Issue
There is no information on how to create and prepare signed certificates for import into SBO. The PEM file format must be used. If another format is used or the certificate files are not correct, an error message is displayed when importing.
Product Line
EcoStruxure Building Operation
Environment
Certificates
Cause
There is no information on how to create signed certificates in SBO
Resolution
- Complete a Certificate Request and then request a certificate in PEM format in a .pfx file "container".
- Extract the CA certificate, Intermediate certificate and private key using the following OpenSSL commands.
- After executing each command, enter the password if prompted.
- Make sure you reference the right pfx file. In the commands below, filename.pfx is used as an example.
- Make sure you enter the commands manually and do not copy/paste them from this article.
- Download OpenSSL tool here
- openssl pkcs12 -in filename.pfx -out host.pem -nodes -clcerts -nokeys
- openssl pkcs12 -in filename.pfx -out inter.pem -nodes -cacerts -nokeys
- openssl pkcs12 -in filename.pfx -out privkey.prv -nodes -nocerts
- The three files produced must then be stripped of any characters that are not part of the PEM-formatted certificate/key - basically all the characters before "-----BEGIN CERTIFICATE-----" or after "-----END CERTIFICATE-----". Make sure each file ends with a blank line, and that each section is separated by a blank line. This can be done in Notepad.
- Import the files into SBO using the certificate manager in the Control Panel.
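The cleanup step above (removing everything outside the PEM markers) can also be scripted instead of being done by hand in Notepad. The shell function below is an added example, not part of the original article or of SBO; the name strip_pem, the .clean output file names and the sample file contents are constructed for illustration.

```shell
#!/bin/sh
# strip_pem IN OUT
# Copies every "-----BEGIN ...-----" .. "-----END ...-----" block from IN to
# OUT and drops everything else (for example the "Bag Attributes" lines that
# "openssl pkcs12" writes). One blank line follows each block, so blocks are
# separated by a blank line and the file ends with one.
# Fails (non-zero) if IN has no complete PEM block.
# The output is created with umask 077: privkey.prv extracted with -nodes is
# an unencrypted private key and should not be readable by other users.
strip_pem() {
    (
        umask 077
        awk '
            { sub(/\r$/, "") }                        # tolerate CRLF files
            /^-----BEGIN [A-Z0-9 ]+-----$/ { inblock = 1 }
            inblock { print }
            /^-----END [A-Z0-9 ]+-----$/ {
                if (inblock) { print ""; found++ }
                inblock = 0
            }
            END { exit !(found > 0 && !inblock) }
        ' "$1" > "$2"
    )
}

# Constructed sample shaped like pkcs12 output (placeholder bodies, not real
# certificates).
write_sample() {
    cat > "$1" <<'EOF'
Bag Attributes
    localKeyID: 01 00 00 00
subject=CN = Example Intermediate CA
issuer=CN = Example Root CA
-----BEGIN CERTIFICATE-----
PLACEHOLDERBASE64BODY1
-----END CERTIFICATE-----
Bag Attributes: <No Attributes>
subject=CN = Example Root CA
-----BEGIN CERTIFICATE-----
PLACEHOLDERBASE64BODY2
-----END CERTIFICATE-----
EOF
}

# Demo on the constructed sample; for real files run e.g.
#   strip_pem inter.pem inter.clean.pem
demo_dir=$(mktemp -d)
write_sample "$demo_dir/inter.pem"
strip_pem "$demo_dir/inter.pem" "$demo_dir/inter.clean.pem" && cat "$demo_dir/inter.clean.pem"
```

Review the cleaned files before importing them; the function only removes text outside the markers and does not validate the certificate or key itself.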
File type conversion
If the host and intermediate certificates are in crt, cer or der format, you can convert them to PEM format using the following commands:
openssl x509 -outform der -in certificate.cer -out certificate.der
openssl x509 -inform der -in certificate.der -out certificate.pem
Replace "certificate.cer" with the name of your file.
Determining certificate file type
To determine which file type a given certificate file has (PEM, DER, or pkcs12/pfx), you can use the following commands (replace "cert.crt" with the name of your file). A valid output will confirm the file type.
PEM
openssl x509 -in cert.crt -text
DER
openssl x509 -in cert.crt -inform DER -text
pkcs12/pfx
openssl pkcs12 -in cert.crt -info