Creating self signed certificates and signing program objects!

Tridium Niagara
1

Inside of workbench you can find the workbench options menu. Let’s check it out!

toolsmenu-options
toolsmenu-options567×135 7.26 KB

As you can see on the left nav tree, there are lots of workbench options you can play with. Today we will be looking at code signing though. Here you can see that my signing cert dropdown menu currently has “progobjsigner” selected. Yours will not have that option and will likely be blank. We will make one though!

toolsmenu-options-codesign1
toolsmenu-options-codesign1972×560 30.3 KB

Going back to the tools menu, we can see there is an option for Certificate Management. Notice: This will be in reference to your own platform and workbench.

toolsmenu-certmanager
toolsmenu-certmanager581×220 16.7 KB

I will use the AX version..

toolsmenu-ax-certmanager
toolsmenu-ax-certmanager557×127 8.33 KB

Here is what a good signing certificate should be represented in the User Key Store of your Certificate Management view.

certmanager-preview
certmanager-preview724×211 17.2 KB

Sadly, I will now delete my cert. But we will make another.

certmanager-preview-nocert
certmanager-preview-nocert608×180 12.9 KB

Certs, Certs and more Certs… and CA’s

Within the menu you will see New Cert as an option.

certmanager-newcert-CA
certmanager-newcert-CA712×639 57.6 KB

Info on Self-Signed Certificate Fields:

Alias:

  • The alias is a friendly name given to the certificate within a keystore, not part of the certificate’s subject.
  • It’s a way to identify the certificate within a specific keystore (like when using keytool or similar).

Subject Distinguished Name (DN):

The DN is used to identify the entity the certificate is issued to.

  • CN (Common Name):
    • The fully qualified domain name (FQDN) of the server (e.g., www.example.com).
    • Can also be a person’s name, server name, etc.
  • OU (Organizational Unit):
    • A department or division within the organization (e.g., IT Department, Sales).
  • O (Organization):
    • The legal name of the organization (e.g., Example Company).
  • L (Locality):
    • The city or location (e.g., Anytown).
    • ST (State or Province):
    • The state or province (e.g., California).
  • C (Country):
  • The two-letter country code (e.g., US, GB).

Certificate Settings/Extensions:

  • Key Size:
    • The length of the key used in the certificate’s public/private key pair.
    • Examples: 2048-bit RSA (common), 3072-bit RSA, 4096-bit RSA, or a suitable size for Elliptic Curve Cryptography (ECC).
    • Stronger encryption can result in slower performance but greater security.
  • Certificate Usage:
    • Specifies what the certificate can be used for.
    • Examples: Server authentication, client authentication, code signing, email signing.
  • Subject Alternative Name (SAN):
    • Allows additional host names, domain names, IP addresses, etc., to be associated with the certificate.
    • Often used for multibal-domain or wildcard certificates.
  • Key Usage:
    • Specifies the allowed operations of the key.
    • Examples: digitalSignature, keyEncipherment, dataEncipherment, certificateSigning.
  • Extended Key Usage:
    • Further specifies how the certificate’s key may be used
    • Examples: serverAuth, clientAuth, codeSigning, emailProtection.

Example:

For our example programobjsignerCA we are going to reuse some feilds. This is not a server certificate

  • Alias: progobjsignerCA
  • CN: progobjsignerCA
  • OU: Controls Department
  • O: Acme Corp
  • L: Iowa City

You will notice that there are some fields that are marked (required). We will use those but will omit some of the others.

I have highlighted some of the areas that I wanted to draw attention to. For the CA, here is what I put down.

selfsignedCA-preview
selfsignedCA-preview486×543 37.6 KB

Notice the “Not After” is out to the year 2070 :smiling_face_with_sunglasses:. You cannot get away with this outside of self signed :zany_face:.
I chose 4096 bits as I believe I read somewhere in workbench docs, maybe doc developer(?) to use this setting.
Key usage I left at default selections after the CA selection.

After choosing the OK button, you will see a password prompt. Go ahead and give it your super secret password

image-1
image-1498×373 30.8 KB

Yay! You should be prompted that the system is creating. Just accpet ok and move on.

ca-creation-prompt
ca-creation-prompt565×338 16.5 KB

Now we have the certificate, but you can see it is yellow. Not trusted.

ca-not-trusted-preview
ca-not-trusted-preview744×135 13 KB

We are now going to export this certificate and then import it back into the User Trust Store. So highligh the certificate and choose export. Make sure the “export private key” is selected.

