Adding Certificates to PI
One of the things that has been coming up more often is SSL communication. We have been dealing with third-party companies and internal departments that require communication via SSL.
A couple of things to remember when trying to get SSL working:
- Ensure that the SSL certificate you are importing contains the full certificate chain. If it does not, you can go to the public CA and import their certificates to get the certificate working.
- For FTPS, PI 7.1 can only use Explicit Encryption! You will need to work with your third-party vendor to have their FTPS server set up to use Implicit Encryption for your connection.
I put together the below document for our Basis team on adding certificates to PI.
- Log into NWA
- Go to Configuration Management -> Security -> Certificates and Keys
- Select the TrustedCAs, then click import entry.
- Select the certificate type
- Browse out to the certificate and click import
- If the certificate does not have the full chain in it and it’s a public cert, grab a cert for the CA and install it as well
- Public CA for IndustrySafe
- Industry safe cert
- In the below section you can check to see if the certificate was imported successfully.
Very interesting. Do you know if "Implicit Encryption" is available in 7.3?
We are still in the process of testing 7.3 for upgrading our PI environment and as far as I can tell it is not.
Hi Tony,
Thanks for the documentation. We have a vendor who is using a self-signed certificate and wants us to import their certificate into our PI system. Which certificate should I import (Base/Intermediate/Root) into my system?
Also, as mentioned in your document, import the "full certificate chain contained inside of it".
So what exactly do you mean by "full certificate chain contained inside of it"?
One more thing: can we make this certificate available in the communication channel in Integration Builder? I believe only private keys are visible in the communication channel.
Regards,
Manish
Certificates have an expiry date. Does it mean we will need to reimport new ones before the old ones expire?
Also, could you point me to what to look for to reimport those from the sites with some kind of script when the source sites get updated with new certificates?