
How to create your certificates signed by MIO Self-Signed Root CA

This article applies to the expired MIO Root CA certificate issue.

Prerequisites:

1. OpenSSL running on Windows.

2. The MIO Self-Signed Root CA, which is created during the Connect MOM installation. Default folder: C:\Program Files\Siemens\Opcenter Connect MOM\Certificate. This folder should contain the files mio_root_ca.cer and mio_root_ca.pfx.

3. The passphrase used to create the Certificate Authority during the installation. Default passphrase: Passphrase.

 

Steps:

1. Open 'Win64 OpenSSL Command Prompt', change directory to 'C:\Program Files\Siemens\Opcenter Connect MOM\Certificate'.

Note: if there's an issue running scripts through OpenSSL, you may use cmd with administrator access.

1.1  Run cmd as an administrator then change directory to 'C:\Program Files\Siemens\Opcenter Connect MOM\Certificate'

2. Create a key file with command: 'openssl ecparam -out mioservice.key -name prime256v1 -genkey'

3. Create a custom config file and add the necessary information, below is a sample file.

mioservice.cnf:

    [ req ]
    default_md = sha256
    prompt = no
    req_extensions = req_ext
    distinguished_name = req_distinguished_name

    [ req_distinguished_name ]
    commonName = MIO Services
    countryName = US
    stateOrProvinceName = Louisiana
    localityName = Slidell
    organizationName = Acme Inc.

    [ req_ext ]
    keyUsage=critical,digitalSignature,keyEncipherment
    extendedKeyUsage=critical,serverAuth,clientAuth
    subjectAltName = @alt_names

    [ alt_names ]
    IP.0 = 1.1.1.1
    IP.1 = 2.2.2.2
    DNS.0 = server1.example.com
    DNS.1 = server2.example.com
    email.0 = email1@example.com
    email.1 = email2@example.com

 

4. Generate CSR with the command: 'openssl req -new -key mioservice.key -out mioservice.csr -config mioservice.cnf -extensions req_ext'

5. Run the command 'openssl pkcs12 -in mio_root_ca.pfx -nocerts -out mio_root_ca.key' to get a key file. You will be asked to enter the import password and a PEM pass phrase in this step.

6. Generate the certificate from the CSR and the key, and sign it with the MIO Self-Signed Root CA key: 'openssl x509 -req -in mioservice.csr -CA mio_root_ca.cer -CAkey mio_root_ca.key -CAcreateserial -out mioservice.cer -days 3650 -extensions req_ext -extfile mioservice.cnf'. You will be asked to enter the pass phrase for mio_root_ca.key in this step.

Import Password: Passphrase entered during Installation

PEM pass phrase: Passphrase

 

7. Validate the certificate: 'openssl x509 -in mioservice.cer -text -noout'
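
The text dump in step 7 has to be read by eye. The PowerShell script below is an added example, not part of the original article or of the Connect MOM product, that checks the same files automatically. It assumes openssl is on PATH, that it is run from the Certificate folder, and that the SAN values are the sample ones from mioservice.cnf.

```powershell
# Added example: post-issuance checks on the files produced in steps 2-6.
# Assumptions: openssl (1.1.1 or later, for -ext) is on PATH, the current
# directory is the Certificate folder, and the .cer files are PEM-encoded,
# as the signing command in step 6 reads them.
$cert = 'mioservice.cer'
$key  = 'mioservice.key'
$ca   = 'mio_root_ca.cer'
# Sample SAN entries from mioservice.cnf above; replace with your own.
$expectedSans = @('DNS:server1.example.com', 'IP Address:1.1.1.1')
$results = [ordered]@{}

# 1. The new certificate must chain to the MIO root CA.
& openssl verify -CAfile $ca $cert | Out-Null
$results['Chains to root CA'] = ($LASTEXITCODE -eq 0)

# 2. Neither certificate may expire within 30 days (2592000 seconds).
foreach ($file in $ca, $cert) {
    & openssl x509 -in $file -noout -checkend 2592000 | Out-Null
    $results["$file valid for 30+ days"] = ($LASTEXITCODE -eq 0)
}

# 3. The certificate must carry the public key of mioservice.key.
#    -ceq is used because base64 is case-sensitive.
$certPub = (& openssl x509 -in $cert -noout -pubkey) -join "`n"
$keyPub  = (& openssl ec -in $key -pubout 2>$null) -join "`n"
$results['Key matches certificate'] = ($certPub -ne '' -and $certPub -ceq $keyPub)

# 4. The SAN entries must have been copied in by -extfile/-extensions;
#    openssl x509 -req does not take them from the CSR by default.
$sanText = (& openssl x509 -in $cert -noout -ext subjectAltName) -join ' '
$missing = @($expectedSans | Where-Object { -not $sanText.Contains($_) })
$results['Expected SANs present'] = ($missing.Count -eq 0)

# Print one OK/FAIL line per check.
$results.GetEnumerator() | ForEach-Object {
    '{0,-36} {1}' -f $_.Key, $(if ($_.Value) { 'OK' } else { 'FAIL' })
}
if ($results.Values -contains $false) {
    Write-Warning 'At least one check failed; do not bind this certificate in IIS yet.'
}
```

The later steps do not use mio_root_ca.key, the root CA private key exported in step 5, so it can be removed from the folder once signing in step 6 is done.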

Script to create a PFX file for mioservice
 
> Run in Windows Command Prompt or in PowerShell
 openssl pkcs12 -export -out mioservice.pfx -inkey mioservice.key -in mioservice.cer -name "MIO Service"
 
> After running the above script, run SelectCertificate in PowerShell
 
> Update the bindings in IIS
 

Best practice to import PFX:

The PFX contains the certificate, private key and root CA certificate. Import the PFX from IIS instead of installing it with a double-click.

 

 

Reference KBs:

https://support.sw.siemens.com/en-US/knowledge-base/PL8719346

https://support.sw.siemens.com/en-US/product/283547872/knowledge-base/PL8776016