Skip to main content
InSource Solutions

TN - 1138 Using a Certificate Provided by IT for SMS


This article from InSource shows how to use a certificate provided by IT when configuring the AVEVA Common Platform System Management Server.  The machines running AVEVA software are configured to trust one another to make use of encrypted communication.

  • Author:  Rich Brooks
  • Published:  4/1/2021
  • Applies to:  AVEVA System Patform 2020 R2 and higher


The Common Platform System Management Service is setup from the Configurator.  Select the This machine is the System Management Server radio button.  One machine is configured as the System Management Server and the other machines are configured as clients to the SMS server.


Note:  IT Provided certificates should be installed by IT prior running the Configurator.  That includes any required root, intermediate, and/or personal certificate(s).  The certificates need to be installed locally on each machine in the system.  Create a personal certificate (.pfx file) that combines the certificate (.cer file) with the private key.  A tool such as the ssl-converter found on may be used to create the pfx file.

Install the root certificate to Root, the intermediate certificate to Intermediate, and the SSL certificate to Personal.

Certificate Storage Requirements



Private Key access Permissions

root certificate

Local Computer Trusted Root Certification Authorities store


intermediate certificate

Local Computer Intermediate Certification Authorities store


SSL certificate

Local Computer Personal store

ArchestrAWebHosting user group read access is granted by Configurator

The following certificate fields are required.  Check to be sure the certificate includes the required fields.

SSL Certificate Requirements




Key Usage

Digital Signature, Key Encipherment, Data Encipherment (b0)


Enhanced Key Usage

Server Authentication (


Subject Alternative Name

DNS Name=localhost

Only required when your client accesses your web applications via localhost.

DNS Name=[machine name]

Only required when your client accesses your web applications via the machine name. 

e.g. DNS Name=mymachineName

DNS Name=[public origin]

Only required when the Management Server Public Origin feature is enabled per How to Use Public Origin

e.g. DNS

DNS Name=[fully qualified domain name]

Required when the wildcard domain name is not used.

PCS framework uses the FQDN as the endpoint identity to authenticate the PCS web service.

This item must be the last entry in the SAN list due to a known Microsoft .Net Framework issue. More on the issue here and workaround here.

e.g. DNS

DNS Name=[wildcard domain name]

Only required when IT plan to deploy the Management Server on any machine in the domain.

e.g. DNS Name=*

Friendly name

A friendly display name


Configurator displays the friendly name in the certificate drop-down list.

e.g. IT Binding Certificate

Click on the Advanced button in the Configurator to continue.  The default option is to use the Automatically Generated certificate provided by AVEVA.


Alternatively, select Provided by IT (import/select) from the drop down as the Certificate Source.  Also, select the personal certificate friendly name from the Certificate drop down list.

The Friendly name is added from the Certificate Manager.  Expand out Personal to select the Certificates folder.  Right click on the certificate to select properties.  Type in the Friendly name and click on the OK button to save and close the dialog. 


Select the details button back in the Configurator.  Verify the certificate selected is correct as viewed from the Certificate Path tab.  Also, check to be sure that certificates exist with valid dates in the associated Certificate Store.


Click on the Ok button to close the advanced configuration dialog and then click on the Configure button in the Configurator.


Check the Configuration Messages for any warning and/or error messages.  It will display Device configuration complete when it completes successfully.

  • Was this article helpful?