5 Replies Latest reply on Mar 27, 2016 8:16 AM by VCampus-METCO

    Self Signed Certificates export/import PI-WEBAPI 2015 R3



      When using self-signed certificates the webapi tutorial within PI Square suggests that to prevent in Chrome the URL generating a certificate error message each time it is accessed, the certificate can be exported then reimported back in as a trusted certificate.


      The example shown uses Chrome to do this. However the ability to export the certificate is not possible if using IE11, which is what I have to use because Chrome is not permitted within my environment.


      Is it valid to just go into the certificate snap-in and to manually move the certificate from where the WebAPI Installer creates the certificate into the "Trusted Root Certification Authorities" path? Or is there some other way to do the equivalent of what is possible in Chrome? I see for example that you can do an export in MMC to a file then reimport it, but the certificate format is not the same as generated from Chrome.

        • Re: Self Signed Certificates export/import PI-WEBAPI 2015 R3

          Hello Simon,


          Internet Explorer also offers functionality to deal with certificates provided by web services. PI Web API communication is based on https meaning that a certificate is used to secure communication. A PI Web API client needs to have the certificate, used by a particular PI Web API instance, installed to the Trusted Root Certificate Authorities Store.

          It is not Chrome nor Internet Explorer generating the certificate but these clients allow to download a certificate and to store it to disk where it might be that different formats can be chosen.

            • Re: Self Signed Certificates export/import PI-WEBAPI 2015 R3



              Thanks. So if my only client is ie11 and it doesn't allow certificates to be exported, can this be done directly from the mmc snap-in?

                • Re: Self Signed Certificates export/import PI-WEBAPI 2015 R3

                  Hi Simon,


                  It is difficult to understand what your problem is about if you do not describe it. Is it possibly that IE doesn't browse PI Web API at all? If so, please try adding your PI Web API host to the trusted sites. If it loads now, the page may look like this:

                  You proceed with Continue to this website (not recommended). Well even IE doesn't recommend this is the way to proceed but please only do this if you trust the page. The next screen looks similar to this.

                  You click on the Certificate error showing in the title.

                  Now you proceed with View certificates

                  You should now be able to Install Certificate ...

                  It is possible that your experience differs from what the screenshots are showing. In such case a brief internet research usually returns as well useful results. Sorry, but this is IE behavior and nothing specific to PI Web API.


                  What should work independent from what browser you are using pure Certificate snap-in functionality:

                  - On the PI Web API host, open the Certificate snap-in for the local computer.

                  - Under Trusted Root Certification Authorities, browse Certificates for your PI Web API self-signed (or other) certificate. If you don't know the name, use OSIsoft.REST.Admin.exe to look it up.

                  - Click the thumbprint to bring up the certificate details, note the name and look it up in Certificates mmc snap-in

                  - Right-click the certificate -> All Tasks -> Export ... and follow the wizard instructions to Export the certificate (see screenshots)

                  Well, you've launched the export for a good reason. I really don't know what the second (default) option is for. Let's select Yes, ..

                  I am assuming you are logged on with a domain user as I am and you will use the same domain user to import the certificate into the clients store.

                  Now, pick up the certificate file, copy it over to the client and use the Certificate mmc snap-in to import the certificate to the Trusted Root Certification Authorities store.

                  It's also possible to roll out the certificate to clients via domain policy.


                  All this is Windows nothing PI Web API specific.

                    • Re: Self Signed Certificates export/import PI-WEBAPI 2015 R3
                      Bryan Owen

                      oops... the method above is for exporting a certificate with it's private key.  A SSL private key should only very rarely ever need to leave the protected web server.


                      For instance setup of a load balanced server is a common scenario where a certificate with private key is needed.  Similarly, IT might want to be sure they can rebuild the web server from scratch so that would be a case for keeping a certificate exported with its private key in a safe place.


                      Browsers accessing a web server protected by a SSL certificate will attempt to validate the server's certificate during the connection handshake.  Of course public certificate authorities automatically trusted by the browser and/or operating system aren't able to vouch for a self-signed certificate so the browser raises a certificate error.



                      IE's Certificate Invalid popup allows you to view and install the certificate received from the web server.

                      1 of 1 people found this helpful