Citect 2016 Deployment Server Certificates Expired

Hi all,

It seems that when the Citect 2016 Deployment Server is configured, the certificates that are installed are set up with a 5 year expiry. After 5 years, it is no longer possible to log in to the Deployment Server, and the deployment server log fills up with errors like:

"Certificate chain is invalid for xxxxxxxxxxxxxxxxxx "CN=Citect Deployment server port binding" issued by "CN=Citect Deployment CA""

Specifically, the certificates which are expiring after 5 years are:

  • Citect Deployment server code signing
  • Citect Deployment server port binding

My question is, have others encountered this issue? And, what is the simplest, least disruptive way to recover from this situation?

  • Unfortunately, Citect SCADA 2016 is out of support. You could reach out to Global Customer Service and find out if a tool could be created to renew those self-signed certificates, which probably is the best way to renew the expired certificates.

    At the moment, there are only two options available.

    1. Upgrade to 2018R2 or later. System Management Server in 2018R2 has the mechanism that will automatically renew a certificate if it expires
    2. If there is no plan to upgrade, you will have to reinstall/reconfigure the deployment environment in order to get new certificates
      1. Uninstall the deployment server 2016
      2. Delete the associated certificate from the certificate store.
      3. Delete its binding port (443 by default) using netsh http delete sslcert in a command window.
      4. Delete the server config file in .\config folder.
      5. Reinstall and reconfigure the deployment server, which will generate a new certificate (for 5 years from the installation date)
      6. Copy the new auth file to all clients and reconfigure them (delete node config file in .\config first).
  • Hi Jacky, thanks for the options you've provided - good incentive to upgrade

  • Hi,

    We found the simplest way to get a new set of certificates for another 5 years

    • Stop the deployment server service from Services Window
    • Delete SE.Asb.Deployment.Server.WindowsService.exe.config from .\Config 
    • Launch Configurator in Administrator
    • Configure the deployment server with the same port and option "Create unique security certificates for me". A new set of certificates will be created and the binding port will be automatically updated with the new certificate
    • Distribute the new auth file to all clients.
    • Stop the deployment client service from Services Window
    • Delete SE.Asb.Deployment.Node.WindowsService.exe.config from .\Config
    • Launch Configurator and configure the deployment client with the new auth file.

    Your deployment environment is ready for operation.

    Note that your deployment history will be persisted as long as you keep the same binding port (default is 443).

    Hope this will be helpful.

  • Thanks Jacky, that is really helpful. I've tested this out on the server and confirmed I can re-connect from the Citect Studio Deployment view. No access to the Clients atm, but I'm confident this procedure will sort them out.
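
An added example, not posted by anyone in this thread and not vendor code: a PowerShell check, run from an elevated prompt on the deployment server, that reports how long the two certificates named above have left and whether the certificate bound to the HTTPS port is one of them. It assumes the certificates sit somewhere under the LocalMachine store and that netsh output is in English; the 90-day threshold is an arbitrary choice.

```powershell
# Added example: audit the Citect Deployment certificates discussed in this thread.
# Assumptions: certs are under Cert:\LocalMachine; netsh output is English.
$pattern  = 'CN=Citect Deployment server (code signing|port binding)'
$warnDays = 90     # constructed threshold, adjust to your maintenance window
$port     = 443    # default binding port mentioned in the thread
$now      = Get-Date

# Search every LocalMachine store; skip the store container objects themselves.
$report = Get-ChildItem -Path Cert:\LocalMachine -Recurse |
    Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509Certificate2] -and
        $_.Subject -match $pattern
    } |
    ForEach-Object {
        $days = [int][math]::Floor(($_.NotAfter - $now).TotalDays)
        [pscustomobject]@{
            Subject    = $_.Subject
            Issuer     = $_.Issuer
            Store      = ($_.PSParentPath -split '\\')[-1]
            Thumbprint = $_.Thumbprint
            NotAfter   = $_.NotAfter
            DaysLeft   = $days
            Status     = if ($days -lt 0) { 'EXPIRED' }
                         elseif ($days -le $warnDays) { 'EXPIRING' }
                         else { 'OK' }
        }
    }
$report | Sort-Object NotAfter | Format-Table -AutoSize

# Walk the http.sys SSL bindings and pick out the one(s) on the deployment port.
$current = $null
foreach ($line in (netsh http show sslcert)) {
    if ($line -match '^\s*(IP:port|Hostname:port)\s*:\s*(\S+)') {
        $current = $Matches[2]
    }
    elseif ($current -and $current -match ":$port$" -and
            $line -match '^\s*Certificate Hash\s*:\s*([0-9A-Fa-f]+)') {
        $bound = $Matches[1].ToUpper()
        $hit   = $report | Where-Object { $_.Thumbprint -eq $bound } | Select-Object -First 1
        if ($hit) {
            "Binding $current -> $($hit.Subject), $($hit.Status), $($hit.DaysLeft) days left"
        } else {
            "Binding $current -> thumbprint $bound is not a Citect Deployment certificate found above"
        }
    }
}
```

Scheduling this and alerting on EXPIRING gives notice before the login failures described in the first post begin.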