X.509 Certificate Renewal
"SSL" is the acronym for the Secure Sockets Layer security protocol. SSL is an older technology, but the term has become the de facto name for Internet security. VTScada uses the more modern Transport Layer Security (TLS) protocol (although, for the sake of compatibility with older Windows operating systems, it can fall back to SSL).
While the term "SSL Certificate" is in common use, "X.509 Certificate" is the correct term.
X.509 certificates expire. You must renew yours according to the terms under which you purchased it.
Renewal consists of obtaining a new certificate, which contains a new public key (among other things), and combining it with the existing private key. The process is not disruptive. Before beginning, ensure that you have installed the OpenSSL toolkit and that you are using a Windows account with administrative rights.
- Sign in to your certificate provider's website.
- Select your certificate and follow the instructions to renew and to pay for the renewal.
- After your provider has verified the purchase, you may download a new certificate.
The download contains two .CRT files. One is the certificate for your host (referred to here as "certificate.crt") and the other is the intermediate certificate from your provider (referred to here as "intermediate.crt"), which establishes that the provider is authorized to issue certificates. (There may be a separate download for intermediate.crt.)
Certificate.crt contains a new public key with a new expiration date. The old certificate and private key should be kept together in a PFX file for internal use and storage. You will use the OpenSSL toolkit to do so.
- Obtain your existing private key file (the PFX file currently in use, referred to here as "certname.pfx").
- Run the following command in OpenSSL to extract the private key. (You may need to provide the path to OpenSSL.exe.) The -nocerts option leaves the old certificate out of the output, and -nodes writes key.pem without encryption, so treat that file as sensitive.
OpenSSL pkcs12 -in certname.pfx -nocerts -out key.pem -nodes
- Optional step: convert the extracted key to a plain RSA private key file.
OpenSSL rsa -in key.pem -out private.key
You need a password-protected PFX file to store the new certificate where it is needed. This includes the private key, certificate.crt, and intermediate.crt from your provider.
- Run the following command in OpenSSL, where "certificate.pfx" should be given a name that combines host and year (for example: test.trihedral.com-2018.pfx).
OpenSSL pkcs12 -export -out certificate.pfx -inkey key.pem -in certificate.crt -certfile intermediate.crt
- OpenSSL will prompt for a password. Use the same password as the one that secured the previous PFX file.
- Save the certificate and install it where needed.
- After ensuring that the .pfx has been safely stored, clean up by deleting all the files used and created during this procedure, in particular key.pem and private.key, which hold the private key unencrypted.
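The following script is an added example, not VTScada's or OpenSSL's own code. It rehearses the whole procedure above end to end against a throwaway PKI that it builds locally, so that a practitioner can see the renewal commands run and check their result before doing it with a real provider's files. It assumes that the openssl binary (1.1.1 or 3.x) is on the PATH; the host name host.example.test, the working directory, the passphrase, and the function names are all placeholders constructed for the demonstration. It passes the PFX passphrase with -passin/-passout to run unattended; in the real procedure let OpenSSL prompt, as the steps above describe.

```shell
#!/bin/sh
# Added example (not VTScada's or OpenSSL's code): rehearses the certificate
# renewal procedure against a locally generated test PKI. Every file below is
# constructed here; nothing is sent to a real certificate provider.
# Assumptions: `openssl` is on PATH; HOST, WORK and PASS are placeholders.
set -eu

WORK="${WORK:-$(mktemp -d)}"
HOST="host.example.test"
PASS="pfx-passphrase-constructed-for-demo"   # real use: let openssl prompt
YEAR="$(date +%Y)"

# Stand-in for "your provider": a root CA, an intermediate CA, the host's
# existing (almost expired) certificate packed into certname.pfx, and the
# renewed certificate (same public key, new expiry) as certificate.crt.
make_test_pki() {
  cd "$WORK"
  openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -subj "/CN=Test Root" \
      -keyout root.key -out root.crt >/dev/null 2>&1
  openssl req -newkey rsa:2048 -nodes -subj "/CN=Test Intermediate" \
      -keyout intermediate.key -out intermediate.csr >/dev/null 2>&1
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
  openssl x509 -req -in intermediate.csr -CA root.crt -CAkey root.key -CAcreateserial \
      -days 1825 -extfile ca.ext -out intermediate.crt >/dev/null 2>&1
  # The host keeps one private key across renewals.
  openssl genrsa -out host.key 2048 >/dev/null 2>&1
  openssl req -new -key host.key -subj "/CN=$HOST" -out host.csr >/dev/null 2>&1
  # Old certificate: one day left.
  openssl x509 -req -in host.csr -CA intermediate.crt -CAkey intermediate.key \
      -CAcreateserial -days 1 -out old.crt >/dev/null 2>&1
  openssl pkcs12 -export -inkey host.key -in old.crt -certfile intermediate.crt \
      -out certname.pfx -passout "pass:$PASS"
  # Renewed certificate from the "provider": same key, one more year.
  openssl x509 -req -in host.csr -CA intermediate.crt -CAkey intermediate.key \
      -CAcreateserial -days 365 -out certificate.crt >/dev/null 2>&1
}

# The page's own steps: extract the existing private key, then pack it with
# certificate.crt and intermediate.crt into a new PFX named host-year.
renew_pfx() {
  cd "$WORK"
  # -nocerts drops the old certificate; -nodes writes key.pem UNENCRYPTED.
  openssl pkcs12 -in certname.pfx -nocerts -nodes -out key.pem -passin "pass:$PASS"
  # Optional step: plain RSA key file without PKCS#12 bag attributes.
  openssl rsa -in key.pem -out private.key 2>/dev/null
  # New PFX; same passphrase as the previous PFX file.
  openssl pkcs12 -export -out "$HOST-$YEAR.pfx" -inkey key.pem -in certificate.crt \
      -certfile intermediate.crt -passout "pass:$PASS"
}

# Checks worth running before installing the new PFX. Returns 0 if all pass.
check_renewal() {
  cd "$WORK"
  # 1. The renewed certificate must belong to the private key we kept.
  cert_mod=$(openssl x509 -noout -modulus -in certificate.crt)
  key_mod=$(openssl rsa -noout -modulus -in key.pem 2>/dev/null)
  [ "$cert_mod" = "$key_mod" ] || { echo "private key does not match certificate"; return 1; }
  # 2. The chain certificate.crt -> intermediate.crt -> root must verify.
  openssl verify -CAfile root.crt -untrusted intermediate.crt certificate.crt >/dev/null \
      || { echo "chain does not verify"; return 1; }
  # 3. The new PFX must carry both certificates (host + intermediate).
  n=$(openssl pkcs12 -in "$HOST-$YEAR.pfx" -nokeys -passin "pass:$PASS" | grep -c 'BEGIN CERTIFICATE')
  [ "$n" -eq 2 ] || { echo "expected 2 certificates in PFX, found $n"; return 1; }
  # 4. The old certificate fails a 30-day expiry check; the new one passes it.
  if openssl x509 -checkend 2592000 -noout -in old.crt >/dev/null; then
    echo "old certificate unexpectedly valid"; return 1
  fi
  openssl x509 -checkend 2592000 -noout -in certificate.crt >/dev/null \
      || { echo "renewed certificate expires too soon"; return 1; }
  return 0
}

# Final step from the page: remove the unencrypted key material and scratch
# files once the new PFX is safely stored. (Only the new PFX is kept here.)
cleanup_secrets() {
  cd "$WORK"
  rm -f key.pem private.key host.key host.csr old.crt certname.pfx
}

make_test_pki
renew_pfx
check_renewal && echo "renewal verified: $WORK/$HOST-$YEAR.pfx"
cleanup_secrets
```

The modulus comparison in check_renewal is the test that catches the most common renewal mistake, pairing the new certificate with a different private key; the chain verification catches a missing or wrong intermediate.crt, which would otherwise surface only as a trust error on client machines.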