A couple years ago I helps setup a SSL certificate for a AX Supervisor, a product that is used as a web interface front end to a automation product called a JACE, usually. The software was installed on a Microsoft Server 2008 R2 system and was serving up the information through a B2B VPN and the other company, even though the traffic was “internal”, requested a SSL. No biggie I thought, I’ve installed SSLs many times. So I installed the certificate on the server but the AX software didn’t see it. I went into the software’s platform and into the Certificate Management section to import a certificate. It only accepted pem files so I converted my Windows certificate over but it didn’t like that either. So I started reading the only guide I could find on the subject titled “NiagaraAX SSL Connectivity Guide”. Ironically it has page after page of how a SSL works and how to generate a self signed certificate then export it out and import it onto all of the computers accessing the system but nothing on importing a existing certificate as a pem file. Long story short the way a AX Supervisor wants the pem is to have it include the key, the certificate, the intermediate certificate, and the root certificate in that order all in one file. So for the 9 people in the universe that will actually need to do this sometime in their life and can’t figure it out here is what I had to do.
First I downloaded the Windows 32 bit binaries of OpenSSL ( from https://slproweb.com/products/Win32OpenSSL.html ) and installed them. I copied my pfx file that I exported out of my server (with key/password) and put it in the same directory as openssl.exe (the bin folder usually). I opened up a command prompt, navigated to the bin directory, and ran the first command to get my private key:
openssl pkcs12 -in CertExport.pfx -nocerts -nodes -out key.pem
Then another command to export out my certificate:
openssl pkcs12 -in CertExport.pfx -nokeys -out cert.pem
I now needed my intermediate and root certificates which since I was using GoDaddy were downloadable from their site ( https://certs.godaddy.com/repository ). I imagine its the same for any other certificate authority. I created a new text file and first took the contents of the key.pem file (minus the headers keeping the begin and end tags) then followed it with the contents of my cert.pem file (again no headers) then, and this is important, followed those with the intermediate then the root. I saved this as MYFullCert.pem and that imported right in without a issue. I was then able to use that for both the Platform SSL certificate and for the Stations WebService certificate. Rebooted the server and everything looked good.
Note: This applies to a AX 3.7. I have found the certificate will not import into 3.8 using the same instructions. What does work however is importing it into 3.7 then exporting it out. The exported file appears to have a extra line added which does work on 3.8.
5 thoughts on “Adding a SSL Certificate to a Vykon AX Web Supervisor”
You just made my day much better. Never had to install a GoDaddy SSL on Tridium before and this is the first article I found that worked.
Glad I could help. I’ve personally had to refer back to the post at least 4 times since I wrote it. You’d think they would make it more “standard” and allow a simple import of a .pfx file like most other systems.
Thanks so much for this article. One question, with AX 3.8, is the extra line in the exported file that you refer to a blank line, static text, or is it different for every certificate? I don’t have a copy of 3.7 to work with, so trying to work out how to do this directly on 3.8. If I can manually append this additional line it sounds like that could work…?
Allegedly the same instructions should work. I had a co-worker follow my instructions on a 3.8 and he said it imported without any issues. My experience hasn’t been the same. Have you tried it on 3.8 just to see if you get any errors?