Preparing and importing a signed CA certificate

Issue

There is no information on how to create and prepare signed certificates for import in SBO. PEM file format has to be used. If another format is used or the certificate files are not correct, you get a message like this when importing SAXParseException: Reference to invalid character number in line X column Y

Product Line

EcoStruxure Building Operation

Environment

Certificates

Cause

There is no information on how to create signed certificates in SBO

Resolution

Make sure that when preparing the pfx file that the full chain of trust is included in the pfx file. You have various options when preparing a pfx certificate export file and the private keys and chain of trust are options that must be selected. Otherwise, you won't extract the intermediate certificate or the private key if not included.

Complete a Certificate Request and then request a certificate in PEM format in a .pfx file "container".
Extract the CA certificate, Intermediate certificate, and private key using the following OpenSSL commands.
- After executing each command, enter the password if prompted.
- Make sure you reference the right pfx file. Below filename.pfx is used as an example
- Make sure you enter the commands manually and do not copy/paste from this article
Download OpenSSL tool here
- openssl pkcs12 -in filename.pfx -out host.pem -nodes -clcerts -nokeys
- openssl pkcs12 -in filename.pfx -out inter.pem -nodes -cacerts -nokeys
- openssl pkcs12 -in filename.pfx -out privkey.prv -nodes -nocerts
The three files produced must then be parsed of any characters that aren't in part of the certificate/key and in PEM format - basically all the characters before "-----Begin Certificate-----" or after "-----End Certificate-----". Make sure each file ends with a blank line, and that each section is separated by a blank line. This can be done in Notepad.
Import the files in to SBO using the certificate manager in the Control panel.

File type conversion

If the host and intermediate certificate is in crt, cer or der format, you can convert them to pem format using the following method/command:

openssl x509 -outform der -in certificate.cer -out certificate.der
openssl x509 -inform der -in certificate.der -out certificate.pem

Replace "certificate.cer" with the name of your file

Determining certificate file type

To determine which filetype a given certificate file has (PEM, DER, or pkcs12/pfx), you can use the following commands (replace "cert.crt" with the name of your file). A valid output will confirm the file type.

PEM
openssl x509 -in cert.crt -text

DER
openssl x509 -in cert.crt -inform DER -text

pkcs12/pfx
openssl pkcs12 -in cert.crt -info

Preparing and importing a signed CA certificate