MappView Client: SSL certificate for https connection

Hi,

We need to perform a secure https connection with TLS certificate to connect to a MappView Client.
By following what is described in the Automation Help (GUID: f83f9b82-60fe-4f7c-b101-504cb81ffc44) (certificates generated with Automation Studio) we were able to manage the certificate and connect to the MappView server via https.

The problem is that if we have a dynamic URI of the mappView server (we give the user the possibility to change the IP address of the APC3100 ETH port) we are unable to manage the certificates.
While creating the certificate with AS we cannot understand how to associate the DNS Name(s) and IP_Addresses(es) fields with the URI (it isn’t well described in your AS Help).

SO, HOW CAN WE CREATE OR IMPORT A MULTI-DOMAIN SSL CERTIFICATE STORED IN ONE PROJECT?

Thanks.

Hello Martin,

The AS help Guid that you shared in your message is pointing to the libraries ArCert and ArSsl to perform configuration changes at runtime.

To be honest, I have not tried myself but if I had to do it myself I would probably try to use the FB ArCertGenerateX() from the ArCert library. It has both the DNS name and IP that you want to change during runtime.

I guess that you might want to use the same certificate name so you do not have to change your AS configuration. In that case I would delete your “default” certificate first using the ArCertDeleteOwn() and after that create the new one with the updated information.

As mentioned in the help, the change is not effective immediately so you probably are going to need a warm restart before the changes take place.

Maybe there is another “better” way to do it, I do not know. But at least I hope that this can give you some idea on how that might be possible.

Best regards,
Roger

2 Likes

Hello Martin,

I’ve been thinking of your question for a bit, and I don’t think you need to be as dynamic as your question asks. You indicate that you allow the user to change the IP address of the APC3100, do you extend that to the hostname of the APC3100?

I’ll try to explain how the answer changes the behavior of the system.

If the answer is no, then you should generate the SSL certificate against only the hostname and ensure your end user location has a valid DNS setup you can tie the APC3100 to. Changing the IP address will only change where the DNS tells the client to connect to, not your identification to the client. The mappView browser is then at “https://hostname/” which matches your certificate. This is how the internet works at large, the specific IP address may change (rarely) but you are connecting to a hostname which has been authenticated by your trusted certificate authority sources.

If the answer is yes, then I’m not sure how your APC3100 authenticates that it is the correct device to the user. How would a user know how to connect to the APC3100, let alone know that they are talking to the correct device. It would be like wondering if Google was at https://google.com, or https://google4.com, or some other hostname/URL. In this case, you would need to use the ArCert library to dynamically update your hostname and ip address as Roger indicates.
Additionally, under this configuration, you will end up with an unverified connection. The user will see https but also Not Secure (or other browser specific warning) when connecting to the target.
image

My base recommendations for an https/secure setup.

  1. Ensure the end user has a DNS to which you can connect your machine.
  2. Determine the hostname of your machine. It should be unique on their network.
  3. Check if the end user has a Certificate Authority they use within their corporate network (large end users will have this, smaller won’t).
  4. If they have a local CA, create a certificate signing request for your hostname for as long as allowed (can be many years if it’s intranet). Install and assign the signed certificate under the SSL configuration.
    Otherwise, create a local certificate in AS for the hostname (and re-evaluate what benefits you are getting from switching to https).
3 Likes