CSense Certificate Manager CLI (cmcli)
The Certificate Manager Command Line Interface (cmcli) is a command line utility that is installed as part of the CSense product and can be used to repair or update the OPC UA Client Application Instance Certificate issued by CSense.
Overview
OPC UA specifies that all client applications require an Application Instance Certificate. The Application Instance Certificate is used to establish a secure connection to the server when an OPC UA client connects to an OPC UA server.
During installation, CSense creates its own self-signed Application Instance Certificate and a Private Key that is protected with a strong password. By default, the generated certificate is valid for 10 years from the date of installation.
Use the Certificate Manager Command Line Interface to:
- Update or set the password on an existing CSense Application Instance Certificate
- Issue a new CSense Application Instance Certificate and set the password on the certificate
NOTE: This utility is only needed when there are reasons to repair or replace the OPC UA Client Application Instance Certificate.
CSense Application Instance Certificates
The CSense Application Instance Certificate and private key can be found in the following folder:
%PROGRAMDATA%\Proficy CSense\OPCUA\pkiclient\own
Using the Certificate Manager Command Line Interface
The utility has two modes of operation. The first mode generates new certificates and replaces the current certificates that are configured for the CSense applications.
The second mode of the utility will only update the password that CSense uses to protect the private key. Each mode is described in more detail in the next sections.
The syntax for using the Certificate Manager Command Line Interface is as follows:
> cmcli.exe COMMAND [/duration <value>] [/password <value>]
NOTE: The Certificate Manager Command Line Utility must be run as an Administrator.
Certificate Manager Command Line Interface Reference
COMMAND: generate
The generate command will generate a new Application Instance Certificate and Private Key file and replace the existing certificate used by CSense.
The following arguments can be specified if the COMMAND is specified as generate:
Argument | Default | Description |
/duration | 10 Years | The duration in whole years that the certificate must be valid. The default value is used if this argument is omitted. |
/password | Random String | The password that must be used to protect the private key. The /password argument has the following behavior:
|
COMMAND: set
The set command can be used to update CSense to use a new password for an existing certificate.
In this mode the utility will not generate a new certificate and will only update CSense to use the specified password when loading the Application Instance Certificate and Private key located at:
%PROGRAMDATA%\Proficy CSense\OPCUA\pkiclient\own\certs\csense.der
%PROGRAMDATA%\Proficy CSense\OPCUA\pkiclient\own\certs\csense.pem
In this mode, it is the responsibility of the user to update the files specified and to ensure that the password specified matches the password for the private key file.
The following arguments can be specified if the COMMAND is specified as set:
Argument | Default | Description |
/password | None | The private key file password. The /password argument has the following behavior:
|
Examples
This section shows examples of using the utility from the command line.
Calling cmcli with no arguments
The following example shows the output of the cmcli if no arguments are specified:
C:\Program Files (x86)\Proficy\Proficy CSense> cmcli.exe
CSense Certificate Manager Command Line Interface
Syntax:
cmcli COMMAND [/duration <value>] [/password <value>]
Where:
COMMAND Command to execute: 'generate' or 'set'
/duration Time in years that the certificate must be valid.
Applies to: generate
Default: 10
/password Password for the new certificate key.
Applies to: generate, set
Generating a new Application Instance Certificate with a duration of 5 years
In the following example the value of the password is not set, so the utility prompts for the password.
C:\Program Files (x86)\Proficy\Proficy CSense> cmcli.exe generate /duration 5 /password
CSense Certificate Manager Command Line Interface
Enter new password> ******************
Repeat new password> ******************
Certificates successfully updated.
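The generate example above, wrapped in a check that the certificate on disk was actually replaced (an added example, not part of the vendor documentation). It assumes csense.der is the DER-encoded certificate and that cmcli.exe is in the install folder shown in the examples; the -Years parameter and the Get-CSenseCert helper are hypothetical names. Because this page documents no exit codes for cmcli, the script compares the certificate before and after instead of relying on one.

```powershell
# Added example, not vendor code. cmcli syntax and paths are taken from this page.
# Assumption: csense.der is the DER-encoded certificate; -Years is a hypothetical parameter.
param([int]$Years = 5)

$cmcli   = 'C:\Program Files (x86)\Proficy\Proficy CSense\cmcli.exe'
$derPath = Join-Path $env:ProgramData 'Proficy CSense\OPCUA\pkiclient\own\certs\csense.der'

function Get-CSenseCert([string]$Path) {
    # Summarise the fields that matter when deciding whether a certificate was replaced.
    $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($Path)
    [pscustomobject]@{
        Thumbprint = $cert.Thumbprint
        Subject    = $cert.Subject
        NotBefore  = $cert.NotBefore
        NotAfter   = $cert.NotAfter
        SelfSigned = ($cert.Subject -eq $cert.Issuer)
        DaysLeft   = [math]::Floor(($cert.NotAfter - (Get-Date)).TotalDays)
    }
}

# cmcli must be run as an Administrator, so fail early if the session is not elevated.
$identity = [Security.Principal.WindowsIdentity]::GetCurrent()
$isAdmin  = ([Security.Principal.WindowsPrincipal]$identity).IsInRole(
                [Security.Principal.WindowsBuiltInRole]::Administrator)
if (-not $isAdmin) { throw 'Run this script from an elevated PowerShell session.' }

$before = Get-CSenseCert $derPath
Write-Host "Current certificate expires $($before.NotAfter) ($($before.DaysLeft) days left)."

# /password without a value makes cmcli prompt, which keeps the password
# out of the command line and the shell history.
& $cmcli generate /duration $Years /password

$after = Get-CSenseCert $derPath

# A regenerated certificate has a new thumbprint; an unchanged one means nothing was replaced.
if ($after.Thumbprint -eq $before.Thumbprint) {
    throw 'csense.der is unchanged: the certificate was not replaced.'
}

# The new expiry should be about $Years years from now (2-day tolerance is an assumption).
$expected = (Get-Date).AddYears($Years)
if ([math]::Abs(($after.NotAfter - $expected).TotalDays) -gt 2) {
    Write-Warning "NotAfter is $($after.NotAfter), expected about $expected."
}

$before, $after | Format-Table Thumbprint, NotBefore, NotAfter, SelfSigned -AutoSize
```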
Set the password for an existing certificate on the command line
In the following example the password is specified on the command line, so the utility does not prompt for it.
C:\Program Files (x86)\Proficy\Proficy CSense> cmcli.exe set /password "Secure Password @1!"
CSense Certificate Manager Command Line Interface
Certificate password was successfully set.