
Set API certificate:

This article shows how to set a self-signed certificate or your own signed certificate for the OpCon REST API. It covers three scenarios:

1. Generate a new self-signed certificate if no certificate found.

2. Generate a new self-signed certificate if the existing certificate is expired.

3. Set your own signed certificate.

 

1. No certificate found:

In some cases the OpCon API is not reachable because the API cannot find its certificate. In that case, applying this procedure may be all that is needed to let the API use its own auto-generated self-signed certificate:

 1. Stop the RestAPI service: SMA OpCon RestAPI

 2. Open a command prompt as Administrator

 3. Navigate to the SAM folder (for installation on the system drive C:\Program Files\OpConxps\SAM)

 4. Run the following command: SMAOpConRestApi.Controllers.exe -setcertificate (for older versions, replace SMAOpConRestApi.Controllers.exe with SMAOpConRestApi.OwinService)

 5. Verify that the process completed successfully. The log file SMAOpConRestApi.log should show:

23/12/2020 11:48:40.338  Logging is set up...

23/12/2020 11:48:40.339  Configuration read successfully...

23/12/2020 11:48:40.822  Certificate created successfully.

 6. Start the SMA OpCon RestAPI service

 7. Open a browser and navigate to https://[machinename]:[TLSPort]/api/version and verify that the version information returns successfully.

 

2. Existing certificate is expired:

The certificate auto-generated by the OpCon API is valid for two years, so it can expire. For this reason or another, you may have to replace the existing (old) certificate with a new auto-generated self-signed certificate:

 1. Stop the RestAPI service: SMA OpCon RestAPI

 2. Open the configuration file SMAOpConRestAPI.ini

 3. Remove the value on the line CertificateSerialNumber=

 4. Open a command prompt as Administrator

 5. Navigate to the SAM folder (for installation on the system drive C:\Program Files\OpConxps\SAM)

 6. Run the following command: SMAOpConRestApi.Controllers.exe -setcertificate (for older versions, replace SMAOpConRestApi.Controllers.exe with SMAOpConRestApi.OwinService)

 7. Verify that the process completed successfully. The log file SMAOpConRestApi.log should show:

23/12/2020 11:48:40.338  Logging is set up...

23/12/2020 11:48:40.339  Configuration read successfully...

23/12/2020 11:48:40.822  Certificate created successfully.

 8. Start the SMA OpCon RestAPI service

 9. Open a browser and navigate to https://[machinename]:[TLSPort]/api/version and verify that the version information returns successfully.

 10. You can then open Manage Computer Certificates and delete the old self-signed certificate.

 

3. Set own signed certificate:

This section shows how to set your own signed certificate (which must be registered in the Personal certificate store) for the OpCon API:

 1. Stop the RestAPI service: SMA OpCon RestAPI

 2. Go to ..\OpConxps\SAM and open the SMAOpConRestApi.ini file. (C:\ProgramData\OpConxps\SAM for installation on the system drive)

 If you are running OpCon version 20.0 or higher, skip steps 3 and 4.

3. Make sure UseTLS=true.

4. Make sure PortForTLS has a valid port number.

5. At the line CertificateSerialNumber=, insert the custom certificate serial number value of your own certificate.

6. Save and close the configuration file.

7. Open the command prompt as administrator.

8. Navigate to the SAM folder (for installation on the system drive C:\Program Files\OpConxps\SAM)

9. Run the following commands, substituting your port number and certificate thumbprint:

netsh http delete sslcert ipport=0.0.0.0:<port>

netsh http add sslcert ipport=0.0.0.0:<port> certhash=<certificate thumbprint> appid={1664a5b8-3de3-460a-86da-f27ed83a139a}

10. Run the following command: SMAOpConRestApi.Controllers.exe -setcertificate (for older versions, replace SMAOpConRestApi.Controllers.exe with SMAOpConRestApi.OwinService)

11. Go to ..\OpConxps\SAM\Log and retrieve the SMAOpConRestApi.log file to get the results of the command.

12. Start the SMA OpCon RestAPI service

13. Open a browser and navigate to https://[machinename]:[TLSPort]/api/version and verify that the version information returns successfully and that the browser shows no warning about the certificate's validity.
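The final verification step of each scenario can also be done from PowerShell. The following is an added example, not code from the vendor or the original article: it connects to the API's TLS port and reports which certificate is actually being served and when it expires. The function name and the port value in the sample call are assumptions for illustration.

```powershell
# Added example (not vendor code): report the certificate served on the API's TLS port.
# The port in the sample call is a placeholder; use your own PortForTLS value.
function Get-ServedCertificate {
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [Parameter(Mandatory)][int]$Port,
        [string]$ExpectedThumbprint
    )
    $tcp = New-Object System.Net.Sockets.TcpClient
    try {
        $tcp.Connect($ComputerName, $Port)
        # Accept any certificate: this connection only inspects it and sends no request.
        $callback = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $callback)
        try {
            $ssl.AuthenticateAsClient($ComputerName)
            $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        } finally { $ssl.Dispose() }
    } finally { $tcp.Close() }

    # Thumbprints pasted from the certificate dialog may carry spaces or hidden characters.
    $expected = ($ExpectedThumbprint -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
    [pscustomobject]@{
        Subject         = $cert.Subject
        Issuer          = $cert.Issuer
        SerialNumber    = $cert.SerialNumber
        Thumbprint      = $cert.Thumbprint
        NotAfter        = $cert.NotAfter
        DaysUntilExpiry = [math]::Floor(($cert.NotAfter - (Get-Date)).TotalDays)
        SelfSigned      = ($cert.Subject -eq $cert.Issuer)
        MatchesExpected = if ($expected) { $cert.Thumbprint -eq $expected } else { $null }
    }
}

# Sample call: 8443 is a constructed placeholder port, not an OpCon default.
Get-ServedCertificate -ComputerName $env:COMPUTERNAME -Port 8443
```

Pass -ExpectedThumbprint with the thumbprint used in step 9 to confirm that the binding serves your own certificate rather than an older self-signed one.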

 

Warning :

  • In some cases, step 10 of section 3 is not required, so you can go through all the steps, jump from 9 to 11, and the certificate will be added to the OpCon API.
  • It is not mentioned in the OpCon documentation, but a signed certificate for the OpCon API must contain a private key; otherwise the command SMAOpConRestApi.Controllers.exe -setcertificate and the API will reject your certificate.
  • Preferred format: PFX/P12/PKCS#12.
  • Please ensure that your certificate is registered in the "Trusted Root Certification Authorities" and "Personal" stores.

For the 10th step of "Set your own signed certificate", if you get a "the parameter is incorrect" error, you can try adding single quotes around the appid:

netsh http add sslcert ipport=0.0.0.0:<port> certhash=<certificate thumbprint> appid='{1664a5b8-3de3-460a-86da-f27ed83a139a}'

 

If you get the error "SSL Certificate add failed, Error : 1312 - A specified logon session does not exist. It may already have been terminated", the certificate is most likely not in the correct location: you need to import it into the local machine certificate store (certlm.msc).
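The private-key and certificate-store requirements listed above can be checked before editing the configuration file or running netsh. The following is an added example, not code from the vendor or the original article: it looks up a certificate by thumbprint in the local machine Personal store and reports the conditions this page warns about. The function name and the sample thumbprint are assumptions for illustration.

```powershell
# Added example (not vendor code): pre-flight check of a custom certificate.
function Test-OpConApiCertificate {
    param([Parameter(Mandatory)][string]$Thumbprint)

    # Thumbprints pasted from the certificate dialog may carry spaces or hidden characters.
    $clean = ($Thumbprint -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
    $problems = @()

    $cert = Get-ChildItem -Path Cert:\LocalMachine\My |
        Where-Object { $_.Thumbprint -eq $clean } | Select-Object -First 1
    if (-not $cert) {
        # The page attributes error 1312 to a certificate outside the local machine store.
        $inUser = Get-ChildItem -Path Cert:\CurrentUser\My |
            Where-Object { $_.Thumbprint -eq $clean }
        if ($inUser) { $problems += 'Found in CurrentUser\My only; import it into LocalMachine\My (certlm.msc).' }
        else         { $problems += 'Not found in LocalMachine\My.' }
        return [pscustomobject]@{ Thumbprint = $clean; Ready = $false; Problems = $problems }
    }

    if (-not $cert.HasPrivateKey) { $problems += 'No private key; import the PFX/P12, not a .cer file.' }
    $now = Get-Date
    if ($cert.NotAfter -lt $now)  { $problems += "Expired on $($cert.NotAfter)." }
    if ($cert.NotBefore -gt $now) { $problems += "Not valid before $($cert.NotBefore)." }

    # Chain check without revocation lookups, so it also works on an isolated server.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    if (-not $chain.Build($cert)) {
        $problems += 'Chain does not build: ' + (($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', ')
    }

    [pscustomobject]@{
        Subject      = $cert.Subject
        SerialNumber = $cert.SerialNumber   # serial number for the CertificateSerialNumber= line
        Thumbprint   = $cert.Thumbprint     # thumbprint for certhash= in the netsh command
        NotAfter     = $cert.NotAfter
        Ready        = ($problems.Count -eq 0)
        Problems     = $problems
    }
}

# Constructed placeholder thumbprint; replace it with the thumbprint of your own certificate.
Test-OpConApiCertificate -Thumbprint '00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00'
```

Run it in an elevated PowerShell session on the OpCon server; an empty Problems list means the certificate meets the conditions checked here.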

