Browse FAQs

Data Center Expert | Working with SSL Certificates (Self-Signed, CSR, & CA Authority)

Published date: 08 May 2020

Issue
Working with self-signed and CA authority signed SSL certificates for the StruxureWare Data Center Expert appliance.

Product Line
StruxureWare Data Center Expert (DCE)
- Basic Appliance (AP9465)
- Standard Appliance (AP9470)
- Enterprise Appliance (AP9475)
- Virtual Appliance (AP94VMACT)
StruxureWare Central (SWC)
InfraStruXure Central (ISXC)

Environment
StruxureWare Data Center Expert (all versions)
StruxureWare Central (all versions)
InfraStruXure Central (all versions)

Resolution

Viewing Current SSL Certificate Information
Self-Signed Certificates
CA Signed Certificates (Internal CA or 3rd-Party)
 
NOTE: You must be logged into the Data Center Expert desktop client as a user with Server Administrator privileges to be able to manage server web certificates.
 
Viewing Current SSL Certificate Information
DCE Desktop Client > System menu > Server Administration Settings > Server Access > Web Server tab. 
- If the certificate is Self-Signed it will be issued by: Schneider Electric  /  APC by Schneider Electric
- If the certificate is issued by a CA Authority other than Schneider Electric, the certificate will have different Issued By information.
 

 
Working With Self-Signed Certificates

When Data Center Expert is deployed, the appliance utilizes a self-signed certificate.  Note: You may need to generate a new self-signed certificate to come up to 2048-bit encryption, if you upgraded from an older version before 2048-bit was the default.

Generating a New Self-Signed Certificate
1) Go to System > Server Administration Settings > Server Access.  On the Web Server tab, click Modify Certificate.
2) Select Create new Self-Signed Certificate.
3) Edit the certificate parameters as needed, and click Next.
Note: Country is limited to two alphabetical characters.
4) Click Finish to overwrite the default (or current) SSL certificate with a new, self-signed SSL certificate created by the server.  You can log on to the server again after it finishes rebooting.
 
 
Create a Certificate Signing Request (CSR) to Send to a Certificate Signing Authority (CA)
It is highly recommended for your Data Center Expert server to be updated to the most current version before managing.  Being updated will prevent a private key mismatch that will prevent the server from being able to be access via HTTP/HTTPS.
1) Go to System > Server Administration Settings > Server Access.  On the Web Server tab, click Modify Certificate.
2) Select Create Certificate Signing Request (CSR) and click Next.
3) Edit the certificate parameters as needed and click Next.
Note: Country is limited to two alphabetical characters.
Note: It is recommended to fill in all fields as some CA Authorities require all fields to process the CSR signing.
4) Copy the provided CSR text to a text file.
You can manually select the text and use Ctrl+C, or right-click anywhere in the text to use the Select All and Copy options, to copy the CSR text.
Note: Another CSR should not be created before a signed CSR is received back and Imported.  Creating another CSR will generate a new private-key which will invalidate all previous CSRs.
5) Submit the CSR to your desired CA Authority (3rd-party or internal) for signing.  You will receive back a signed SSL certificate, which may include a certificate chain (root cert, intermediary certs, & signed SSL certificate for DCE)
 
 
Verifying the Certificate Format is Correct

1) Open the certificate in a plain-text notepad editor.
2a) If the file begins with "-----BEGIN CERTIFICATE-----", it is in the proper base-64 encoded format.  Proceed to the determining if there is a certificate chain section below.
2b) If the file does not being with "-----BEGIN CERTIFICATE-----", then the file is in an unsupported DER binary format and needs to be converted.
3) Double-click on the certificate within Windows Explorer.  This should launch a certificate details screen.
4) Go to the Details tab and click the Copy to File... button, then click Next.
5) Select Base-64 encoded X.509 (.CER) and click Next.
6) Click Browse... and provide the location and a name for the certificate file then click Save.
7) Click Next and then Finish.  The certificate should now be saved in the location you provided with the name you provided, and be in the correct format for import.  Proceed below to determining if you have a certificate chain.
 

Determining if a Certificate Chain is being used
1) Open the provided SSL Certificate (base-64 encoded format) in a notepad editor.
2) If there is only ONE section that has "-----BEGIN CERTIFICATE-----" and "-----END CERTIFICATE-----" skip to step X.
3) Go to System menu > Server Administration Settings > Server SSL Certificates.
4) Import all certificates from the certificate chain EXCEPT the first one, which should be the signed SSL certificate intended for the server itself.  Click on Add... and paste in the Second section including the opening tag "-----BEGIN CERTIFICATE-----" and closing tag "-----END CERTIFICATE-----".  Click Add.
Note: You can not import multiple certificates at once into the Server SSL Certificates Screen and must follow the steps above for each of the remaining certificates (excluding the first one).
 
 
Adding the Signed Server SSL Certificate into DCE

1) Go to System > Server Administration Settings > Server Access.  On the Web Server tab, click Modify Certificate.
2) Select Add Certificate and click Next.
3) Use Ctrl+V to paste a copy of the certificate in the text box.  If there was only ONE certificate as determined above, you can use the Import Certificate to import the certificate from its text file, and click Next.
4) Click Finish to overwrite the current SSL certificate with the new SSL certificate.  You can log on to the server again after it finishes rebooting.

Was this helpful?

What can we do to improve the information ?

Can't find what you are looking for?

Reach out to our customer care team to receive information on technical support, assistance for complaints and more.