Creating a Certificate
Digital certificates play an important role in securing communication in industrial automation. They authenticate systems to verify identities, ensure secure communication through encryption, and maintain data integrity by confirming that it hasn’t been altered. Certificates also control access to resources and help establish trust between systems, ensuring that only authorized entities can perform automated tasks.
Certificates are used on both the client and server sides of GENESIS. You can configure various GENESIS components such as Security, Web Services, OPC UA, or BACnet/SC to use certificates to secure communication between clients, servers, and other devices, especially when integrating with modern systems that require encrypted connections.
To create a digital certificate:
1. Create a private key for the machine where the certificate will be used. You can use the PowerShell script provided in step 2.
2. Create a certificate signing request (CSR) using the private key. The CSR contains information about the machine and the public key associated with the private key.
The following parameters are commonly used in the CSR and provide identifying information about the machine and the organization.
| Code (Name) | Description | Syntax Example |
| --- | --- | --- |
| CN (Common Name) | Typically the name of the machine or system | YourCommonName |
| O (Organization) | The name of your company or organization | YourCompanyName |
| OU (Organizational Unit) | The department or unit within the organization associated with the device | BuildingAutomation |
| L (Locality) | The city where the organization or device is located | YourCity |
| S (State or Province) | The state or province for the organization's location | YourState |
| C (Country Code) | The country code, usually a two-letter code | YC |
| E (Email Address) | The contact email address for the organization or administrator | youremail@example.com |
You can include other optional parameters in the CSR to provide further context and verification details.
| Code (Name) | Description |
| --- | --- |
| SN (Serial Number) | A unique identifier for the device. It is useful for tracking and management. |
| SAN (Subject Alternative Name) | Additional names under which the device is reachable, such as DNS host names or IP addresses. Clients match the address they connected to against this list. |
| KU (Key Usage) | Indicates the purpose of the certificate, such as digital signature or key encipherment, which helps ensure secure operations. |
| EKU (Extended Key Usage) | Specifies the intended applications, such as server or client authentication, which enhances the certificate's role in network security. |
You can use the following PowerShell 7 script to generate the private key and the certificate signing request (Steps 1 and 2).
```powershell
# Define the details for the CSR
$subject = "CN=YourCommonName, O=YourCompanyName, L=YourCity, S=YourState, C=YourCountry, E=youremail@example.com"

# Path where the CSR is created
$csrPath = "C:\temp\csr.pem"

# Path where the private key is created
$privateKeyPath = "C:\temp\privateKey.pem"

# Specify whether the RSA or the EC cryptography algorithm is used
$generateRSA = $false

if ($generateRSA) {
    # Generate an RSA private key with a 2048-bit key size
    $rsaKey = [System.Security.Cryptography.RSA]::Create(2048)

    # Create the certificate request using RSA
    $request = New-Object System.Security.Cryptography.X509Certificates.CertificateRequest(
        $subject,
        $rsaKey,
        [System.Security.Cryptography.HashAlgorithmName]::SHA256,
        [System.Security.Cryptography.RSASignaturePadding]::Pkcs1
    )

    # Export the private key to PEM format
    $rsaKey.ExportPkcs8PrivateKeyPem() | Out-File -FilePath $privateKeyPath -Encoding ASCII
} else {
    # Create the EC private key using the P-256 curve.
    # NamedCurves is a nested class of ECCurve, so PowerShell addresses it as ECCurve+NamedCurves.
    $ecKey = [System.Security.Cryptography.ECDsa]::Create([System.Security.Cryptography.ECCurve+NamedCurves]::nistP256)

    # Create the certificate request using ECDSA
    $request = New-Object System.Security.Cryptography.X509Certificates.CertificateRequest(
        $subject,
        $ecKey,
        [System.Security.Cryptography.HashAlgorithmName]::SHA256
    )

    # Export the private key to PEM format
    $ecKey.ExportECPrivateKeyPem() | Out-File -FilePath $privateKeyPath -Encoding ASCII
}

# Generate the CSR (DER) and wrap it in PEM framing
$csrPem = "-----BEGIN CERTIFICATE REQUEST-----`n" +
    [Convert]::ToBase64String($request.CreateSigningRequest(), [System.Base64FormattingOptions]::InsertLineBreaks) +
    "`n-----END CERTIFICATE REQUEST-----"
$csrPem | Out-File -FilePath $csrPath -Encoding ASCII
```
3. Navigate to the certificate files that were generated in the locations defined in the script (C:\temp\csr.pem and C:\temp\privateKey.pem) and save them to the following folder for later use:
C:\ProgramData\ICONICS\pki\
When you install GENESIS version 11 as an upgrade and keep the data from the previous version in the ProgramData directory, the path to the certificate folder is C:\ProgramData\ICONICS\v11\pki\.
4. Send the CSR file to the certificate authority for signing. The CA uses its private key to sign your CSR and generate an operational certificate (also known as the device certificate or public key). This process verifies the identity of your device within the network.
5. Obtain and save the following certificate files from the CA:
   - Signed operational certificate: this certificate includes your device's public key, validated by the CA's signature.
   - CA certificate: the CA's public key that is used to verify the authenticity of other certificates signed by the same CA.
6. Copy the files obtained from the CA to the same folder as you used in step 3: C:\ProgramData\ICONICS\pki\ or C:\ProgramData\ICONICS\v11\pki\.
7. Use the certificates in the configuration of the desired GENESIS component.
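The script in step 2 writes only the subject fields; the optional SAN, KU and EKU parameters from the second table are not added, and nothing in the procedure checks what the CA returns before the files are copied into the pki folder. The following PowerShell 7 script is an added example, not part of the GENESIS documentation or the ICONICS tooling, that covers both points: New-CsrWithExtensions produces the step 1 and step 2 output with those extensions included, and Test-IssuedCertificate checks the files from step 5 before step 6, confirming that the operational certificate's public key belongs to the private key from step 1, that it chains to the supplied CA certificate and to nothing else, and that it is currently valid. The function names, the host names, the IP address and the file names operational.pem and ca.pem are assumptions.

```powershell
# Added example, not part of the GENESIS documentation or the ICONICS tooling.
# Requires PowerShell 7.3 or later (.NET 7 PEM helpers, as the documentation's own script does).
using namespace System.Security.Cryptography
using namespace System.Security.Cryptography.X509Certificates

# Part 1 (steps 1 and 2): private key plus a CSR carrying the optional SAN, KU and EKU fields.
# Subject, names and addresses are assumed placeholder values; replace them with your own.
function New-CsrWithExtensions {
    param(
        [string]$Subject = "CN=hmi01.plant.example, O=YourCompanyName, OU=BuildingAutomation, L=YourCity, S=YourState, C=YC",
        [string[]]$DnsNames = @("hmi01.plant.example", "hmi01"),
        [string[]]$IpAddresses = @("192.0.2.10"),
        [string]$CsrPath = "C:\temp\csr.pem",
        [string]$PrivateKeyPath = "C:\temp\privateKey.pem"
    )
    # EC P-256 key, as in the documentation's script
    $ecKey = [ECDsa]::Create([System.Security.Cryptography.ECCurve+NamedCurves]::nistP256)
    $request = [CertificateRequest]::new($Subject, $ecKey, [HashAlgorithmName]::SHA256)

    # SAN: every name or address a client may use to reach this machine. TLS clients match the
    # host they connected to against the SAN list, so it must be complete.
    $san = [SubjectAlternativeNameBuilder]::new()
    foreach ($name in $DnsNames)  { $san.AddDnsName($name) }
    foreach ($ip in $IpAddresses) { $san.AddIpAddress([System.Net.IPAddress]::Parse($ip)) }
    $request.CertificateExtensions.Add($san.Build($false))

    # KU, marked critical: what an ECDSA TLS key needs and nothing more
    $ku = [X509KeyUsageFlags]'DigitalSignature, KeyAgreement'
    $request.CertificateExtensions.Add([X509KeyUsageExtension]::new($ku, $true))

    # EKU: server and client authentication, by their standard OIDs
    $oids = [OidCollection]::new()
    [void]$oids.Add([Oid]::new("1.3.6.1.5.5.7.3.1"))   # id-kp-serverAuth
    [void]$oids.Add([Oid]::new("1.3.6.1.5.5.7.3.2"))   # id-kp-clientAuth
    $request.CertificateExtensions.Add([X509EnhancedKeyUsageExtension]::new($oids, $false))

    # Write the key and the CSR; CreateSigningRequestPem() adds the PEM framing itself
    $ecKey.ExportECPrivateKeyPem()     | Out-File -FilePath $PrivateKeyPath -Encoding ASCII
    $request.CreateSigningRequestPem() | Out-File -FilePath $CsrPath -Encoding ASCII
    return $CsrPath
}

# Part 2 (between steps 5 and 6): check what the CA returned before it goes into the pki folder.
# The file names operational.pem and ca.pem are assumptions; use whatever your CA delivered.
function Test-IssuedCertificate {
    param(
        [string]$CertPath = "C:\temp\operational.pem",
        [string]$CaCertPath = "C:\temp\ca.pem",
        [string]$PrivateKeyPath = "C:\temp\privateKey.pem"
    )
    # The X509Certificate2 constructor reads both PEM and DER (.cer) certificate files
    $cert = [X509Certificate2]::new($CertPath)
    $caCert = [X509Certificate2]::new($CaCertPath)
    $problems = @()

    # 1. The public key in the certificate must be the one belonging to our private key.
    #    A mix-up of files, or a CA returning someone else's certificate, is caught here.
    $key = if ($cert.GetRSAPublicKey()) { [RSA]::Create() } else { [ECDsa]::Create() }
    $key.ImportFromPem((Get-Content -Raw $PrivateKeyPath))
    $spkiFromKey  = [Convert]::ToBase64String($key.ExportSubjectPublicKeyInfo())
    $spkiFromCert = [Convert]::ToBase64String($cert.PublicKey.ExportSubjectPublicKeyInfo())
    if ($spkiFromKey -ne $spkiFromCert) { $problems += "public key in certificate does not match the private key" }

    # 2. The certificate must chain to the CA certificate we were given, and only to it.
    #    CustomRootTrust ignores the Windows root store, so an unrelated trusted CA cannot hide a wrong issuer.
    $chain = [X509Chain]::new()
    $chain.ChainPolicy.TrustMode = [X509ChainTrustMode]::CustomRootTrust
    [void]$chain.ChainPolicy.CustomTrustStore.Add($caCert)
    $chain.ChainPolicy.RevocationMode = [X509RevocationMode]::NoCheck   # offline check; CRL/OCSP not consulted here
    if (-not $chain.Build($cert)) {
        $problems += ($chain.ChainStatus | ForEach-Object { "chain: $($_.Status) $($_.StatusInformation)".Trim() })
    }

    # 3. Validity window
    $now = Get-Date
    if ($cert.NotBefore -gt $now -or $cert.NotAfter -lt $now) {
        $problems += "certificate is not valid now (valid $($cert.NotBefore) to $($cert.NotAfter))"
    }

    [pscustomobject]@{
        Subject  = $cert.Subject
        Issuer   = $cert.Issuer
        NotAfter = $cert.NotAfter
        Ok       = ($problems.Count -eq 0)
        Problems = $problems
    }
}
```

Run New-CsrWithExtensions before step 3 and send the CSR it writes to the CA; run Test-IssuedCertificate after step 5 and copy the files in step 6 only when the result's Ok field is $true. The Problems field lists every failed check, so a key mismatch and a chain error are reported together rather than stopping at the first one. Revocation is deliberately not checked because the machine typically cannot reach the CA's CRL or OCSP endpoint at this point; once the certificate is in use, the GENESIS component's own TLS validation applies.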