Generate Root Certificates for Proficy Historian Server Manually (Not recommended)
About this task
MTLS Binaries
To support MTLS, the Historian install media includes the following files. These files are located in the MTLS folder in the Proficy Historian install folder:
- CreateRootCertificate.exe
- MTLSCertificatesInstall.exe
- openssl.exe
- legacy.dll
- libcrypto-3-x64.dll
- libssl-3-x64.dll
- openssl.cnf
CreateRootCertificate.exe and MTLSCertificatesInstall.exe are the two command-line utilities for generating the certificates. The other binaries are the dependent components.
Location of MTLS Binaries
The following figure shows an example of the binaries folder for the MTLS feature when Proficy Historian 2024 is installed on the C drive:
To generate the root certificate, use the CreateRootCertificate.exe utility (in the MTLS folder in the Historian install folder) from a command prompt with Administrator privileges, as described in the following steps.
Procedure
- Right-click the Command Prompt, and select Run as Administrator.
- Navigate to the MTLS folder in the Historian installed path. For example:
  cd C:\Program Files\Proficy\Proficy Historian\MTLS
- Run the CreateRootCertificate.exe command using the following arguments (argument: description):
  - EnableMTLS: Specifies whether MTLS is enabled. If you do not specify a value, the MTLS feature is enabled by default (and set to 1 by default):
    - 0 – MTLS feature is disabled
    - 1 – MTLS feature is enabled
  - Password: Specifies the word or phrase that you use to protect your certificate. The Password argument is mandatory, whereas Number of Days is optional. An example Passphrase is: P@55w0rd.
  - Number of Days: Optional. Specifies the Number of Days for the root certificate to be valid. After the specified days, the certificate validity expires. If you do not pass any value for Number of Days, the setting defaults to 365 days. For example, if the Number of Days is 3650, the certificate is valid for 10 years from the generated date.
  Note: If you fail to pass any values to this command-line, the command will fail to create the root certificate.
  The following is an example of the command-line. In this example, MTLS is enabled, the passphrase is P@55w0rd, and the certificate will be valid for 3650 days (10 years):
  C:\Program Files\Proficy\Proficy Historian\MTLS> CreateRootCertificate.exe 1 P@55w0rd 3650
- After executing CreateRootCertificate.exe, locate the root keys generated in the same MTLS folder:
  - ica_key.pfx – Password-protected certificate that contains the private key used to sign the core services certificates.
  - ica_key.cer – Root certificate that contains the public key and the other attributes of the certificate.
The following figure shows examples of the root certificates.
After generating the root certificate, this certificate needs to be added to the “Trusted Root Certification Authorities” certificate store on the Local Machine.
Installing Certificates for Core Services
To generate certificates for the core services, run the MTLSCertificatesInstall.exe utility from the command prompt with Administrator privileges.
Procedure
- Launch the utility from the command prompt with Administrator privileges. For example:
  "C:\Program Files\Proficy\Proficy Historian\MTLS\MTLSCertificatesInstall.exe" P@55w0rd 3650
  The MTLSCertificatesInstall.exe utility takes the following arguments (argument: description):
  - Password: Specifies the word or phrase that you use to protect your certificate. The Password argument is mandatory, whereas Number of Days is optional. An example Passphrase is: P@55w0rd.
    Note: The same Password used for creating the root certificate needs to be used here, so that the Password is the same when the argument is passed between the executables. The MTLSCertificatesInstall.exe utility uses this password to open the root certificate private key (ica_key.pfx) and sign the core services certificates.
  - Number of Days: Optional. Specifies the Number of Days for the root certificate to be valid. After the specified days, the certificate validity expires. If you do not pass any value for Number of Days, the setting defaults to 365 days. For example, if the Number of Days is 3650, the certificate is valid for 10 years from the generated date.
- Double-click each service .cer file as shown in the following figure, and check whether each generated certificate has a valid root certificate chain.
- After all required certificates are generated, restart the core Historian services. Without valid certificates, core services cannot establish connections to each other.
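The trusted-root import and the per-certificate chain check described above can also be scripted and run before the services are restarted. The following PowerShell is an added example, not part of the Proficy documentation or tooling; it assumes the service .cer files sit in the same MTLS folder as ica_key.cer and that no CRL is published for the locally generated root.

```powershell
# Added example; run from an elevated PowerShell prompt.
# Assumption: the root and service .cer files are all in this folder.
$mtlsDir  = 'C:\Program Files\Proficy\Proficy Historian\MTLS'
$rootPath = Join-Path $mtlsDir 'ica_key.cer'

# Load the root certificate (public part only; ica_key.pfx is never opened here).
$root = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $rootPath

# Add the root to Local Machine > Trusted Root Certification Authorities if absent.
if (-not (Test-Path "Cert:\LocalMachine\Root\$($root.Thumbprint)")) {
    Import-Certificate -FilePath $rootPath -CertStoreLocation Cert:\LocalMachine\Root | Out-Null
}

# Build a chain for every other .cer file and confirm it ends at that root.
$results = foreach ($file in Get-ChildItem -Path $mtlsDir -Filter *.cer) {
    if ($file.Name -eq 'ica_key.cer') { continue }
    $cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $file.FullName
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    # Assumption: no CRL exists for this local root, so revocation lookups are skipped.
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    $built  = $chain.Build($cert)
    $anchor = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
    [pscustomobject]@{
        File        = $file.Name
        Subject     = $cert.Subject
        NotAfter    = $cert.NotAfter
        ChainValid  = $built
        EndsAtRoot  = ($anchor.Thumbprint -eq $root.Thumbprint)
        ChainStatus = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
    }
}
$results | Format-Table -AutoSize

# Flag any certificate that does not chain cleanly to ica_key.cer.
$failed = $results | Where-Object { -not ($_.ChainValid -and $_.EndsAtRoot) }
if ($failed) {
    Write-Warning ("Chain check failed for: " + (($failed | ForEach-Object { $_.File }) -join ', '))
}
```

The NotAfter column shows when each certificate expires, which follows from the Number of Days value passed to the utilities.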