After SSL is enabled, all Clients, Designers, and web browsers are redirected to the SSL port if they try to use the standard HTTP port. By default, the SSL port is 8043. You can change it here to another port like the standard SSL port of 443. If you are using a firewall, make sure to open the appropriate ports.
Ignition supports using SSL communications to the Gateway Webpage as well as Client/Designer communication with the Gateway. It is highly recommended that you purchase an SSL certificate from a certificate authority if you turn this feature on. The procedures for how to install a genuine SSL Certificate are below.
When you turn on SSL in Ignition, the Gateway presents what is called a "self-signed" certificate to the web browser. This gives you the encryption benefits of SSL, but not the identity validation, because the certificate was not issued by a certificate authority. This is why a web browser will display nasty warnings to users that they shouldn't trust the website.
We are not able to ship a real certificate with Ignition because security certificates have to be obtained individually from a Certificate Authority (CA). Ignition supports certificates from both your organization's internal CA, as well as commercial CAs (Verisign, GoDaddy, Comodo, etc). In either case, the procedure for how to install a certificate is listed below.
After you have added an SSL certificate, the keystore will automatically refresh every 15 minutes. You can disable this in the ignition.conf file by altering the ignition.ssl.refresh entry (set it to 0 to disable the refresh).
Since SSL/TLS requires the installation of an SSL certificate, filling out the form below will generate a certificate signing request (CSR) to provide to a certificate authority. It is the first step required in getting an SSL certificate from a trusted Certificate Authority (CA), which is why details such as Organization and Location are being collected.
Fill in the required fields on the screen, then click the Generate Certificate Signing Request button. The generated CSR can then be brought to a Certificate Authority.
Full DNS name (required). This is typically what you type in your browser URL bar in order to navigate to this gateway, for example: yourdomain.com
|Organization Name||Name of company (required). For example: Inductive Automation.|
|Organization Department||Department or section (required). For example: Engineering.|
|Email address. For example: email@example.com.|
|Country||Typically an ISO 3166 2 character code (required). For example: US.|
|State / Province||State, province or region. For example: California.|
|Locality (City)||Name of city. For example: Folsom|
|Street||Street number and street name. For example: 90 Parkshore Dr|
|Postal Code||Postal code. For example: 95630|
The algorithm of the key pair that will be generated for the self-signed certificate. Options are RSA or EC. Recommended: RSA
The strength of the generated key. Recommended: 2048 bits
|Expires in||The number of days the generated Certificate will be valid. Only applies to the self-signed certificate.|
|Subject Alternative Names|
|IP Addresses||The IP addresses of all the servers you plan on installing the certificate. Click the Add button for each additional IP address.|
|DNS Names||DNS names which map to the list of IP addresses above. Click the Add button for each additional IP address.|
Once you have an SSL certificate, it needs to be added to Ignition.
The next step is to import the server certificate. This is the DER or PEM encoded X.509 SSL certificate that Ignition will use for SSL / TLS. Drag and drop the certificate file, browse for it, or manually enter the data.
The next step is to import the certificate chain. This gives you the Intermediate CA Certificate. Drag and drop the certificate file or bundle, browse for it, or manually enter the data.
You'll see a message that the Intermediate CA Certificate was successfully uploaded.
Finally, import the root CA certificate: Drag and drop the certificate file, browse for it, or manually enter the data. You'll see a message that the Root CA Certificate was successfully uploaded.
Why does the description for the previous certificate, the intermediate one, change to say Root certificate now? - This is a question for Dev., probably a bug. The text is a duplicate of step 4 too. This is a bug. Alex Lu submitted FB14677 for it.
Click the Continue button.
You'll see a confirmation message that the certificate is installed and SSL/TLS is enabled.
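A pre-import check for the three upload steps above, as an added example that is not part of the original page or of Ignition: it reads the issuer and subject names from the PEM files or bundle received from the CA and works out which certificate is the server certificate, which are intermediates, and which is the root, failing if a link is missing. It compares names only and does not verify signatures; all function names and the sample certificates (unsigned skeletons built in the code) are constructed for illustration.

```python
# Added example, not Ignition code: checks name chaining only, not signatures.
import base64, re
def tlv(buf, pos):
    """Read one DER element at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def names(der):  # raw DER (issuer, subject) Name fields of one X.509 certificate
    p = tlv(der, tlv(der, 0)[1])[1]  # step into Certificate, then tbsCertificate
    tag, _, end = tlv(der, p)
    p = end if tag == 0xA0 else p    # skip the optional [0] version field
    fields = []
    for _ in range(5):               # serial, sig alg, issuer, validity, subject
        end = tlv(der, p)[2]
        fields, p = fields + [der[p:end]], end
    return fields[2], fields[4]

def split_pem(text):  # decode every CERTIFICATE block of a PEM file or bundle
    pat = r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----"
    return [base64.b64decode(b) for b in re.findall(pat, text, re.S)]

def import_order(ders):
    """Return (server, [intermediates], root); ValueError if the chain is broken."""
    by_subject = {names(d)[1]: d for d in ders}
    issuers = {names(d)[0] for d in ders}
    leaves = [d for d in ders if names(d)[1] not in issuers]
    if len(leaves) != 1:
        raise ValueError("expected exactly one server (leaf) certificate")
    chain = leaves
    for _ in ders:                   # bounded walk, so an issuer loop cannot hang
        issuer, subject = names(chain[-1])
        if issuer == subject:        # self-issued: reached the root CA
            return chain[0], chain[1:-1], chain[-1]
        if issuer not in by_subject:
            raise ValueError("issuer certificate missing from the upload set")
        chain.append(by_subject[issuer])
    raise ValueError("issuer loop; no self-issued root found")

# Constructed sample data: unsigned certificate skeletons, short-form lengths only.
el = lambda tag, body: bytes([tag, len(body)]) + body
def sample_cert(issuer_cn, subject_cn):
    name = lambda cn: el(0x30, el(0x31, el(0x30, bytes.fromhex("0603550403") + el(0x0C, cn.encode()))))
    tbs = el(0x30, el(0xA0, b"\x02\x01\x02") + b"\x02\x01\x01" + el(0x30, b"")
             + name(issuer_cn) + el(0x30, b"") + name(subject_cn))
    der = el(0x30, tbs + el(0x30, b"") + el(0x03, b"\x00"))
    return "-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(der).decode() + "-----END CERTIFICATE-----\n"
```

With real files, pass the concatenated PEM text to `split_pem` and upload the certificates in the order `import_order` returns: server certificate, then the intermediate chain, then the root.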