  1. #1

    N4 Certificates??

    My recent job is at a local software company which has required secure everything. Well, I had never been through the process, and it has gone really poorly. First off, full disclosure here, I have no dang clue how this all works, and if anybody has a dummies version of how to set this up that would be great. I have found several docs that have been somewhat helpful, but again, kind of the slow type here, so understanding this has been a challenge. So moving forward, the IT guy has helped with the process, and we've got nowhere except completely locking ourselves out of the Jace, which ended up requiring me to factory reset the Jace and recommission to get back in. Really still don't know exactly what happened? This is my dummies version of the process we used. He created a new server type cert in Tridium, then clicked the cert request, which created the .csr file. He took that to his IT world and created a signed certificate. When he brought it back we imported the cert in the trust store and the key store. Then we set up the cert in the web service, fox service, and the platform TLS. Well, none of that worked. So he thought maybe we need a CA type cert. He created that one, signed it, brought it back, and tried to import. This is where the problems started. It kept giving him some error when he would enter his key password, so we attempted a reboot. I was never able to connect to platform, or the station, again! It would fail to start the web server, and all I came up with is that the server type cert we selected was not the same as the CA type he just imported, and that sent the Jace to PO mode?? Well, after tech support and I tried for hours to get it back, we factory reset the thing, and all is good except I still need to figure out this cert thing. Sorry for the long winded post, and maybe I'm making this way more complex than it is?? But I just have scramble brains when it comes to the cert stuff.

  2. #2
    Been working with Tridium on getting a 3rd party signed wild card certificate to work in Tridium. Going on 2 months now. I feel your pain.

    Last statement from Tridium:
    "I think that I have a potential workaround and am waiting on the steps to be outlined by one of the developers. Although it should work it may be overly complicated and if we can figure out a way for them to generate a certificate that works in the first place it will be simpler."

    Well duh! Just tell me what works from a 3rd party. Self signed works great and there is a lot of documentation. 3rd party support is a joke. Tridium only supports one file format and it has to be in a certain order.

    Like you, I'm very inexperienced with SSL. I'm a controls guy. Would love to just have our client's IT company talk to someone at Tridium and figure it out. But NO......we need to go through 50 emails and 5 parties...with no conclusion.

  3. #3
    As an IT guy, it pains me to see the amount of trouble that third parties go through to achieve what should be extremely simple to do with most operating systems. On my Linux systems, I have a cron job running that automatically renews my Let's Encrypt certificate, and I never have to worry about it again.

  4. #4
    Let's Encrypt wouldn't work on the typical site, as the Jaces wouldn't and shouldn't be exposed to the internet, which Let's Encrypt requires for verification. You also have the issue of CAs no longer being able to sign certs for hosts with internal/reserved IPs or names. Can't have my internal cert valid for your site. https://www.globalsign.com/en/blog/c...ernal-servers/ Getting a CA cert that's publicly accepted, I assume, is going to be a PITA if possible. Guessing it's going to get complicated real fast if you want publicly accepted certs for internal hosts. Anyone actually get this working?

    Bit ugly and it sure doesn't seem Tridium thought this out completely before telling everyone to go ssl. Adding self signed CA certs to the trust store seems equally questionable. Look at that, my TCC is minting google, bank of America, etc certs...
    Propagating the formula. http://www.noagendashow.com/

  5. #5
    Quote Originally Posted by orion242 View Post
    Let's Encrypt wouldn't work on the typical site, as the Jaces wouldn't and shouldn't be exposed to the internet, which Let's Encrypt requires for verification. You also have the issue of CAs no longer being able to sign certs for hosts with internal/reserved IPs or names. Can't have my internal cert valid for your site as well. https://www.globalsign.com/en/blog/c...ernal-servers/

    Bit ugly and it sure doesn't seem Tridium thought this out completely before telling everyone to go ssl.
    Yeah I got that, I was just commenting on the difficulty level difference between a "normal" server and most BAS systems that are shipped in much lower volumes and designed by (fewer) folks that are less IT and more controls, for better or worse. I don't know anything about Tridium specifically, but does their implementation really require a "real" CA as opposed to a company's normal internal CA? I've seen some pretty horrific HTTPS implementations in certain hardware such as cheap routers, so I am acutely aware of how easy it is for a manufacturer to make things harder than necessary because they don't understand all the moving parts in the SSL/TLS ecosystem.

    For example, if this is a *nix based system, and you have any sort of SSH access, it should be possible to install any sort of cert you want with minimal hassle. If on the other hand you only have the ability to upload a config that was generated by a GUI tool, things could be a lot harder to figure out. For externally-available, internet-connected devices, you generally should only need to get the CSR, generate the certificate, and provide that along with any required intermediate certs to the system. If the system isn't smart enough to go get the intermediate certs when they aren't explicitly provided, you will have to integrate them into the main cert file in a "chain".

  6. #6
    As the others have found out, Tridium only accepts a specific file format, and even then the cert chain needs to be in a specific order for it to swallow it. Niagara Central has posts about this.

    Tridium does not need a CA cert, just the standard cert any other web server would need. With Workbench you can generate the CSR, which you can have signed, assuming you worked out all the other issues. It's not a hassle to work with selfies using the provided software, though going as far as installing selfie CAs in the trust store wouldn't be my first choice. Just click thru the warnings... If the site's IT department already has a CA cert in the trust store of all the company PCs, then it's going to be fairly easy. Publicly accepted certs for internal hosts, never done it. Sounds like a major headache with all the road blocks because these are normally internal hosts.

  7. #7
    Thread Starter
    Well, it's threads like this that make me think I should go back to lugging compressors across roof tops! I have been reading on the subject on Niagara Central, and think I might have a vague understanding of using Workbench and creating a certificate. My confusion is still what happens when the customer signs the thing?? Would you just create a .csr, have him sign it, and then import it into the Jace?? I also see that it can only be a .pem file type; this is for sure one of the issues I was facing earlier. I'm not sure if the steps creating the root authority and CA in Workbench are needed if the customer signs the thing?? Sorry for all the data mining; this week the customer wants this done, and the IT guy and I are going to take another stab at this. AC mechanic guy turned control guy struggling here!!

  8. #8
    For your implementation-specific questions, I don't have the answers to those.

    But as far as .pem files go, they technically contain the same format as .crt, that is to say Base64 encoded certificate data. If you are being given some other format such as .p7b, .pfx, .der, etc., you can usually convert those to the correct format using OpenSSL and some googling to find the right flags to type into the command line. The file should have the server certificate, followed by any intermediate certificates, followed by the root certificate, in that order.

  9. #9
    Quote Originally Posted by Norriski Tech View Post
    My confusion is still what happens when the customer signs the thing?? Would you just create a .csr, have him sign it, and then import it into the Jace?? I also see that it can only be a .pem file type; this is for sure one of the issues I was facing earlier. I'm not sure if the steps creating the root authority and CA in Workbench are needed if the customer signs the thing??
    You create the signing request in WB, give them the .csr file. It comes back, you import it into the Jace/Super key store. You don't need the root authority, as it sounds like the IT department has a CA cert and they will sign everything. Depending on their CA cert, you may also need to import their public key. If it's a selfie, Tridium isn't going to just accept it.

    Look over docSSL, it's fairly good at explaining the process.

    And to keep from locking yourself out, when you think things are good, enable SSL but don't set force SSL to true. Test the connections between the Super / Jace / browsers with SSL, and if it works, then force SSL use.

  10. #10
    Again, it comes down to you need to use Tridium's certificate software to either self sign certificates or generate a certificate for a 2nd party to sign.

    How successful has everyone been with getting a 3rd party to sign their certificates? A lot of companies are using wild card .pfk certificates with wild cards. How is everyone dealing with that?

    Tridium's SSL implementation is way behind the times.

  11. #11
    Far as converting, I would ask IT for it in a format Tridium can suck in. If that falls flat, openvpn, though I'm sure there are easier tools.

    Wild card as in for *.domain.com? Guessing that is what you will need for internal hosts, along with local DNS entries. Even if you could get away without DNS entries, seems like a huge PITA waiting if the addresses need to shuffle.

  12. #12
    Somebody mostly answered this, so I'm just filling in some detail asked for by the forum. I was successful using (free, no adware) KeyStore Explorer and Notepad++. The end result should be a text file with the extension PEM, so mynewcert.pem, which will look like:

    -----BEGIN RSA PRIVATE KEY-----
    MIIEowIBAAKCAQEAgQKq1lgx8eWQ3yWj...
    -----END RSA PRIVATE KEY-----
    -----BEGIN CERTIFICATE-----
    MIIHoTCCBYmgAwIBAgITfAAAIdKyK...
    -----END CERTIFICATE-----
    -----BEGIN CERTIFICATE-----
    MIIHvjCCBaagAwIBAgITRwAAAAMsq...
    -----END CERTIFICATE-----
    -----BEGIN CERTIFICATE-----
    MIIHvjCCBaagAwIBAgITRwAAAAMsq...
    -----END CERTIFICATE-----

    First is the private key (not encrypted) - see below
    Second is the CA reply to your CSR
    Third is the CA intermediate cert (sometimes just a root)
    Fourth is the CA root cert

    openssl pkcs12 -in MyCertKeyStore.pfx -nodes -nocerts -out key.pem
    keytool does not have a method to export key, but keystore explorer (free) allows export key (uncheck export password)

    Cert just slips right into Niagara cert manager. If you use cert manager to generate your CSR then you may not need the private key as it will be within the cert manager.
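    The one-file PEM layout that post #8 and post #12 describe (one unencrypted private key first, then server cert, intermediate, root) is easy to get wrong by hand in Notepad++. Below is an added checker, not Tridium's or anyone on this thread's code, that parses a bundle into its PEM blocks and reports layout problems before you try the import. It checks labels, order, encoding and the encrypted-key header only; it does not validate signatures or that each cert was issued by the next one. The sample bundles are constructed, with a bare DER SEQUENCE standing in for real key and certificate bodies.

```python
import base64
import re

# Constructed DER stub (a bare ASN.1 SEQUENCE) standing in for real key and
# certificate bodies so the example runs offline; real files carry full DER here.
STUB_DER = base64.b64encode(b"\x30\x03\x02\x01\x00").decode()
KEY_LABELS = {"RSA PRIVATE KEY", "EC PRIVATE KEY", "PRIVATE KEY", "ENCRYPTED PRIVATE KEY"}
_PEM_RE = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\n(.*?)-----END \1-----", re.S)

def pem_block(label, body=STUB_DER, headers=""):
    """Build one PEM block; optional RFC 1421 headers (e.g. Proc-Type) precede the body."""
    return f"-----BEGIN {label}-----\n{headers}{body}\n-----END {label}-----\n"

# Constructed bundle laid out as post #12 describes: key, server cert, intermediate, root.
GOOD_BUNDLE = pem_block("RSA PRIVATE KEY") + pem_block("CERTIFICATE") * 3

def check_niagara_bundle(text):
    """Return (labels, problems) for a one-file PEM bundle: exactly one unencrypted
    private key first, then CERTIFICATE blocks (server, intermediates, root).
    Checks layout and encoding only; it does not verify signatures or chain linkage."""
    labels, problems = [], []
    for i, m in enumerate(_PEM_RE.finditer(text), start=1):
        label, raw = m.group(1), m.group(2)
        labels.append(label)
        lines = raw.strip().splitlines()
        headers = [ln for ln in lines if ":" in ln]   # base64 never contains ':'
        body = "".join(ln for ln in lines if ":" not in ln)
        try:
            der = base64.b64decode(body, validate=True)
        except Exception:
            der = b""
        if not der or der[0] != 0x30:                 # X.509 and key DER open with a SEQUENCE
            problems.append(f"block {i} ({label}): body is not base64-encoded DER")
        if label == "ENCRYPTED PRIVATE KEY" or any(h.startswith("Proc-Type: 4,ENCRYPTED") for h in headers):
            problems.append(f"block {i}: private key is encrypted; export it without a password")
        if label not in KEY_LABELS and label != "CERTIFICATE":
            problems.append(f"block {i} ({label}): not a bare key or certificate; convert (.p7b/.pfx) with openssl first")
    keys = [n for n, lab in enumerate(labels) if lab in KEY_LABELS]
    if len(keys) != 1:
        problems.append(f"expected exactly one private key, found {len(keys)}")
    elif keys[0] != 0:
        problems.append(f"private key must be the first block, found at block {keys[0] + 1}")
    certs = labels.count("CERTIFICATE")
    if certs == 0:
        problems.append("no CERTIFICATE block: the signed CA reply is missing")
    elif certs == 1:
        problems.append("only one certificate: append the intermediate and root after it")
    return labels, problems
```

Run it over mynewcert.pem by passing the file contents to check_niagara_bundle; an empty problems list means the layout matches what post #12 shows.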
