Internet Explorer also offers functionality to deal with certificates provided by web services. PI Web API communication is based on https meaning that a certificate is used to secure communication. A PI Web API client needs to have the certificate, used by a particular PI Web API instance, installed to the Trusted Root Certificate Authorities Store.
It is not Chrome nor Internet Explorer generating the certificate but these clients allow to download a certificate and to store it to disk where it might be that different formats can be chosen.
Thanks. So if my only client is ie11 and it doesn't allow certificates to be exported, can this be done directly from the mmc snap-in?
It is difficult to understand what your problem is about if you do not describe it. Is it possibly that IE doesn't browse PI Web API at all? If so, please try adding your PI Web API host to the trusted sites. If it loads now, the page may look like this:
You proceed with Continue to this website (not recommended). Well even IE doesn't recommend this is the way to proceed but please only do this if you trust the page. The next screen looks similar to this.
You click on the Certificate error showing in the title.
Now you proceed with View certificates
You should now be able to Install Certificate ...
It is possible that your experience differs from what the screenshots are showing. In such case a brief internet research usually returns as well useful results. Sorry, but this is IE behavior and nothing specific to PI Web API.
What should work independent from what browser you are using pure Certificate snap-in functionality:
- On the PI Web API host, open the Certificate snap-in for the local computer.
- Under Trusted Root Certification Authorities, browse Certificates for your PI Web API self-signed (or other) certificate. If you don't know the name, use OSIsoft.REST.Admin.exe to look it up.
- Click the thumbprint to bring up the certificate details, note the name and look it up in Certificates mmc snap-in
- Right-click the certificate -> All Tasks -> Export ... and follow the wizard instructions to Export the certificate (see screenshots)
Well, you've launched the export for a good reason. I really don't know what the second (default) option is for. Let's select Yes, ..
I am assuming you are logged on with a domain user as I am and you will use the same domain user to import the certificate into the clients store.
Now, pick up the certificate file, copy it over to the client and use the Certificate mmc snap-in to import the certificate to the Trusted Root Certification Authorities store.
It's also possible to roll out the certificate to clients via domain policy.
All this is Windows nothing PI Web API specific.
1 of 1 people found this helpful
oops... the method above is for exporting a certificate with it's private key. A SSL private key should only very rarely ever need to leave the protected web server.
For instance setup of a load balanced server is a common scenario where a certificate with private key is needed. Similarly, IT might want to be sure they can rebuild the web server from scratch so that would be a case for keeping a certificate exported with its private key in a safe place.
Browsers accessing a web server protected by a SSL certificate will attempt to validate the server's certificate during the connection handshake. Of course public certificate authorities automatically trusted by the browser and/or operating system aren't able to vouch for a self-signed certificate so the browser raises a certificate error.
IE's Certificate Invalid popup allows you to view and install the certificate received from the web server.
Thank you both for your help.
The system is working fine.