Set OpCon API Certificate

Set API certificate

This article shows you how to set a self-signed certificate or your own signed certificate for the OpCon REST API. It covers three scenarios:

  1. Generate a new self-signed certificate if no certificate is found.
  2. Generate a new self-signed certificate if the existing certificate is expired.
  3. Set your own signed certificate.

1. No certificate found

In some cases the OpCon API is not reachable because the API cannot find its certificate. In this case you may only have to apply the following procedure to let the API use its own auto-generated self-signed certificate:

  1. Stop the RestAPI service: SMA OpCon RestAPI
  2. Open a command prompt as Administrator
  3. Navigate to the SAM folder (C:\Program Files\OpConxps\SAM for an installation on the system drive)
  4. Run the following command: SMAOpConRestApi.Controllers.exe -setcertificate (for older versions, replace SMAOpConRestApi.Controllers.exe with SMAOpConRestApi.OwinService)
  5. Verify that the process completed successfully. The log file SMAOpConRestApi.log should contain:
23/12/2020 11:48:40.338  Logging is set up...
23/12/2020 11:48:40.339 Configuration read successfully...
23/12/2020 11:48:40.822 Certificate created successfully.
  6. Start the SMA OpCon RestAPI service
  7. Open a browser and navigate to https://[machinename]:[TLSPort]/api/version and verify that the version information returns successfully.

2. Existing certificate is expired

The certificate auto-generated by the OpCon API is valid for two years, so it can expire. For this reason or another, you may have to replace the existing/old certificate with a new auto-generated self-signed certificate:

  1. Stop the RestAPI service: SMA OpCon RestAPI
  2. Open the configuration file SMAOpConRestAPI.ini
  3. Remove the value on the line CertificateSerialNumber=
  4. Open a command prompt as Administrator
  5. Navigate to the SAM folder (C:\Program Files\OpConxps\SAM for an installation on the system drive)
  6. Run the following command: SMAOpConRestApi.Controllers.exe -setcertificate (for older versions, replace SMAOpConRestApi.Controllers.exe with SMAOpConRestApi.OwinService)
  7. Verify that the process completed successfully. The log file SMAOpConRestApi.log should contain:
23/12/2020 11:48:40.338  Logging is set up...
23/12/2020 11:48:40.339 Configuration read successfully...
23/12/2020 11:48:40.822 Certificate created successfully.
  8. Start the SMA OpCon RestAPI service
  9. Open a browser and navigate to https://[machinename]:[TLSPort]/api/version and verify that the version information returns successfully.
  10. You can then open the Manage Computer Certificates application and delete the old self-signed certificate.

3. Set own signed certificate

This section shows how to set your own signed certificate (which must be registered in the Personal certificate store) for the OpCon API:

  1. Stop the RestAPI service: SMA OpCon RestAPI
  2. Go to ..\OpConxps\SAM and open the SMAOpConRestApi.ini file. (C:\ProgramData\OpConxps\SAM for installation on the system drive)

If you are running OpCon version 20.0 or higher, ignore steps 3 and 4.

  3. Make sure UseTLS=true.
  4. Make sure PortForTLS has a valid port number.
  5. At the line CertificateSerialNumber=, insert the serial number of your own certificate.
  6. Save and close the configuration file.
  7. Open a command prompt as Administrator.
  8. Navigate to the SAM folder (C:\Program Files\OpConxps\SAM for an installation on the system drive)
  9. Run the following commands, substituting your port number and certificate thumbprint:
netsh http delete sslcert ipport=0.0.0.0:<port>
netsh http add sslcert ipport=0.0.0.0:<port> certhash=<certificate thumbprint> appid={1664a5b8-3de3-460a-86da-f27ed83a139a}
  10. Run the following command: SMAOpConRestApi.Controllers.exe -setcertificate (for older versions, replace SMAOpConRestApi.Controllers.exe with SMAOpConRestApi.OwinService)
  11. Go to ..\OpConxps\SAM\Log and retrieve the SMAOpConRestApi.log file to get the results of the command.
  12. Start the SMA OpCon RestAPI service
  13. Open a browser and navigate to https://[machinename]:[TLSPort]/api/version and verify that the version information returns successfully and that the browser shows no warning about the certificate's validity.
Danger

In some cases, step 10 of section 3 is not required, so you can go through all the steps, jumping from 9 to 11, and the certificate will be added to the OpCon API.

Although it is not mentioned in the OpCon documentation, a signed certificate for the OpCon API must contain a private key; otherwise the command SMAOpConRestApi.Controllers.exe -setcertificate and the API will reject your certificate.

Preferred format: PFX/P12/PKCS#12.

Please ensure that your certificate is registered in both the "Trusted Root Certification Authorities" and "Personal" stores.
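
A pre-flight check for scenario 3, as an added example that is not part of the original article or of the OpCon tooling: it confirms that the certificate has a private key and is within its validity period, and returns the serial number and thumbprint that the steps above ask for. It assumes the certificate is in the computer's Personal store (Cert:\LocalMachine\My); the function name Test-ApiCertificate and the 30-day warning threshold are illustrative.

```powershell
# Added example: validate a custom certificate before binding it to the OpCon API.
# Assumption: the certificate lives in the computer's Personal store (Cert:\LocalMachine\My).
function Test-ApiCertificate {
    param(
        [Parameter(Mandatory)] [string] $Thumbprint,   # thumbprint of your own certificate
        [int] $MinDaysValid = 30                       # illustrative threshold for an expiry warning
    )

    # Normalise: values copied from the certificate dialog often carry spaces or hidden characters.
    $clean = ($Thumbprint -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
    if ($clean.Length -ne 40) {
        throw "Thumbprint must be 40 hex characters (SHA-1), got $($clean.Length)."
    }

    $cert = Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object Thumbprint -eq $clean
    if (-not $cert) { throw "No certificate with thumbprint $clean in Cert:\LocalMachine\My." }

    $now = Get-Date
    $problems = @()
    # Without a private key, -setcertificate and the API reject the certificate.
    if (-not $cert.HasPrivateKey) { $problems += 'no private key (import the PFX/P12, not only the .cer)' }
    if ($cert.NotBefore -gt $now) { $problems += "not valid before $($cert.NotBefore)" }
    if ($cert.NotAfter -lt $now)  { $problems += "expired on $($cert.NotAfter)" }
    elseif ($cert.NotAfter -lt $now.AddDays($MinDaysValid)) {
        Write-Warning "Certificate expires on $($cert.NotAfter)."
    }

    [pscustomobject]@{
        Subject      = $cert.Subject
        SerialNumber = $cert.SerialNumber   # value for CertificateSerialNumber= in SMAOpConRestApi.ini
        Thumbprint   = $cert.Thumbprint     # value for certhash= in the netsh command
        NotAfter     = $cert.NotAfter
        Usable       = ($problems.Count -eq 0)
        Problems     = $problems -join '; '
    }
}

# Usage (placeholders; replace with your own values):
#   Test-ApiCertificate -Thumbprint '<certificate thumbprint>' | Format-List
# After the netsh commands, confirm which certificate is bound to the port:
#   netsh http show sslcert ipport=0.0.0.0:<port>
```

Run it from an elevated PowerShell session before editing the configuration file, and proceed only when Usable is True.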