Self-Signed Certificate

A self-signed certificate does not need to be validated by a certificate authority, and the controller does not need to be accessible over the internet. It can also be created for free. However, web browsers do not trust self-signed certificates and will display a warning whenever the web interface is accessed. This method is fine for testing and development but is not recommended for live sites.

Requirements for Self-Signed Certificates

  • There is no requirement for the controller to be externally accessible.
  • The operator must manually renew the certificate whenever it expires.

Generating a Self-Signed Certificate with OpenSSL

The following instructions will use the free OpenSSL utility. The latest version of OpenSSL for Windows can be downloaded from this page.

  1. Download and install the OpenSSL utility.
  2. Navigate to the installation directory, open the bin folder, locate the openssl executable and run it as an administrator. This will open the OpenSSL command prompt.
  3. To generate your certificate, enter the following command:

    req -new -newkey rsa:2048 -x509 -sha256 -subj "/C=[Country code]/CN=[Common name]" -days 365 -out [name].crt -keyout [name].key

    • Replace [name] with your desired filenames.

    • The country code is optional, but recommended best practice. You can find your country code here.

    • The common name is typically in the form [hostname].[domain name]. For a self-signed certificate this does not need to be an externally accessible hostname. For example, you could use secure.controller.com.

    This generates a new 2048-bit RSA private key ([name].key) and a matching self-signed certificate ([name].crt) that expires after 365 days. The files appear in the current OpenSSL directory.

  4. Enter a passphrase for the private key. This is a phrase used to encrypt the private key to protect it against anyone with access to your local system. It will be required whenever the private key is used.

    Note that passphrase characters will not be displayed in the console. Only alphanumeric characters are supported for the passphrase.

  5. Enter your location and identity information as requested. These details will be incorporated into your certificate and publicly viewable from the web browser.

    Ensure that the Common Name is the same as the Domain Name which is being used for the controller, if any.

  6. To export your certificate, enter the following command, replacing [name] with your desired filename:

    pkcs12 -export -certpbe PBE-SHA1-3DES -keypbe PBE-SHA1-3DES -nomac -out [name].pfx -inkey [name].key -in [name].crt

    Always include the -certpbe, -keypbe and -nomac arguments so that the .pfx file is encrypted with the algorithms the controller can read. These arguments affect only the exported file; they do not affect the encryption of the HTTPS connection.

  7. Enter the passphrase assigned above when prompted.
  8. Create an export password when prompted. This will be required when installing the certificate on the controller.

    This process will generate a [name].pfx file in the current OpenSSL directory. This is your self-signed certificate. Store this file in a safe, known location.
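The generation procedure above (steps 3 to 8) as a non-interactive POSIX shell script, added here as an example and not taken from the original instructions, together with a check that can be run on the output before it is uploaded to the controller. It assumes the OpenSSL command-line tool is on PATH; the file name ctrl, the country AU, the hostname secure.controller.com from the example above and the two passwords are constructed sample values.

```shell
#!/bin/sh
# Added example, not part of the original instructions: runs steps 3 and 6
# non-interactively and checks the result before it is uploaded to the controller.
# Assumes the OpenSSL CLI (1.1.x or 3.x) is on PATH; names and passwords are constructed.
set -e
command -v openssl >/dev/null || { echo "openssl not found on PATH" >&2; exit 2; }

# Step 3: new 2048-bit RSA key plus self-signed certificate. Passphrase and
# subject are given on the command line so nothing is prompted for.
gen_self_signed() {
    name=$1; country=$2; cn=$3; days=$4; keypass=$5
    openssl req -new -newkey rsa:2048 -x509 -sha256 \
        -subj "/C=$country/CN=$cn" -days "$days" -passout "pass:$keypass" \
        -out "$name.crt" -keyout "$name.key" 2>/dev/null
}

# Step 6: PKCS#12 export with the legacy PBE-SHA1-3DES settings and no MAC,
# exactly the arguments the controller requires.
export_pfx() {
    name=$1; keypass=$2; exportpass=$3
    openssl pkcs12 -export -certpbe PBE-SHA1-3DES -keypbe PBE-SHA1-3DES -nomac \
        -out "$name.pfx" -inkey "$name.key" -in "$name.crt" \
        -passin "pass:$keypass" -passout "pass:$exportpass"
}

# Pre-install checks: CN matches the hostname you will browse to, key and
# certificate are one pair, the certificate is not about to expire, and the
# .pfx opens with the export password. Returns non-zero on any failure.
verify_bundle() {
    name=$1; expected_cn=$2; keypass=$3; exportpass=$4
    cn=$(openssl x509 -in "$name.crt" -noout -subject -nameopt RFC2253 \
         | sed 's/.*CN=\([^,]*\).*/\1/')
    [ "$cn" = "$expected_cn" ] || { echo "CN is '$cn', expected '$expected_cn'"; return 1; }
    pub_cert=$(openssl x509 -in "$name.crt" -noout -pubkey)
    pub_key=$(openssl pkey -in "$name.key" -passin "pass:$keypass" -pubout)
    [ "$pub_cert" = "$pub_key" ] || { echo "private key does not match certificate"; return 1; }
    # 2592000 s = 30 days: warn early because renewal is manual (see Requirements)
    openssl x509 -in "$name.crt" -noout -checkend 2592000 >/dev/null \
        || { echo "certificate expires within 30 days; renew it"; return 1; }
    # -nomacver because the file was exported with -nomac; a wrong export
    # password makes decryption of the bundle fail
    openssl pkcs12 -in "$name.pfx" -passin "pass:$exportpass" -nomacver -noout 2>/dev/null \
        || { echo ".pfx cannot be opened with the export password"; return 1; }
    openssl x509 -in "$name.crt" -noout -enddate
}

# Example run (produces ctrl.key, ctrl.crt and ctrl.pfx in the current directory):
# gen_self_signed ctrl AU secure.controller.com 365 keypass1
# export_pfx ctrl keypass1 exportpass1 && verify_bundle ctrl secure.controller.com keypass1 exportpass1
```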

Installing the Self-Signed Certificate to the Controller

  1. Access the controller's web interface by typing its IP address into the address bar of a web browser, then log in with your username and password.
  2. Navigate to the System Settings.
  3. In the General tab, select the Use HTTPS checkbox (if not already enabled).
  4. Enter an appropriate HTTPS Port. The default is port 443, which is commonly used for this purpose. You should retain the default port unless you are required to use another port by your system administrator.
  5. Click Install Certificate and browse to the .pfx certificate file to install it on the controller.

    No .txt validation file is required for this method, as the connection is not validated by a third party.

  6. Enter the export password that you created when generating the certificate file.
  7. Click Save, then restart the controller using the button on the top right to implement the new settings.
  8. Wait for the restart to complete. The web page will not refresh automatically.

  9. Browse to the controller web page by adding the prefix https:// to the beginning of the IP address or URL.

When using a self-signed certificate, you will likely be presented with a security warning when you access the HTTPS web page. The connection is still encrypted, but the browser flags the certificate as untrusted because it has not been validated by a trusted third party.