Create a self-signed SSL/TLS certificate
To open the FactoryTalk Updater application in a browser, you must use Transport Layer
Security (TLS) 1.2 or later. Rockwell Automation recommends using a certificate signed by a
certificate authority (CA). You can create a self-signed certificate on the FactoryTalk Updater
Server.
To open the FactoryTalk Updater application in a browser, you must use Transport Layer Security (TLS) 1.2 or later. Rockwell Automation recommends that you disable TLS 1.0 and TLS 1.1 in the system. Rockwell Automation also recommends using a certificate signed by your organization's internal certificate authority (CA) or a commercial certificate authority. Alternatively, you can create a self-signed certificate on the FactoryTalk Updater server.

- Follow these steps to create a self-signed certificate:
  - On the FactoryTalk Updater server computer, run the following PowerShell command to create a self-signed certificate:

        New-SelfSignedCertificate -FriendlyName EXAMPLE_CERT_NAME -DnsName EXAMPLE_FULL_COMPUTER_NAME -KeyUsage DigitalSignature

    Replace EXAMPLE_CERT_NAME with the name that should appear in the Server Certificates list in Internet Information Services (IIS). For example, use the name "FactoryTalk Updater".
    Replace EXAMPLE_FULL_COMPUTER_NAME with the fully qualified domain name of the server. For example, use the name 4sk2h63.example.com.
  - Open the Internet Information Services (IIS) Manager application.
  - Select Server Certificates.
  - In the Server Certificates window, verify that the self-signed certificate is visible in the list.
  - (optional) If you have a CA certificate, right-click in Server Certificates, then:
    - If you have a PFX file containing the certificate (public keys) and the corresponding private keys, select Import.
    - If you have a file from a CA containing the CA's response (such as a CER file), select Complete Certificate Request.
  - In the Connections list, right-click the UpdaterWebServer certificate and select Edit Bindings.
  - In the Site Bindings dialog, select the https binding and select Edit.
  - In the Edit Site Binding dialog, in the SSL certificate menu, select the certificate and select OK.
  - In the Connections list, right-click the certificate and select Manage Website > Restart.
- Follow these steps to export the self-signed certificate as a PFX file:
  - On the FactoryTalk Updater Server computer, open the Internet Information Services (IIS) Manager application.
  - Select Server Certificates.
  - In the Server Certificates window, identify the self-signed certificate, then write down or copy its Certificate Hash value. This value will be used in the following steps.
  - Open PowerShell, then run the following command to create a password for the PFX file:

        $mypwd = ConvertTo-SecureString -String 'EXAMPLE_PASSWORD' -Force -AsPlainText

    Replace EXAMPLE_PASSWORD with the password that will secure the self-signed certificate.
  - In the same PowerShell window, run the following command to export the self-signed certificate as a PFX file:

        $cert = Get-ChildItem -Path Cert:\LocalMachine\My\EXAMPLE_CERTIFICATE_HASH | Export-PfxCertificate -FilePath C:\mypfx.pfx -Password $mypwd

    Replace EXAMPLE_CERTIFICATE_HASH with the Certificate Hash value identified in previous steps. For example, the value might be ca7e070c4448bc7ae47db59b65e39e8199edae08.
    Replace C:\mypfx.pfx with the file path for the new self-signed PFX file.
- Follow these steps to import the self-signed PFX file on FactoryTalk Updater Client computers:
  - Copy the PFX file created in the previous steps to the FactoryTalk Updater Client computer.
  - Double-click the PFX file. The Certificate Import Wizard appears.
  - For Store Location, select Local Machine and select Next.
  - Verify that the certificate file name appears in the File name box and select Next.
  - Select Place all certificates in the following store and select Browse to open the Select Certificate Store dialog.
  - Enter the password that you set for the certificate and select Next.
  - Select the Trusted Root Certification Authorities folder and select OK.
  - Select Next.
  - Select Finish.
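
The server-side export steps above, scripted as an added example (not Rockwell Automation's code): it finds the certificate by DNS name instead of a copied Certificate Hash, prompts for the PFX password instead of typing it as a literal, and reads the PFX back to confirm what was exported. The two values at the top are the same placeholders used in the steps above; run it in an elevated PowerShell session.

```powershell
# Added example: scripted form of the export steps, for the
# FactoryTalk Updater server. Placeholder values, as in the steps above:
$dnsName = 'EXAMPLE_FULL_COMPUTER_NAME'   # FQDN that was passed to -DnsName
$pfxPath = 'C:\mypfx.pfx'                 # output path for the PFX file

# Find the self-signed certificate by DNS name instead of copying the
# Certificate Hash from IIS Manager. Self-signed: Subject equals Issuer.
$candidates = @(Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object {
    $_.DnsNameList.Unicode -contains $dnsName -and $_.Subject -eq $_.Issuer
})
if ($candidates.Count -ne 1) {
    throw "Expected exactly one self-signed certificate for $dnsName, found $($candidates.Count)."
}
$cert = $candidates[0]

# Checks before export: the private key must be present and the
# certificate must be inside its validity period.
$now = Get-Date
if (-not $cert.HasPrivateKey) {
    throw 'Certificate has no private key in this store.'
}
if ($now -lt $cert.NotBefore -or $now -gt $cert.NotAfter) {
    throw "Certificate is not valid now (NotAfter: $($cert.NotAfter))."
}

# Prompt for the PFX password so it does not end up in command history.
$mypwd = Read-Host -AsSecureString -Prompt 'Password for the PFX file'

Export-PfxCertificate -Cert $cert -FilePath $pfxPath -Password $mypwd | Out-Null

# Read the PFX back and confirm it holds the certificate that was selected.
$pfx = Get-PfxData -FilePath $pfxPath -Password $mypwd
if ($pfx.EndEntityCertificates[0].Thumbprint -ne $cert.Thumbprint) {
    throw 'Exported PFX does not contain the expected certificate.'
}
Write-Output "Exported $($cert.Thumbprint) to $pfxPath"
```

The PFX file contains the server's private key, so remove the copies left on the server and on each client computer once the import is complete.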