How to configure a custom SSL Certificate

Blog Post created by emiller on Dec 12, 2017

HTTPS has become the default configuration in the installation of PI Vision, and HTTPS requires an SSL certificate. These instructions show how to configure a custom certificate for use with PI Vision.

When you have a network alias for the web server, the default certificate generated with PI Web API does not include this alias.

In a default installation of PI Vision, a certificate called "OSIsoft Self Signed Certificate" will be created with Subject Alternative Name (SAN) DNS Name = TSLatam-IIS1.LDC.int.


Also by default, a binding is created on the PI Vision web site:





In this example we are using an alias called "Alias". This alias was created on the DNS server as a CNAME record pointing to TSLatam-IIS1.LDC.int.


If the alias pointed to the IP address of the server, it would be an A record.




When accessing "https://Alias/PIVision" and importing the certificate, the certificate error does not disappear!


The reason is that when you import the certificate on the client machine, you import the certificate that is in the HTTPS binding on the PI Vision server: the "OSIsoft Self Signed Certificate", whose DNS Name is TSLatam-IIS1.LDC.int, which is different from the name "Alias".


If the name typed in the browser ("Alias") is not identical to the SAN, the certificate error occurs.


To fix this there are several options: using a 3rd party certificate provided by a certification authority, creating a certificate with an Enterprise Certificate Authority, or, as in this case, creating a custom certificate.

1. Create a custom certificate

If you already have a 3rd party certificate installed, skip to step 2.


A custom self-signed certificate can be created with a PowerShell command:






New-SelfSignedCertificate -DnsName 'Hostname', 'FQDN' -CertStoreLocation 'Cert:\LocalMachine\My'





Then access the certificate in Certificate Manager for Local Machine with the shortcut: Run -> CERTLM.msc


Copy (do not move) the "Alias" certificate from "Personal" to "Trusted Root Certification Authorities".


If you have a 3rd party certificate that is not installed, it should be imported to Personal and copied to Trusted Root Certification Authorities.
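
Step 1 as a script, added here as an example and not part of the original post: it creates the certificate, checks that the SAN contains every name users will type, exports the public .CER for the client machines in step 5, and places a copy in Trusted Root. "Alias" and "Alias.LDC.int" are the names used in this post; the export path C:\Temp\Alias.cer is an assumption.

```powershell
# Added example, not from the original post. Run in an elevated PowerShell
# session on the PI Vision web server.
$names   = 'Alias', 'Alias.LDC.int'   # names from the post: the alias and its FQDN
$cerPath = 'C:\Temp\Alias.cer'        # assumed export path; the folder must exist

# Create the self-signed certificate in Personal. Every name passed to -DnsName
# becomes a SAN entry; the first one is also used as the Subject.
$cert = New-SelfSignedCertificate -DnsName $names -CertStoreLocation 'Cert:\LocalMachine\My'

# Check the SAN before binding: the browser compares the host name in the URL
# with these entries, so a missing name means the certificate error stays.
$san = $cert.DnsNameList | ForEach-Object { $_.Unicode }
foreach ($n in $names) {
    if ($san -notcontains $n) { throw "SAN is missing '$n'" }
}

# Export only the public certificate (.CER). Export-Certificate does not write
# the private key, so this is the file to copy to client machines.
Export-Certificate -Cert $cert -FilePath $cerPath | Out-Null

# Same result as the copy in certlm.msc: the original stays in Personal and a
# copy is placed in Trusted Root Certification Authorities.
Import-Certificate -FilePath $cerPath -CertStoreLocation 'Cert:\LocalMachine\Root' | Out-Null

# Print the thumbprint so the right certificate can be picked for the HTTPS
# binding and in the PI Web API Admin Utility.
'{0}  expires {1:yyyy-MM-dd}  SAN: {2}' -f $cert.Thumbprint, $cert.NotAfter, ($san -join ', ')
```

On a client machine, the same Import-Certificate line with the copied .CER file installs it into Trusted Root Certification Authorities.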




2. Create an HTTPS binding

Create an HTTPS binding with the certificate and Host Name = "Alias"




The name must match exactly; placing the FQDN (Alias.LDC.int) in Host Name will not work.


At this point the certificate error no longer appears in the user's browser, but searches in PI and AF will still fail because the PI Web API is still using the Self-Signed certificate on the same port.


3. Configure the new certificate in the PI Web API

To change the PI Web API certificate, run the PI Web API Admin Utility:





You must also change this URL:



4. Change the "SearchServiceURL"

In the Web Application's Application Settings, change the "SearchServiceURL" to "Alias".




All set! No need for an IISRESET.


5. Client machines certificates

Now when a client accesses PI Vision through "https://Alias/PIVision", the suggested certificate can be installed and it will work.


To install this certificate on other machines, you can also export it, copy the .CER file to the client machine, and run it there.





Always install it in "Trusted Root Certification Authorities".


For more browser settings, see KB01223 - Kerberos and Internet Browsers.




By Lima, Wagner and Miller, Eduardo.