Process an X.509 Certificate

After you send an X.509 certificate request to a Certificate Authority (CA) and the CA has validated your request, you will receive a reply containing the certificate. To process this information, use the steps in this topic.

The certificate is generated in the certificate store for the signed in user. After processing the certificate reply, you must export the certificate and its private key from the user account's certificate store and import those into the local computer's certificate store using the Microsoft Management Console. You must have administrative rights to do so.

VTScada processes the reply by removing the request from the Current User's Certificate Requests store and placing the SSL certificate into the Current User's Personal Certificate store, binding it to the correct private key.
The CA's reply must be processed into the store of the computer on which the request was made, using the same user account.
After you've done so, you should back up the X.509 certificate and copy it to the computer for which the request was made.

The certificate response may be in a ZIP file containing your certificate and related information. If this is the case, extract the certificate to a temporary folder on your computer and open it using Notepad in order to continue with the steps. The content should include the lines,

--------BEGIN CERTIFICATE--------

and

--------END CERTIFICATE--------

 

1. Ensure that you are signed in to Windows with the same account you used to generate the request.
   Skipping this step is a common cause of failure.
2. Copy the CA's reply to the Windows clipboard by selecting the certificate including the "--------BEGIN CERTIFICATE--------" and "--------END CERTIFICATE--------" lines, and pressing Ctrl + C.
3. Open the SSL Certificate tab of the VTScada Thin Client/Server Setup dialog.
4. Click the Process Reply button.

5. Run the Microsoft Management Console (MMC) under the user account that VTScada will run in.
   1. From the File menu, add the Certificates snap-in for "My user account".
   2. In the tree on the left, expand "Certificates - Current User"
   3. Expand "Personal" and click "Certificates".
   4. In the right-hand pane you will see the certificate.
   5. Right-click on the certificate and from the "All Tasks" sub-menu, select "Export".
   6. Follow the Wizard, selecting to export the private key and to delete the private key if the export is successful.1 The private key must be exported with the certificate if the certificate is to be installed on another computer. It is good practice to keep a backup of the certificate with the private key.
   7. Complete the wizard, exporting the certificate to a *.PFX file.
   8. If the export is successful, right-click the certificate in the right-hand pane of MMC and select Delete to delete the certificate from the user account certificate store.
6. On the computer that is your VTScada Thin Client Server, run the Microsoft Management console.
   Note that you must be signed in as a user with local computer administrative rights. The process will not succeed otherwise.
   1. From the File menu, add the Certificates snap-in for "Computer account".
   2. In the tree on the left of the MMC, expand "Certificates (Local Computer) - Personal" then right-click on "Personal".
   3. From the "All Tasks" sub-menu, select "Import".
   4. Follow the wizard selecting the certificate file that you saved earlier.
7. Locate the newly added certificate in Personal\Certificates, right-click it and pick Manage Private Keys… from the All Tasks sub-menu.
8. Click Add and add the user account you will be running VTScada under to the security list, granting Read access.
9. Open the certificate by double-clicking.
10. Locate the Subject field of the certificate, noting the line: CN = YourServer.Name.Com.
11. Edit the VTScada SETUP.INI file as follows:
    In the [SYSTEM] section, add SSLCertName = YourServer.Name.Com where YourServer.Name.Com should be replaced by the actual text from your certificate.

If your certificate has a Friendly Name property, you must use the full text of that field.

Comments (if provided) must be on a following line, and must begin with a semi-colon.

12. Restart VTScada and configure a secure realm.

As an alternative to setting permissions to a specific user account in MMC, you can set them for a group, such as Domain Users.

VTScada will now be able to access the X.509 certificates and run HTTPS connections for VICs, after those are configured.

It is highly recommended that you use the Microsoft Management Console (MMC) to backup the certificate and private key. If the registry must be restored or is lost, the private key will be permanently lost as well. The key will be encrypted to protect it during the backup process; you will therefore be required to enter a password.