, already generated.
- The .pfx files need to be password protected.
- The following attributes or subjects needs to be set in the file:
Attribute Description Setting CN Common Name CN = Historian@Proficy@GEDigital@GE OU Organization Unit OU = MFG O Organization O = ProficyHistorian L Local Name L = HYD S State or Province S = TG C Country Name C=IN - Instead of generating the root certificates from
CreateRootCertificate.exe
, you can choose to use your own root certificates if the above criteria matches. - Use the
MTLSCertificatesInstall.exe
utility for generating all the core service certificates.
Root Certificates on Microsoft Windows 7 Machines
Note: These steps only apply to versions of Historian that support
Microsoft Windows 7 (Historian 7.0 - Historian 7.2).
To generate a root certificate on a Windows 7 machine, do the following:
- From a command prompt enter mmc.exe. The Windows MMC appears.
- On the File menu, select Add/Remove Snap-in.
- Click Add, and then double-click Certificates and then select Computer Account.
- In the Select Computer screen, select Local Computer.
- Click Finish.
- Click OK.
- With the snap-in now on the local computer, import the certificate into
"Certificates (Local Computer) > Trusted Root Certification Authorities"
folder:
- In the Certificates folder in the navigation pane, browse to the Certificates (Local Computer) > Trusted Root Certification Authorities folder.
- From the Actions menu, click All Tasks. The Certificate Wizard appears.
- Click Next.
- On the next screen, navigate to the folder where the ica_key.cer certificate file resides. By default this path is: InstallationDrive:\Program Files\Proficy\Proficy Historian\MTLS.
- Select the ica_key.cer certificate file, and click Next.
- Select Place All Certificates in the following store, and then browse and select the Trusted Root Certification Authorities store.
- Click Next. The final summary screen appears.
- Click Finish. A message appears when the import is complete.
- Click OK.
- Before closing the MMC, Save your settings.