Configure Certificates for Identified Flex Client

This step is part of the workflow for Configuring an Identified Flex Client.

 

NOTE: This section covers the certificates that allow the Desigo CC server to recognize the host certificate of the Flex station, so that it can operate as an identified client.
Do not confuse these with the other certificates that may be used for a Flex client deployment (web services and website certificates), which are instead configured during the preceding step (see Setup Checklist for Flex Client).

Prepare Root and Host Certificates

The root and host certificates can be created using SMC or acquired from a commercial CA. Here we provide the procedure for using SMC.

You need the following:

  • A root certificate (.cer + .pfx files) that identifies the source of certificates used for communication between the Desigo CC server and the identified Flex client.
  • A host certificate (.cer + .pfx files) generated from the above root certificate and issued to the computer where you want to run the identified Flex client.

 

Create root certificate

  1. In the SMC tree, select Certificate.
  2. Click Create Certificate and select Create root certificate (.pfx).
  3. Enter a descriptive name for the .cer and .pfx certificate file names, for example IdentifiedFlexRoot.
  4. Provide a path where the created certificates should be saved.
  5. Also enter a descriptive name for the Subject name, for example Identified Flex Root.
  6. Provide and confirm the password for the root certificate.
    Note this down, as you will need it in order to create the host certificates.
  7. Click Save.
  • The files [identified flex root].CER and [identified flex root].PFX are saved to the specified path.

 

Create host certificate for identified Flex station

  1. Now in SMC click Create Certificate again and select Create host certificate (.pfx).
  2. In the Root certificate field, browse for and select the [identified flex root].PFX certificate created above.
  3. Enter its password into the Root certificate password field.
  4. Enter a descriptive name for the .cer and .pfx certificate file names, for example IdHostXYZ.
  5. Provide a path where the certificates should be saved. This can be the same location where you saved the root.
  6. In the Subject name enter the full name of the computer you want to use as an identified Flex station.
    In this example we will use XYZ as the computer name.
  7. Provide and confirm the password for this host certificate.
    Note this down, as you will need it in order to import the .PFX host certificate into the Flex station.
  8. Click Save.
  • The files [IdHostXYZ].CER and [IdHostXYZ].PFX are saved to the specified path.

If you have additional Flex stations, you can create a host certificate for each one in the same way, using the same root. In each case, make sure the Subject name corresponds to the full computer name of the identified Flex station.

Import Certificates Into Desigo CC Server

On the Desigo CC server you need to import the .CER root certificate, and also the .CER host certificate for the identified Flex station. If your deployment includes a separate IIS web server, you must also import the same root and host certificates into that computer.

 

Import the .CER root certificate

  1. Right-click the [IdentifiedFlexRoot].CER file and select Install Certificate.
  2. Select Local Machine as the Store location and click Next.
  3. Select Place all certificates in the following store.
  4. Click Browse..., select Trusted Root Certification Authorities, and click OK.
  5. Click Next and click Finish.
  • The root certificate is imported into the Trusted Root Certification Authorities (TRCA) store for Local Computer.
    The TRCA store for Current User also automatically inherits this root certificate.

 

Import the .CER host certificate of the Flex station

  1. Right-click the [IdHostXYZ].CER file and select Install Certificate.
  2. In Store location select Local Machine and click Next.
  3. Select Place all certificates in the following store.
  4. Click Browse..., select Personal, and click OK.
  5. Click Next and click Finish.
  • The host certificate is imported into the Personal store for Local Computer.

 

Import Certificates into the Flex Station

On the Flex station, you need to import the root certificate, and also the host certificate issued to that Flex station.
In this example, in SMC a root certificate IdentifiedFlexRoot was used to create a host certificate IdHostXYZ for an identified Flex station whose computer name is XYZ.

 

Copy the certificate files to the Flex station

Copy the root certificate .CER file and the host certificate .PFX file to a location accessible from the identified Flex client computer.

 

Import the .CER root certificate

  1. Right-click the [IdentifiedFlexRoot].CER file and select Install Certificate.
  2. Select Local Machine as the Store location and click Next.
  3. Select Place all certificates in the following store.
  4. Click Browse..., select Trusted Root Certification Authorities, and click OK.
  5. Click Next and click Finish.
  • The root certificate is imported into the Trusted Root Certification Authorities (TRCA) store for Local Computer.
    The TRCA store for Current User also automatically inherits this root certificate.

 

Import the .PFX host certificate for current user

  1. Right-click the [IdHostXYZ].PFX file and select Install PFX.
  2. In Store location select Current User and click Next.
  3. Check the certificate file name and click Next.
  4. Enter the password for the host certificate and click Next.
    This is the password that you provided when creating the host certificate in SMC.
  5. In the Import options:
    • Select Enable strong private key protection to require the Flex client user to enter a password for this certificate when logging in (see below).
    • Otherwise leave this option deselected to allow Flex client login with less user interaction.
  6. Select Place all certificates in the following store.
  7. Click Browse..., select Personal, and click OK.
  8. Click Next and click Finish.
  9. Only if Enable strong private key protection was set:
    • In the Importing a new private exchange key dialog box, click Set Security Level.
    • Select High (request my permission with a password) and click Next.
    • Provide and confirm a password and click Finish.
      Note down this password and provide it to the Flex client user for whom you are importing the certificate.
    • Click OK.
  • The host certificate is imported into the Personal store for Current User.

NOTE: You must repeat this import for each Windows user that will be accessing identified Flex client on this computer.
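
After the imports above, a check like the following can be run on the Flex station as each Windows user who will use the identified Flex client. It is an added example, not part of the Desigo CC documentation or tooling. The function name Test-IdentifiedFlexCerts is hypothetical, the default subject is the page's example value, and the script assumes that SMC writes the Subject name as the certificate's common name and that the created certificates publish no revocation list.

```powershell
# Added example: verifies the root and host certificate placement on the Flex station.
function Test-IdentifiedFlexCerts {
    param(
        [string]$RootSubject = 'Identified Flex Root',  # assumed: Subject name given to the root in SMC
        [string]$HostSubject = $env:COMPUTERNAME        # assumed: Subject name given to the host certificate
    )
    $findings = @()

    # Root certificate: Trusted Root Certification Authorities, Local Computer
    $roots = @(Get-ChildItem Cert:\LocalMachine\Root |
        Where-Object { $_.GetNameInfo('SimpleName', $false) -eq $RootSubject })
    if ($roots.Count -eq 0) { $findings += "Root '$RootSubject' not found in LocalMachine\Root" }

    # Host certificate: Personal, Current User (imported from the .PFX)
    $hostCerts = @(Get-ChildItem Cert:\CurrentUser\My |
        Where-Object { $_.GetNameInfo('SimpleName', $false) -eq $HostSubject })
    if ($hostCerts.Count -eq 0) { $findings += "Host certificate '$HostSubject' not found in CurrentUser\My" }

    foreach ($cert in $hostCerts) {
        $id = "$HostSubject [$($cert.Thumbprint)]"
        # A certificate imported from the .CER instead of the .PFX carries no private key
        if (-not $cert.HasPrivateKey) { $findings += "$id has no private key" }
        $now = Get-Date
        if ($now -lt $cert.NotBefore -or $now -gt $cert.NotAfter) {
            $findings += "$id is outside its validity period"
        }

        # Build the chain; revocation checking is skipped (assumption: no CRL is published)
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode = 'NoCheck'
        if (-not $chain.Build($cert)) {
            $status = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
            $findings += "$id chain does not validate: $status"
        } else {
            # The last chain element is the trust anchor; it must be the imported root
            $top = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
            if ($roots.Thumbprint -notcontains $top.Thumbprint) {
                $findings += "$id chains to '$($top.Subject)', not to '$RootSubject'"
            }
        }
    }
    return $findings
}

$result = Test-IdentifiedFlexCerts
if ($result) { $result | ForEach-Object { Write-Warning $_ } }
else { 'Root and host certificates look consistent.' }
```

If the Subject name was entered as a fully qualified computer name, pass that value with -HostSubject instead of relying on the default.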

 

(Firefox only) Import Root Certificate into Firefox Certificate Store on Flex Station

 

After the root certificate is imported on the remote Flex client station, Firefox must also be able to recognize the issuer of the certificate that secures the communication. To allow this, you must import the root certificate of the host certificate used for securing the website/web application into the Firefox certificate store.
This is because the Mozilla Firefox browser maintains its own certificate store from which the certificate must be selected.
IIS performs the certificate chain validation to identify a trusted CA. Without importing the root certificate, that chain validation fails.
For more information on how to import the certificate into the Firefox store, see Install Client Digital Certificate - Firefox for Windows.
Settings for importing the certificate might differ depending on the version of the Mozilla Firefox browser you are running.