Generate MTLS Certificate

If you want to connect a distributed/mirror node to a Historian primary mirror server, or if you want to connect your collectors to a remote Historian server, you must generate client certificates (MTLS certificates) specific to the distributed/mirror node or collector machine. This creates the machine-specific certificates and registry entries that are needed. You can also generate core services certificates if needed.

Before you begin

You must install the distributed/mirror node, or in the case of collectors, you must install collectors.

To generate client certificates (MTLS certificates), run the MTLSCertificatesInstall.exe utility from the command prompt with Administrator privileges.

Procedure

  1. Launch from the command prompt with Administrator privileges in the following format: C:\Program Files\Proficy\Proficy Historian\MTLS\MTLSCertificatesInstall.exe [Password] [Certificate Validity] [Create only client Certificate] [Remote Historian Machine Name]
    For example,
    C:\Program Files\Proficy\Proficy Historian\MTLS\MTLSCertificatesInstall.exe P@55W0RD 3650 1 DemoServerName

    The MTLSCertificatesInstall.exe utility takes the following arguments:

    Password
      Specifies the word or phrase that you use to protect your certificate. The Password argument is mandatory, whereas Number of Days is optional. An example passphrase is: P@55w0rd.
      Note: The same Password used for creating the root certificate must be used here, so that the password is the same when it is passed between executables. The MTLSCertificatesInstall.exe utility uses this password to open the root certificate private key (ica_key.pfx) and sign the core services certificates.

    NumberOfDays
      Optional. Specifies the number of days for which the root certificate is valid. After the specified number of days, the certificate expires.
      If you do not pass a value for Number of Days, the setting defaults to 365 days. For example, if the Number of Days is 3650, the certificate is valid for 10 years from the date it is generated.

    CreateOnlyClientCert
      Specifies that only the client certificates must be created, using the root certificate password. Enter 1 to install only the client certificates.

    RemoteHistorianMachineName
      Specifies the remote Historian server to which you want to connect.

    The client certificates are created and added to the Trusted Root Certification Authorities folder. For example, if the machine name is Node1, the certificates are created as Node1.cer and Node1.pfx.
  2. After the required certificates are generated, restart the machine. Without valid certificates, core services cannot establish connections to each other.
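The following PowerShell script is an added example, not part of the Historian documentation or product: it runs the utility with the argument order given above (the path contains spaces, so it is passed via -FilePath rather than typed bare) and then checks that a certificate for this node landed in the Trusted Root Certification Authorities store with the requested validity. It assumes the certificate subject contains the local machine name ($env:COMPUTERNAME); that is an assumption, not something the page states.

```powershell
# Added example (not Historian's own code). Assumes the client certificate's
# subject contains this machine's name; adjust $node if your naming differs.
param(
    [Parameter(Mandatory)] [string] $RemoteHistorian,   # e.g. DemoServerName
    [int] $ValidityDays = 3650                           # NumberOfDays argument
)

$exe = 'C:\Program Files\Proficy\Proficy Historian\MTLS\MTLSCertificatesInstall.exe'
if (-not (Test-Path $exe)) { throw "Utility not found: $exe" }

# Must be the same password that protects the root certificate key (ica_key.pfx).
$secure = Read-Host -Prompt 'Root certificate password' -AsSecureString
$bstr = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure)
try   { $password = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr) }
finally { [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr) }

# Argument order from the procedure: Password, validity, CreateOnlyClientCert=1, remote machine.
$proc = Start-Process -FilePath $exe `
    -ArgumentList @($password, "$ValidityDays", '1', $RemoteHistorian) `
    -Wait -PassThru -NoNewWindow
if ($proc.ExitCode -ne 0) { throw "MTLSCertificatesInstall.exe exited with code $($proc.ExitCode)" }

# Verify: a certificate for this node should now be in the Trusted Root CA store.
$node = $env:COMPUTERNAME
$cert = Get-ChildItem Cert:\LocalMachine\Root |
    Where-Object { $_.Subject -like "*$node*" } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No certificate for $node found in Cert:\LocalMachine\Root" }

# Check the validity period roughly matches what was requested (tolerate a 2-day skew).
$expected = (Get-Date).AddDays($ValidityDays)
if ([math]::Abs(($cert.NotAfter - $expected).TotalDays) -gt 2) {
    Write-Warning "NotAfter is $($cert.NotAfter); expected about $expected ($ValidityDays days)"
}
Write-Output "Installed: $($cert.Subject) thumbprint $($cert.Thumbprint) valid until $($cert.NotAfter)"
Write-Output 'Restart the machine so the core services pick up the new certificates.'
```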