When you turn on SSL in Ignition, the Gateway serves what is called a "self-signed" certificate. This gives you the encryption benefits of SSL, but not the identity validation, because it isn't a 'real' certificate issued by a trusted authority. This is why a web browser will display prominent warnings telling users that they shouldn't trust the website.
We are not able to ship a real certificate with Ignition because SSL certificates have to be purchased individually from a certificate authority, such as Verisign, GoDaddy, or Comodo.
This guide will show you how to purchase a real SSL certificate from a certificate authority and install it in Ignition. You'll need to be comfortable running command-line programs in order to complete this guide. The examples in this guide assume a Windows environment, but the general procedure is identical in Linux.
1. Install the JDK
There are some command-line tools you'll need to use to create a certificate request and to install your certificate. These tools come with the Java Development Kit (JDK). It is likely that you only have the Java Runtime Environment (JRE) installed. Go to http://java.oracle.com and click on Java SE. Download the Java SE 6 JDK and install it.
2. Open a Command Prompt
Open a command prompt (Start > Run > cmd) and change directory into your JDK tools directory.
cd C:\Program Files\Java\jdk1.6.0_24\bin
3. Create your Keystore
SSL certificates for Ignition are stored in a file called a keystore. You'll need to create your own keystore file with a certificate in it before you can purchase the SSL certificate.
a. Enter the Following Command:
keytool -genkey -alias tomcat -keyalg RSA -keysize 2048 -keystore C:\ssl.key
(you can put the file wherever you want for now but it should be called "ssl.key")
b. It will prompt you to enter a password. Use the password:
ignition
c. You will then be prompted for your "first and last name". Do not actually use your first and last name. This value must be one of these for your Ignition Gateway:
1. Fully Qualified Domain Name (e.g. "secure.yourdomain.com")
2. Public IP address (e.g. "202.144.8.10")
3. Full Server Name of your internal server (e.g. "scadaserver")
4. Private IP address (e.g. "192.168.0.1")
d. It will then prompt you for information about your company. Input all data accurately, as the certificate authority will need to verify this information.
e. Lastly, it will ask you for the password for the alias.
4. Generate a Certificate Signing Request
At this point, you have a keystore file named "ssl.key" at the root of your C:\ drive (or wherever you specified it to be in step 3a).
In your command prompt window, enter this command:
keytool -certreq -alias tomcat -file C:\csr.txt -keystore C:\ssl.key
It will prompt you for the keystore password (ignition). You now have a certificate request file at C:\csr.txt
5. Buy the SSL Certificate
Now you need to get your SSL certificate signed by a certificate authority. When you go to a certificate authority (Verisign, GoDaddy, Comodo, etc.), they'll ask for your CSR, which is the csr.txt file that you created in step 4. Typically they'll ask you to paste your CSR into their web form. Open csr.txt in Notepad, and copy-and-paste it into the certificate authority's form. If prompted what software generated the CSR, choose Tomcat or Java.
After the certificate authority has processed your payment and reviewed your CSR, they will send you your certificate via email.
6. Install the SSL Certificate
After your SSL certificate has been emailed to you, you will want to follow the instructions provided for installing the certificate into a Java keystore. Your certificate authority will provide these instructions. The following is the procedure for installing a Comodo SSL certificate, provided as an example:
a. Extract the certificate files that were emailed to you. In this example they were extracted to C:\cert
b. Install the root certificate with the following command:
keytool -import -trustcacerts -alias root -file C:\cert\AddTrustExternalCARoot.crt -keystore C:\ssl.key
c. Install the COMODO intermediate certificate:
keytool -import -trustcacerts -alias INTER -file C:\cert\COMODOHigh-AssuranceSecureServerCA.crt -keystore C:\ssl.key
d. Install your server's certificate:
keytool -import -trustcacerts -alias tomcat -file C:\cert\192_168_1_7.crt -keystore C:\ssl.key
7. Replace Ignition's Default Keystore
You now have a keystore file at C:\ssl.key that holds your SSL certificate. The certificate alias is "tomcat" and the password is "ignition". You can now replace the keystore file that ships with Ignition with your file. Make a backup of the file at C:\Program Files\Inductive Automation\Ignition\tomcat\ssl.key and replace it with your keystore file. You will need to restart the Ignition service after replacing this file.
Make sure your SSL port is allowed through your server's firewall. The default SSL port is 8043, and it can be changed to the standard SSL port (443) through the Gateway Control Utility (GCU).
If you have a redundant installation, you'll need to repeat this procedure on your backup server and buy a second certificate for it.
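Once the Gateway is back up, it is worth confirming that the certificate it now serves carries the name chosen in step 3c (FQDN, public IP, server name or private IP) and that the chain installed in step 6 is trusted. The script below is an added example, not part of this guide or of Ignition; it uses only the Python standard library, and the gateway host, port and sample certificate dictionaries are assumptions for illustration.

```python
"""Post-install check: does the name in the Gateway's certificate match the
address users type, and is the chain trusted?  Added example, not Ignition code."""
import ipaddress
import socket
import ssl


def _label_matches(pattern: str, host: str) -> bool:
    """Exact DNS match, or a wildcard in the leftmost label only (*.example.com)."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if pattern == host:
        return True
    if pattern.startswith("*.") and "*" not in pattern[2:]:
        parts = host.split(".", 1)          # one label may replace the '*'
        return len(parts) == 2 and parts[1] == pattern[2:]
    return False


def name_matches(cert: dict, host: str) -> bool:
    """`cert` has the dict shape returned by ssl.SSLSocket.getpeercert().
    Browsers check subjectAltName first; the CN from step 3c only counts when
    the certificate carries no SAN.  An IP address (step 3c options 2 and 4)
    must appear as an 'IP Address' SAN entry, not as a DNS name."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None
    san = cert.get("subjectAltName", ())
    if san:
        if ip is not None:
            return any(k == "IP Address" and ipaddress.ip_address(v) == ip for k, v in san)
        return any(k == "DNS" and _label_matches(v, host) for k, v in san)
    for rdn in cert.get("subject", ()):  # no SAN: fall back to the CN
        for key, value in rdn:
            if key == "commonName":
                return value == host if ip is not None else _label_matches(value, host)
    return False


def check_gateway(host: str, port: int = 8043) -> dict:
    """Connect to a live Gateway (default Ignition SSL port 8043) and report
    whether the OS trust store accepts the chain and whether the name matches."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False        # report a mismatch instead of aborting on it
    try:
        with socket.create_connection((host, port), timeout=5) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                cert = tls.getpeercert()
    except ssl.SSLCertVerificationError as exc:   # root/intermediate missing or self-signed
        return {"chain_trusted": False, "name_matches": None, "error": str(exc)}
    return {"chain_trusted": True, "name_matches": name_matches(cert, host)}
```

Run `check_gateway("secure.yourdomain.com")` (or the IP you put in the certificate) from a client machine; a self-signed or incompletely chained keystore shows up as chain_trusted False.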