Increasingly I am seeing the use of certificates by PI components to provide secure communication to a server I can see that Web-based PI components (PI Web API, PI Vision etc), like any other Web servers, require SSL (X.509) certificates so that the https protocol can be used with them. However it seems that some form of certificate is also used in other non-Web protocols such as:
- communication between AF clients (anything that uses AF SDK?) and AF Server
- communication between PI DA servers in a PI Collective
Is there a general guide to the use of certificates in the OSIsoft world? In particular I would like to understand the following:
- Are these latter examples also "SSL certificates" or something completely different?
- Does AF SDK communication with the PI DA server require a certificate? Is it the same one used by collective comms?
- Do PI-API (including WIS version) and PI-SDK (whether talking to PI DA or to AF Server) not require any certificates to be in place?
- Servers (PI DA, AF Server) seem to generate and install their own self-signed certificates, although this is transparent to the person installing (until it goes wrong). The intention I suppose is that a client can be certain it is connecting to a legitimate server. Can these self-signed certificates be replaced by ones generated by the user's own CA? Is there any benefit to doing that?
- Is there a complete list of OSIsoft server components that install and use certificates, and client components that require them?
- Under what circumstances can the self-signed certificates stop working? (For instance I got an error the other day when trying to install AF Server 2015 after a newer version had been installed and removed again - something about "Exception in OnStart: The service certificate is not provided. Specify a service certificate in ServiceCredentials").
- Can you supply any other useful information/tips related to certificates in PI, that I am too ignorant even to have thought of?