Roger Palmen

Manually Managing SSL Certificates

Blog Post created by Roger Palmen on Sep 8, 2020

If you follow the OSIsoft installation guides, SSL certificates for PI Vision, PI Web API etc. must be installed or changed through the OSIsoft installer for the program. However, I find the installer's certificate validation checks too restrictive in nearly all cases, so I end up changing the certificates manually. This matters all the more now that certificates have a maximum validity of 1 year, so the change has to be repeated regularly.

So I thought I would write a detailed blog post explaining how to change the SSL certificate used for HTTPS traffic. In most of my cases I only need this for PI Vision, PI Web API and PI Integrator for BA, but the procedure is fairly generic for anything served through HTTP.SYS.


The problem

For many reasons a perfectly valid SSL certificate might not pass the validation checks done by the OSIsoft installer, leaving no way to install or change the certificate using the documented procedure.


Manual Installation

Manual installation of the certificate is an easy way to install or change SSL certificates. The SSL certificate is bound to a specific IP address and TCP port, not to an application. The instructions below assume all applications (e.g. PI Vision and PI Web API) share the same port, TCP 443, for encrypted traffic.


Step 1: Check current SSL binding

Open an elevated command prompt or PowerShell session and run

netsh http show sslcert

This should show the certificate currently bound to 0.0.0.0:443, including its certificate hash (the thumbprint) and the application ID. Note both values; you will need the application ID in step 4.

Step 2: Install the new certificate

First you need the certificate (typically a .pfx or .p12 file) including the private key, and the password.

Typically you can right-click the file and choose Install PFX to import the certificate into the Windows certificate store. Key things:

  1. Store location should be Local Machine
  2. Mark key as exportable

You can let the wizard select the certificate store automatically.

You should now be able to locate the certificate in the Certificate Manager:

  • Open mmc.exe
  • Add/Remove snap-in "Certificates" and choose "Computer Account" for the local computer
  • Locate the certificate under Personal > Certificates

Double-click the certificate to view its details and locate the thumbprint on the Details tab. Copy it without the spaces; netsh expects one unbroken hex string.

Step 3: Remove binding to old certificate

On your command line (see step 1), remove the old certificate:

netsh http delete sslcert ipport=0.0.0.0:443

Step 4: Add binding to new certificate

On your command line (see step 1), add the new certificate:

netsh http add sslcert ipport=0.0.0.0:443 certhash=<hash> appid={<id>}

Where <hash> is the thumbprint from step 2 and <id> is the application ID you noted in step 1. The application ID has no real function other than identifying the application that owns the binding, so as an alternative you can use any valid GUID, for example 00000000-0000-0000-0000-000000000000 (8-4-4-4-12 zeros). Run netsh http show sslcert again to confirm the new thumbprint is bound.

Step 5: Remove old certificate

Not strictly necessary, but it does not hurt to remove the old certificate from the store using Certificate Manager, so it cannot be bound again by mistake.
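The five steps above as one PowerShell script, added here as an example rather than taken from the original post or from OSIsoft. It assumes an elevated session; the thumbprint and application ID are placeholders to be replaced with your own values from steps 1 and 2, and it adds the sanity checks (private key present, validity period, host name, chain) that the installer would otherwise have done for you.

```powershell
# Added example: replace the SSL binding on 0.0.0.0:443 with a new certificate.
# Run from an elevated PowerShell session. Placeholders: take the thumbprint from
# step 2 and the app ID from the output of step 1 (any valid GUID also works).
$NewThumbprint = '<THUMBPRINT-FROM-STEP-2>' -replace '\s', ''   # strip spaces copied from the MMC view
$AppId         = '{00000000-0000-0000-0000-000000000000}'
$IpPort        = '0.0.0.0:443'
$RemoveOldCert = $false                                        # step 5 is optional

# Step 1: read the current binding and remember the old thumbprint
$before  = (netsh http show sslcert "ipport=$IpPort") -join "`n"
$match   = [regex]::Match($before, 'Certificate Hash\s*:\s*([0-9A-Fa-f]{40})')
$oldHash = if ($match.Success) { $match.Groups[1].Value } else { $null }
Write-Host "Current binding on ${IpPort}: $(if ($oldHash) { $oldHash } else { 'none' })"

# Step 2 (check): the new certificate must be in LocalMachine\My with its private key,
# be inside its validity period, and carry the host name clients will use in the URL
$cert = Get-Item "Cert:\LocalMachine\My\$NewThumbprint" -ErrorAction SilentlyContinue
if (-not $cert)                    { throw "Certificate $NewThumbprint not found in LocalMachine\My" }
if (-not $cert.HasPrivateKey)      { throw "Certificate has no private key; re-import the .pfx with its key" }
if ($cert.NotAfter -lt (Get-Date)) { throw "Certificate expired on $($cert.NotAfter)" }
$fqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
if ($cert.DnsNameList.Unicode -notcontains $fqdn) {
    Write-Warning "Certificate names ($($cert.DnsNameList.Unicode -join ', ')) do not include $fqdn"
}
if (-not $cert.Verify()) { Write-Warning 'Chain validation failed on this host; browsers may warn' }

# Steps 3 and 4: replace the binding (delete simply reports an error if none exists)
netsh http delete sslcert "ipport=$IpPort" | Out-Null
netsh http add sslcert "ipport=$IpPort" "certhash=$NewThumbprint" "appid=$AppId" certstorename=MY
if ($LASTEXITCODE -ne 0) { throw "netsh http add sslcert failed with exit code $LASTEXITCODE" }

# Verify the binding now points at the new thumbprint (same check as running step 1 again)
$after = (netsh http show sslcert "ipport=$IpPort") -join "`n"
if ($after -notmatch [regex]::Escape($NewThumbprint)) { throw 'Binding does not show the new thumbprint' }
Write-Host "Binding on $IpPort now uses $NewThumbprint"

# Step 5 (optional): remove the superseded certificate from the store
if ($RemoveOldCert -and $oldHash -and ($oldHash -ne $NewThumbprint)) {
    Remove-Item "Cert:\LocalMachine\My\$oldHash"
    Write-Host "Removed old certificate $oldHash"
}
```

Restart the web applications (or IIS) afterwards so they pick up the new binding before checking in the browser.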


You should now see the correct certificate presented to your web browser. Check it using the lock icon next to the URL.

Sources

Originally stemmed from this post: PI Web API SSL Certificate: certificate failed basic validation policy

In a different context this post follows basically the same procedure: https://pisquare.osisoft.com/message/65167?commentID=65167#comment-65167