Create a security certificate for password encryption


 Product(s): Promis.e, Bentley Substation
 Version(s): 08.11.13.xx
 Environment: N/A
 Area: Installation_Configuration
 Subarea: N/A

Background

Some organizations set up a mechanism by which Setup.xml is distributed to all users in order to provide a common setup configuration. Because each user’s machine has a unique certificate installed by default, this mechanism fails if passwords are stored in the file, as is the case with SQL Server authentication (as opposed to Windows Authentication).

In order for SQL server authentication to work, the same certificate must be installed on each user’s machine, and the Setup.xml must be directed to use that certificate. This article describes how to obtain a certificate that can be installed on all machines.

Creating and distributing a security certificate is not necessary if using Windows Authentication on [[Setup]] or if the Setup.xml file is not going to be distributed.

Steps to Accomplish

Create the certificate

Makecert.exe is Microsoft’s tool for creating certificates. It is available through the Windows SDK.

To create a certificate that can be installed on multiple computers, follow this procedure:

  1. Run makecert.exe to create the certificate and private key file (at the prompt, enter a password for the private key or click None)

    MakeCert -r -n "CN=ExampleCertificate" -a sha256 -sky exchange -sr LocalMachine -sv ExampleCertificate.pvk ExampleCertificate.cer

  2. Run pvk2pfx.exe to create a .pfx file that can be imported into the certificate store. The .pfx file contains the certificate and private key.

    pvk2pfx -pvk ExampleCertificate.pvk -spc ExampleCertificate.cer -pfx ExampleCertificate.pfx

Install the Certificate

Install the .pfx file in the certificate store using the Microsoft Management Console plugin.

  1. Launch the Microsoft Management Console. Select Start > Run and enter mmc.exe.
  2. Select File > Add/Remove Snap-in
  3. Select Certificates from the available snap-ins and click the Add button.
  4. Select the Computer account option and click Next.
  5. Select the Local computer option and click Finish.
  6. Click OK on the Add or Remove Snap-ins dialog.
  7. On the Console dialog, expand Console Root > Trusted Root Certification Authorities > Certificates.
  8. Right-click Certificates and select All Tasks > Import.
  9. Click Next on the Certificate Import Wizard.
  10. Click Browse and select the .pfx file created in the previous procedure.
  11. Continue through the wizard to complete the import. Make sure the check box named “Mark this key as exportable. This will allow you to back up or transport your keys at a later time.” is not set. You don’t want users to be able to export the private key, and you already have the .pfx file.
  12. Back on the Console dialog with Console Root > Trusted Root Certification Authorities > Certificates highlighted, find the imported certificate. Right-click it and select Open.
  13. Select the Details tab on the resulting Certificate dialog.
  14. Select the Thumbprint field in the top pane.
  15. Select the contents of the bottom pane and press CTRL+C to copy it to the clipboard.

Set Setup.xml to use the certificate

  1. Open Setup.xml in a text editor such as Notepad. Setup.xml is located in the following path:

    [ [[5366|promis.e program data]] ]\Config\Setup.xml

    [ [[Program data folder - Substation|Substation program data]] ]\Config\Setup.xml

  2. Paste the Thumbprint value copied in the previous section over the thumbprint attribute of the Certificate element in the Setup.xml file, shown below. The spaces in the pasted value can be removed, but this is not necessary.

    <Configuration using="ANSI-IEEE Default">
      <Log Enable="false" Prefix="@" Postfix="@" />
      <OEM Feature="0" />
      <Certificate thumbprint="D07B60E49E688709ED73D21D90A747519DBBBF5A" />
      <Config name="ANSI-IEEE Default">

  3. Save the Setup.xml file.
  4. Confirm that the configuration works by starting the software, opening the [[Setup]] dialog, using SQL server authentication, and clicking the Apply button. If the dialog says "Configuration saved" it is working.

Distribute the certificate and Setup.xml

  1. Install the certificate on each workstation by copying the .pfx file to the workstation and following steps 1 - 11 of the Install the Certificate procedure above.
  2. Rename the Setup.xml file on the workstation to Original_Setup.xml. Setup.xml is located in the following path:

    [ [[5366|promis.e program data]] ]\Config\Setup.xml

    [ [[Program data folder - Substation|Substation program data]] ]\Config\Setup.xml

  3. Copy the Setup.xml file configured in the Set Setup.xml to use the certificate procedure above to the \Config folder of the workstation (where Original_Setup.xml resides).
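The following PowerShell script is an added example, not part of the original article or of the product. It automates the Install the Certificate steps 1 - 11 and the distribution steps above for one workstation, and then checks that the thumbprint in Setup.xml matches the certificate that was just installed. The parameter names, the C:\Deploy path in the comments and the assumption that Setup.xml has no XML namespace are mine.

```powershell
# Added example: per-workstation install of the shared .pfx and Setup.xml.
param(
    [Parameter(Mandatory)] [string] $PfxPath,      # e.g. C:\Deploy\ExampleCertificate.pfx
    [Parameter(Mandatory)] [string] $ConfigDir,    # the workstation's ...\Config folder
    [string] $MasterSetupXml = ''                  # optional: pre-configured Setup.xml to copy in
)

$ErrorActionPreference = 'Stop'

# Prompt for the .pfx password rather than hard-coding it in the script.
$pfxPassword = Read-Host -Prompt 'Password for the .pfx file' -AsSecureString

# Import into the computer's Trusted Root store, as in the MMC steps above.
# Without -Exportable the private key is marked non-exportable (step 11).
$cert = Import-PfxCertificate -FilePath $PfxPath `
        -CertStoreLocation 'Cert:\LocalMachine\Root' `
        -Password $pfxPassword
$thumbprint = $cert.Thumbprint   # upper-case hex, no spaces

# A .cer imported by mistake would have no private key and decryption would fail.
if (-not $cert.HasPrivateKey) {
    throw "Certificate $thumbprint has no private key; import the .pfx, not the .cer."
}

$setupXml = Join-Path $ConfigDir 'Setup.xml'
$backup   = Join-Path $ConfigDir 'Original_Setup.xml'

# Distribution steps 2 and 3: keep the workstation's original file, copy the master in.
if ($MasterSetupXml) {
    if ((Test-Path $setupXml) -and -not (Test-Path $backup)) {
        Rename-Item -Path $setupXml -NewName 'Original_Setup.xml'
    }
    Copy-Item -Path $MasterSetupXml -Destination $setupXml
}

# Verify: the thumbprint in Setup.xml must be the certificate just installed.
# Spaces are tolerated, matching the note in the Set Setup.xml procedure.
[xml]$doc = Get-Content -Path $setupXml -Raw
$node = $doc.SelectSingleNode('/Configuration/Certificate')
if (-not $node) { throw "No Certificate element found in $setupXml." }
$configured = ($node.GetAttribute('thumbprint') -replace '\s', '').ToUpperInvariant()
if ($configured -ne $thumbprint) {
    throw "Setup.xml references $configured but the installed certificate is $thumbprint."
}
Write-Host "Certificate $thumbprint installed; $setupXml references it."
```

Run it in an elevated PowerShell session, since writing to the LocalMachine store requires administrator rights.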

See Also

[[Distributing the Setup configuration]]

[[Network Installation Guide]]

 Original Author: daveg, Matt_P