Alternate method using XCA certificate and key management

As an alternative, you can use the XCA Certificate and Key Management tool to create self-signed certificates for the IEE application server and the Service Mode server.

Go to https://sourceforge.net/projects/xca to download the XCA Certificate and Key Management application. With this tool installed, you can create and maintain a personal or centralized department database for various systems.

Creating certificates for the IEE and Service Mode servers

Important! Perform the following procedure for each IEE application server and Service Mode server.

  1. Open the XCA Certificate and Key Management application. Select the Certificates tab and click New Certificate.

    Certificates tab and location of the New Certificate option.

  2. Select the Subject tab and enter an Internal name and a commonName. These names should match. In the following example, ITRON-DEMO_IEE_APServer is used in both fields. Click Generate a new key.

    Certificate and key management dialog.

  3. The New Key dialog shows the name you entered in the previous step. Keep the default Keytype and Keysize values and click Create.

    New key dialog.

  4. A confirmation message appears. Click OK.

    Certificate and key management confirmation message.

  5. Select the Extensions tab. Under Time range, specify the length of time that the certificate will be valid. For example, for the certificate to expire exactly fifteen years from today at the end of that day, enter 15 in the box, select Years from the dropdown menu, and select the Midnight checkbox. Click Apply.

    Location of the extensions tab.

  6. At the X509v3 Subject Alternative Name line, click Edit.

  7. Click Add and select DNS from the Type dropdown menu.

    Location of add button.

  8. Under Content, enter the application server name as a fully qualified domain name (FQDN), or use a domain wildcard, as in the following example, if all application servers reside in the same domain. For multiple server DNS names, click Add to create new lines as needed. Click Validate.

    Location of the validation button.

  9. A confirmation message appears. Click OK.

    Validation successful message.

  10. Click Apply.

    Location of apply button.

  11. Select the Key usage tab and make the following selections:

    Select X509v3 Key Usage

    • Digital Signature

    • Key Encipherment

    Select X509v3 Extended Key Usage

    • TLS Web Server Authentication

    • TLS Web Client Authentication

      Options to select on the Key usage tab.

  12. Select the Advanced tab. Review the summary and click OK if correct.

    Advanced tab in the certificate and key management.

  13. A confirmation message appears. Click OK.

    Successfully created certificate message.

  14. Repeat these steps for the Service Mode server. For identification purposes, be sure to indicate Service Mode in the Internal name and commonName (for example, SM_SS_Server).

Exporting the certificates and key files

To transfer the certificate and key information onto the IEE application server and Service Mode server, you must export the .p12 and .cer files.

Important! Perform the following procedure for each IEE application server and Service Mode server.

  1. Open the XCA Certificate and Key Management application. Select the Certificates tab, select a certificate created in the previous procedure, and click Export.

    Export option on the certificates tab.

  2. From the Export Format dropdown menu, select PKCS #12 (*.p12) and click OK.

    Certificate export in the certificate and key management dialog.

  3. Enter a password for secure key transfer and click OK.

    Location of password box.

  4. On the Certificates tab, select the same certificate that you selected in step 1 and click Export.

    Export tab on the certificate and key management dialog.

  5. From the Export Format dropdown menu, select DER (*.cer). Note the path shown in the Filename field and click OK.

    File name on the export tab in the certificate and key management dialog.

  6. Using the path shown above, navigate to the Filename location to view the certificate and key files. Copy the .cer files and the .p12 files to your IEE environment.

    Filename location path.

  7. Repeat these steps for the Service Mode server certificate.
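
Before importing, the exported .cer file can be checked in PowerShell against the settings chosen in the creation procedure: self-signed, the DNS entry in the Subject Alternative Name, the two Key Usage selections, and both Extended Key Usage purposes. This is an added example, not part of the vendor procedure; the function name, the .cer file name, and the DNS name in the sample call are assumptions.

```powershell
# Added example: checks an exported DER (.cer) file against the XCA settings above.
function Test-ExportedCertificate {
    param(
        [Parameter(Mandatory)] [string] $Path,            # exported DER (.cer) file
        [Parameter(Mandatory)] [string] $ExpectedDnsName  # FQDN or wildcard entered under Content
    )
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (Resolve-Path $Path).Path
    $findings = @()

    # A self-signed certificate names itself as issuer; also flag an expired one.
    if ($cert.Subject -ne $cert.Issuer) { $findings += 'Issuer differs from subject' }
    if ($cert.NotAfter -lt (Get-Date)) { $findings += "Expired on $($cert.NotAfter)" }

    # Subject Alternative Name (OID 2.5.29.17) must carry the expected DNS entry.
    # The lookarounds stop 'example.com' from matching inside '*.example.com'.
    $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    $pattern = '(?<![\w.*-])' + [regex]::Escape($ExpectedDnsName) + '(?![\w.-])'
    if (-not $san) {
        $findings += 'Subject Alternative Name extension is missing'
    } elseif ($san.Format($false) -notmatch $pattern) {
        $findings += "Subject Alternative Name does not list $ExpectedDnsName"
    }

    # X509v3 Key Usage must include Digital Signature and Key Encipherment.
    $ku = $cert.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509KeyUsageExtension] }
    foreach ($name in 'DigitalSignature', 'KeyEncipherment') {
        $flag = [System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]$name
        if (-not $ku -or -not $ku.KeyUsages.HasFlag($flag)) { $findings += "Key Usage lacks $name" }
    }

    # X509v3 Extended Key Usage must include both TLS purposes selected in XCA.
    $eku = $cert.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    $ekuOids = @($eku.EnhancedKeyUsages | ForEach-Object { $_.Value })
    $required = @{
        '1.3.6.1.5.5.7.3.1' = 'TLS Web Server Authentication'
        '1.3.6.1.5.5.7.3.2' = 'TLS Web Client Authentication'
    }
    foreach ($oid in $required.Keys) {
        if ($ekuOids -notcontains $oid) { $findings += "Extended Key Usage lacks $($required[$oid])" }
    }

    # An empty Findings list means the file matches the settings in the procedure.
    [pscustomobject]@{ Subject = $cert.Subject; NotAfter = $cert.NotAfter; Findings = $findings }
}

# Sample call; the file name and DNS name are placeholders:
# Test-ExportedCertificate -Path .\ITRON-DEMO_IEE_APServer.cer -ExpectedDnsName '*.example.com'
```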

Importing the certificates and key files

On the IEE application server, the app server key file (.p12 file) must be imported to the Personal store and the Trusted Root Certification Authority store.

Note: This procedure applies to the IEE application server only.

  1. From the Windows Start menu, run MMC to open IIS Certificate Management. Select File > Add/Remove Snap-in.

    Location of the add and remove option.

  2. Under Available snap-ins, select Certificates and click Add.

    Add or remove snap in.

  3. A dialog appears. Select Computer account and click Next.

    Computer account selected on the dialog.

  4. Click Finish.

    Finish button on the dialog.

  5. Under the Personal store, right-click Certificates and select All Tasks > Import.

    Location of import option under all tasks.

  6. The Certificate Import Wizard appears. Follow the prompts to import the .p12 file that was exported in Exporting the certificates and key files. This should be the key for the IEE application server certificate only.