Add a Device Certificate

A device certificate (or SSL certificate) is a digital certificate that provides proof of the device's identity (Manufacturing Connect Edge instance). A device certificate for your Manufacturing Connect Edge instance is not required as the connection is already secured with an automatically generated self-signed certificate. Refer to the Self-Signed Certificates and Device Certificates sections in Certificates for more information.

SSL Certificate Workflow

The steps below describe the process of adding an SSL certificate to Manufacturing Connect Edge (MCEdge) or Manufacturing Connect (MC).

  • Step 1: You will need to request an SSL certificate from your IT team.
  • Step 2: Your IT team will make a request for the SSL certificate from a certificate authority (CA) (for example, DigiCert).
  • Step 3: The CA will return the following to your IT team.
    • The root CA certificate file
    • Any required intermediate certificates
    • The SSL certificate file
  • Step 4: The IT team will send you the following.
    • The root certificate file
    • Any required intermediate certificates
    • The SSL certificate file
    • The private key file
  • Step 5: You will apply the following in either Manufacturing Connect Edge (see steps below) or Manufacturing Connect (see SSL Settings).
    • The CA chain file (root CA file and all intermediate certificates)
    • The SSL certificate
    • The private key file

You can add a device certificate by navigating to System > Certificates.

Before You Begin

Before you complete the steps below, make sure you do the following.

  • Verify you have admin credentials for Manufacturing Connect Edge.
  • Have access to a Linux system.
  • Verify that the certificate you upload is an Nginx certificate.
  • Submit the Certificate Signing Request in Manufacturing Connect Edge to a certificate authority and subsequently receive the device certificate with all required parameters (CA Chain and Private Key). See Manage Certificate Signing Requests for details.
  • Confirm with your IT department if you require a custom CA certificate to be uploaded to Manufacturing Connect Edge before you add a device certificate. If you need to upload a custom CA certificate, see Add a Custom CA Certificate for details.

Step 1: Create a Backup of Your Device

You will first need to create a backup of your device in case you need to recover its configuration settings.

Follow the steps to Back Up a Device.

Step 2: Generate Key Certificates

You will need to collect the following parameters to create the device certificate.

  • SSL Certificate: The public key certificate associated with the device certificate. You will receive the SSL certificate from the certificate authority after submitting the Manufacturing Connect Edge certificate signing request.
  • CA Chain: The certificate authority's chain of certificates that validates the device certificate's public and private keys. When validating this parameter, make sure it includes all intermediate certificate authorities.
  • Private Key: The private key certificate associated with the device certificate. You will receive the private key from the certificate authority after submitting the Manufacturing Connect Edge certificate signing request. To successfully submit the private key, ensure the following:
    • The private key is an RSA private key. If the private key is not RSA, you will need to convert it using openssl. You can use the following command: openssl rsa -in <old_file_name> -out <new_file>
    • The private key is not encrypted. If the private key is encrypted, follow up with your IT department to decrypt it.

The steps below are an example of how to generate certificates locally. You can also obtain them from your organization's IT department.

Note: This action must be performed in a Linux system outside Manufacturing Connect Edge.

To generate key certificates:

  1. Log in to a Linux system.
  2. Enter the following command: docker run --name servercerts -v /Users/Projects/docs/data/certificates/cert:/certs -e CA_EXPIRE=365 -e SSL_EXPIRE=365 -e SSL_KEY=server-key.pem -e SSL_CERT=server-cert.pem -e SSL_CSR=server.csr -e SSL_SUBJECT=localhost paulczar/omgwtfssl
  3. Open the private key file in an editor of your choice to check that the key file is RSA. The first line should look like this: -----BEGIN RSA PRIVATE KEY-----
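
The checks this step asks for (RSA header, no encryption, a CA chain with every intermediate), plus a check that the key matches the certificate, can be scripted on the same Linux system before uploading. This is an added example, not part of the product documentation; the function names are hypothetical and it assumes openssl is installed.

```shell
# Added example: pre-upload checks for the Private Key, SSL Certificate and CA Chain files.
# Function names are illustrative, not product commands.
# Classify a PEM private key by its header lines (plain text, no openssl).
key_format() {
    if grep -q -F -e '-----BEGIN RSA PRIVATE KEY-----' "$1"; then
        # Traditional RSA keys flag passphrase encryption with Proc-Type.
        if grep -q '^Proc-Type: 4,ENCRYPTED' "$1"; then
            echo rsa-encrypted
        else
            echo rsa
        fi
    elif grep -q -F -e '-----BEGIN ENCRYPTED PRIVATE KEY-----' "$1"; then
        echo pkcs8-encrypted
    elif grep -q -F -e '-----BEGIN PRIVATE KEY-----' "$1"; then
        echo pkcs8
    else
        echo unknown
    fi
}

# Number of certificates in the CA chain file (root plus intermediates).
chain_count() {
    grep -c -F -e '-----BEGIN CERTIFICATE-----' "$1" || true
}

# Succeeds when the key and the certificate carry the same public key.
key_matches_cert() {
    k=$(openssl pkey -in "$1" -passin pass: -pubout 2>/dev/null) || return 1
    c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ "$k" = "$c" ]
}

# Succeeds when the certificate verifies against the chain file without
# falling back to the system CA directory.
chain_verifies() {
    openssl verify -no-CApath -CAfile "$1" "$2" >/dev/null 2>&1
}

# Run all checks; print each failure and return non-zero if any failed.
preflight() {  # usage: preflight KEY CERT CHAIN
    rc=0
    fmt=$(key_format "$1")
    [ "$fmt" = rsa ] || { echo "key is $fmt, need unencrypted RSA"; rc=1; }
    [ "$(chain_count "$3")" -ge 1 ] || { echo "chain file has no certificates"; rc=1; }
    key_matches_cert "$1" "$2" || { echo "key does not match certificate"; rc=1; }
    chain_verifies "$3" "$2" || { echo "certificate does not verify against chain"; rc=1; }
    return "$rc"
}

if [ "$#" -eq 3 ]; then preflight "$@"; fi
```

Save it as a script and run it with the key, certificate and chain file paths, in that order. On OpenSSL 3.x, openssl rsa writes a BEGIN PRIVATE KEY (PKCS#8) file unless -traditional is given, which key_format reports as pkcs8.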

Step 3: Add the Device Certificate

You will now need to add the device certificate in Manufacturing Connect Edge.

To add a device certificate:

  1. Navigate to System > Network.
  2. Click the Certificate tab.
  3. From the Device Certificates section, click the Add icon. The Add Certificates dialog box appears.

  4. For the SSL Certificate, CA Chain, and Private Key fields, do one of the following:
    • Click the Upload icon and select the certificate/key file.
    • Paste the certificate/key into the field.
  5. Click Submit.

Step 4: Restart the System

The final step is to restart the system and verify the certificate appears in the Certificates pane.

To restart the system:

  1. From the Certificates pane, navigate to System > Device Management. The Device Management pane appears.
  2. From the Manage section, click Reboot. The system reboots.
  3. Once the system has restarted, log in and navigate to System > Certificates. Verify the certificate appears in the Certificates pane.