CSense Certificate Manager CLI (cmcli)

The Certificate Manager Command Line Interface (cmcli) is a command line utility that is installed as part of the CSense product and can be used to repair or update the OPC UA Client Application Instance Certificate issued by CSense.

Overview

OPC UA specifies that all client applications require an Application Instance Certificate. The Application Instance Certificate is used to establish a secure connection to the server when an OPC UA client connects to an OPC UA server.

During installation, CSense creates its own self signed Application Instance Certificate and a Private Key that is protected with a strong password. By default, the generated certificate is valid for 10 years from the date of installation.

Use the Certificate Manager Command Line Interface to:

  • Update or set the password on an existing CSense Application Instance Certificate
  • Issue a new CSense Application Instance Certificate and set the password on the certificate

NOTE: This utility is only needed when there are reasons to repair or replace the OPC UA Client Application Instance Certificate.

CSense Application Instance Certificates

CSense Application Instance Certificates

The CSense Application Instance Certificate and private key can be found in the following folder:

%PROGRAMDATA%\Proficy CSense\OPCUA\pkiclient\own

Using the Certificate Manager Command Line Interface

The utility has two modes of operation, the first mode is used to generate new certificates and replace the current certificates that are configured for the CSense applications.

The second mode of the utility will only update the password that CSense uses to protect the private key. Each mode is described in more detail in the next sections.

The syntax for using the Certificate Manager Command Line Interface is as follow:

> cmcli.exe COMMAND [/duration <value>] [/password <value>]

NOTE: The Certificate Manager Command Line Utility must be run as an Administrator.

Certificate Manager Command Line Interface Reference

COMMAND: generate

The generate command will generate a new Application Instance Certificate and Private Key file and replace the existing certificate used by CSense.

The following arguments can be specified if the COMMAND is specified as generate:

Argument Default Description
/duration 10 Years The duration in whole years that the certificate must be valid. The default value is used if this argument is omitted.
/password Random String The password that must be used to protect the private key.
The /password argument has the following behavior:
  • If the /password argument is not specified, a random password will be generated for the private key.
  • If the /password argument is specified without a value, the utility will prompt the user for a password using a secure prompt.
  • If the /password argument is specified with a value, the value will be used to protect the private key.
  • To specify an empty password for the private key one must use the second option, providing the /password argument without a value. This will trigger the secure prompt where an empty password can be specified. Using an empty password is not recommended.

COMMAND: set

The set command can be used to update CSense to use new password for an existing certificate.

In this mode the utility will not generate a new certificate and will only update CSense to use the specified password when loading the Application Instance Certificate and Private key located at:

%PROGRAMDATA%\Proficy CSense\OPCUA\pkiclient\own\certs\csense.der
%PROGRAMDATA%\Proficy CSense\OPCUA\pkiclient\own\certs\csense.pem

For this mode it is the responsibility of the user to update the files specified and that the password specified matches the password for the private key file.

The following arguments can be specified if the COMMAND is specified as set:

Argument Default Description
/password None The private key file password
The /password argument has the following behavior:
  • If the /password argument is not specified or specified without a value, the utility will prompt the user for a password using a secure prompt.
  • If the /password argument is specified with a value, the value will be set for CSense to use.
  • If the private key file uses an empty password one must use the first option, providing the /password argument without a value. This will trigger the secure prompt where an empty password can be entered. Using an empty password is not recommended.

Examples

This section shows usage examples for using the utility from the command line

Calling cmcli with no arguments

The following example shows the output of the cmcli if no arguments are specified:

C:\Program Files (x86)\Proficy\Proficy CSense> cmcli.exe
CSense Certificate Manager Command Line Interface
Syntax:
    cmcli COMMAND [/duration <value>] [/password <value>]
Where:
  COMMAND       Command to execute: 'generate' or 'set'
  /duration     Time in years that the certificate must be valid.
                Applies to: generate
                Default: 10
  /password     Password for the new certificate key.
                Applies to: generate, set

Generating a new Application Instance Certificate with a duration of 5 years

In the following example the value of the password is not set thus the password is prompted.

C:\Program Files (x86)\Proficy\Proficy CSense> cmcli.exe generate /duration 5 /password
CSense Certificate Manager Command Line Interface
Enter new password> ******************
Repeat new password> ******************
Certificates successfully updated.

Set the password for an existing certificate on the command line

In the following example the value of the password is not set thus the password is prompted.

C:\Program Files (x86)\Proficy\Proficy CSense> cmcli.exe set /password "Secure Password @1!"
CSense Certificate Manager Command Line Interface
Certificate password was successfully set.

 

  

CSense 2023- Last updated: June 24,2025