Now you need to remember that super secret password from before and add it to the export here!

ca-not-trusted-preview-export
ca-not-trusted-preview-export705×624 47.9 KB

Once exported, we will need to import into that User Trust Store. Select that tab and then select the Import button below.

user-trust-import-ca
user-trust-import-ca891×611 50.6 KB

Select the new CA we just made and exported

ca-not-trusted-import-accept
ca-not-trusted-import-accept761×632 53.6 KB

Select OK and now you should see the green checkbox for the cert. :white_check_mark:

ca-trusted
ca-trusted617×185 13.5 KB

OK, so we have a CA. Now what

Back to User Key Store and create a new certificate. This time select Code Signing. You can basically leave the rest the same as the CA. Other than the Alias and CN, of course.

new-cert
new-cert857×650 70.7 KB

And you will need to add another super secret password here.

new-cert-pwd
new-cert-pwd453×436 35.3 KB

Certificate Signing Requests (CSR)

Find the recently created certificate (progobjsigner) and now we will select the Cert Request
Go ahead and select OK

new-cert
new-cert857×650 70.7 KB

Yay more passwords!

new-cert-pwd
new-cert-pwd453×436 35.3 KB

You will be prompted with a save prompt. Notice the file type here. Go ahead and save, if the location works for you. My path for this is in user home .certManagement. You can choose any location, but this is probably the best.

csr-save-prompt
csr-save-prompt613×434 19.3 KB

Time to sign the CSR with our shiny CA!

Go ahead and select the tools menu → Certificate Signer Tool.

tools-menu-signingtool
tools-menu-signingtool371×234 10.2 KB

Once selected you will get prompted for selecting the CSR. We will select our newly created progobjsigner.csr

cert-sign-select-csr
cert-sign-select-csr1121×438 53.6 KB

Notice here that the menu on the left - the actual prompt before I chose the file selector icon - already has the programsignerca selected.

Once you choose the file you will have another prompt, here is where you will add the password (private key) for the signing certificate (CA password). You can also notice that the Not After date might not match your original date. Here mine is 2 years. Its fine for me for the example, but you might want to bump that.

sign-cert-withca
sign-cert-withca510×627 36 KB

Once again, another prompt :zany_face:. Go ahead and save over the original. Maybe this isn’t the best approach, but it works.

Time for the magic

Go back to the User Key Store and select import.

signed-cert-import
signed-cert-import884×560 55.5 KB

Select OK on the preview of the certificate

signed-cert-import-review
signed-cert-import-review780×608 53.9 KB

I was prompted with a password entry because the store already contained the entry under that alias. So, enter the password or go back and delete it out of the keystore first and come back to import.

signed-cert-import-overwrite-password
signed-cert-import-overwrite-password1097×176 12.8 KB

And again, enter the private key password for the certificate. Last time, for this one :blush:.

signed-cert-import-privatekey-password
signed-cert-import-privatekey-password763×321 30.6 KB

You should now have that green checkmark :white_check_mark::white_check_mark:

signed-green
signed-green680×258 20.4 KB

Go sign some program objects!!

If you go back to the tools menu → options → code signing options. You should now have the option to use your new shiny cert!

toolsmenu-options-codesign-select
toolsmenu-options-codesign-select1068×773 62.3 KB

I believe that the next time you go to compile a program object, you might be prompted for the private key agin, but it will sign the program objects!

9 Likes
2

Great tutorial @Tappel!

2 Likes
3

This process worked flawlessly for me! Now I can go back and finish the Photocopier Guide by @Giantsbane, where I believe signed certificates are needed! Brilliant, thank you. I have two versions of Niagara4, one on line, one air gapped. I was not able to use this process on my off line (air gapped) version (it could have been operator error, but this could just be a limitation of being off line). Thank you guys for all you do here!

2 Likes
4

Someone give @ControlFreak a job already… If only all were as willing to upskill in their own time!

1 Like
5

So glad it helped! I know i was lost with certs and learning on my own was tough. This community is so very important.

1 Like
6

As a newbie, I can’t tell you how much this community has helped me…and that’s not even it’s mission! I feel like you guys are swimming in the Olympic Pool and you check back in on me here in the Kitty Pool! Gives me the warm fuzzies!

2 Likes
7

Trust me! We never stop swimming :sweat_smile:. I’m always learning something new…

2 Likes
8

We never stop swimming

Or drowning, depending on the day :rofl:

1 Like