Both PI Web API and PI Vision require an SSL certificate upon installation. The default installation will create a self-signed certificate, but users will see an ugly certificate error when navigating to it. Users can click through these errors, but configuring it in this way is bad practice. If your website is configured correctly, then these errors indicate a potential man-in-the-middle attack. You want your users to alert you if they see these errors, not click through them on a daily basis.
The simplest way to get a secure certificate that provides the best user experience within your corporate network is to use your Enterprise Certificate Authority to generate it. Users will see a nice, green padlock:
In this post, I'll walk you through setting this up. I'll assume you have obtained the following:
- A Server with PI Vision or PI Web API installed, or to be installed. This server will be referred to from now on as the PI Web Server
- A Domain account that is a Local Administrator on the PI Web Server
- A Domain Administrator on standby, in case changes need to be made (see later steps for details)
- Permission from your IT department for using Active Directory Certificate Services automatic enrolment in order to obtain certificates for your PI System production environment.
- On the PI Web Server, log in using a domain account that is a member of the Local Administrators group.
- Click Start.
- In the Search programs and files box, type mmc.exe, and press ENTER.
- On the File menu, click Add/Remove Snap-in.
- In the list of available snap-ins, click Certificates, and then click Add.
- Click Computer account, and click Next.
- Click Local computer, and click Finish.
- Click OK.
- In the console tree, double-click Certificates (Local Computer), and then double-click Personal.
- Right-click Personal, point to All Tasks, and then click Request New Certificate to start the Certificate Enrollment wizard.
- Click Next.
- Click Next.
- Try to find the Web Server template. If you do not see it like in the below screenshot, click cancel, go down to the Appendix 1 part of this article and follow the directions there, then come back and follow on again from step 9.
- Select the Web Server template. Click the warning icon below More information is required to enroll for this certificate. Click here to configure these settings.
- In the Subject name area under Type, click Common Name.
- In the Subject name area under Value, enter the fully qualified domain name of the server, and then click Add.
- In the Alternative name area under Type, click DNS.
- In the Alternative name area under Value, enter the fully qualified domain name of the PI Web Server, and then click Add.
- In the Alternative name area under Value, enter the machine name of the PI Web Server, and then click Add.
- Repeat the previous step for any other alternative name you would like users to use when navigating to the web application. Appropriate DNS entries will also need to be created, but this is beyond the scope of this article.
- Click OK.
- Click Enroll.
- Click Finish.
- Click Certificates then double click on your new certificate. On the Details tab, under Subject Alternative Name the names you entered above should be present.
- Install your software on your PI Web Server, be it PI Web API or PI Vision. If you've already installed the software, click Start, navigate to the PI Web API Admin Utility and follow the wizard to change your current self-signed certificate to your newly created certificate.
Appendix 1: If the Web Server Template is unavailable
- On the Certificate Authority Server (which is usually the domain controller), log in as a Domain Administrator or CA Administrator.
- On the CA computer, click Start, type certtmpl.msc, and then press ENTER.
- In the contents pane, right-click the Web Server template, and then click Properties.
- Click the Security tab.
- We need to add the computer account for the PI Vision server to this template, and give it Enroll permission. For detailed directions, follow the screenshot below and the directions underneath.
- Click Add...
- Click Object Types...
- Ensure Computers is checked.
- Click OK.
- Type the name of your PI Web Server into the object names box. In the example in the screenshot, the machine name for the server is MASTERWEB.
- Click Check Names and ensure that you find the account (the name should underline)
- Click OK
- Check the Enroll box under Allow with your PI Vision Server computer account selected
- Click OK
After following the above steps, go back to your PI Vision Server and continue the original steps.
Comments or corrections welcome. If you've got any questions, feel free to post them and we'll discuss!