Skip to Content
Niagara 4How to install a Code Signing Certificate from a Developer

How to install a Code Signing Certificate from a Developer

Code signing certificates in Niagara 4 provide security and trust verification for modules, applications, and custom code. Installing a developer's code signing certificate allows you to trust and execute signed code from that developer in your Station.

Overview

Code signing certificates serve several purposes:

  • Code Integrity: Verify code hasn't been tampered with
  • Developer Authentication: Verify code origin
  • Trust Management: Control which developers' code can execute
  • Security Policy: Enforce security policies for code execution

Prerequisites

Before installing a code signing certificate, ensure you have:

  • Administrative access to the Niagara Station
  • The code signing certificate file from the developer
  • Certificate file format information (typically .cer, .crt, or .p7b)
  • Understanding of your Station's code signing policy

Understanding Code Signing in Niagara

How Code Signing Works

  1. Developer Signs Code: Developer signs module/code with their certificate
  2. Certificate Verification: Station verifies certificate validity
  3. Trust Check: Station checks if certificate is trusted
  4. Code Execution: If trusted, code executes; otherwise, execution may be blocked

Certificate Types

  • Developer Certificate: Certificate from individual developer
  • CA Certificate: Certificate Authority certificate (trusts all certificates from that CA)
  • Root Certificate: Root CA certificate (trusts entire certificate chain)

Step-by-Step Installation

Step 1: Obtain Certificate from Developer

Request the code signing certificate from the developer:

  1. Certificate File: Obtain certificate file (.cer, .crt, .p7b, or .pem format)
  2. Certificate Chain: If provided, obtain full certificate chain
  3. Certificate Information: Request certificate details (issuer, validity period)
  4. Verification: Verify certificate authenticity with developer

Step 2: Access Certificate Store

  1. Open Niagara Workbench
  2. Connect to your target Station
  3. Navigate to StationProperties
  4. Go to Security or Certificates tab
  5. Locate Code Signing Certificates or Trusted Certificates section

Alternatively:

  1. Navigate to ServicesSecurity Service (if available)
  2. Access Certificates or Code Signing section

Step 3: Import Certificate

  1. In the Certificates section, click Import or Add Certificate
  2. Select Import from File option
  3. Browse to the certificate file location
  4. Select the certificate file
  5. Click Open to begin import

Step 4: Configure Certificate Properties

During import, configure certificate properties:

  • Certificate Name: Enter descriptive name (e.g., "Developer Name - Code Signing")
  • Certificate Purpose: Select "Code Signing" or "Trust"
  • Trust Level: Set trust level (Full Trust, Limited Trust, etc.)
  • Validity Period: Review certificate validity dates
  • Certificate Details: Review certificate information (issuer, subject, etc.)

Step 5: Verify Certificate Information

Review imported certificate details:

  • Subject: Certificate owner information
  • Issuer: Certificate Authority information
  • Validity: Certificate validity period
  • Thumbprint: Certificate unique identifier
  • Key Usage: Certificate intended uses

Step 6: Install Certificate Chain (if provided)

If developer provided certificate chain:

  1. Import root CA certificate first
  2. Import intermediate CA certificates
  3. Import developer certificate last
  4. Verify certificate chain is complete

Step 7: Configure Trust Settings

Set trust configuration for the certificate:

  • Trust for Code Signing: Enable trust for code signing
  • Trust for Authentication: Configure authentication trust (if applicable)
  • Trust Scope: Set trust scope (Station-wide, specific applications, etc.)
  • Auto-Trust: Configure automatic trust for certificates from this issuer

Step 8: Verify Certificate Installation

  1. Certificate List: Verify certificate appears in trusted certificates list
  2. Certificate Status: Check certificate status (Valid, Expired, etc.)
  3. Trust Status: Verify trust settings are configured correctly
  4. Test Signed Code: Test with signed code from developer

Step 9: Configure Code Signing Policy

Configure Station code signing policy:

  1. Navigate to StationPropertiesSecurity
  2. Locate Code Signing Policy section
  3. Configure policy:
    • Require Signing: Require all code to be signed
    • Allow Unsigned: Allow unsigned code (not recommended)
    • Trusted Developers: List of trusted developers/certificates
    • Blocked Certificates: List of blocked/revoked certificates

Step 10: Test Certificate Functionality

  1. Obtain Signed Module: Request signed test module from developer
  2. Import Module: Import signed module into Station
  3. Verify Signature: Verify module signature is recognised
  4. Execute Module: Test module execution
  5. Review Logs: Check logs for certificate-related messages

Certificate File Formats

Common Formats

  • .cer / .crt: DER or PEM encoded certificate
  • .p7b / .p7c: PKCS#7 certificate chain
  • .pem: PEM encoded certificate (text format)
  • .pfx / .p12: PKCS#12 certificate with private key (not typically used for trust)

Format Conversion

If certificate format needs conversion:

  1. Use OpenSSL: Convert between formats using OpenSSL
  2. Certificate Tools: Use Windows Certificate Manager or similar tools
  3. Developer Assistance: Request certificate in required format from developer

Configuration Examples

Basic Certificate Installation

Certificate File: developer-code-signing.cer
Certificate Name: Acme Developers - Code Signing
Trust Level: Full Trust
Purpose: Code Signing
Validity: 2024-01-01 to 2025-12-31

Certificate Chain Installation

Root CA: root-ca.cer
Intermediate CA: intermediate-ca.cer
Developer Cert: developer-cert.cer
Installation Order: Root → Intermediate → Developer

Troubleshooting

Certificate Import Failures

If certificate import fails:

  1. File Format: Verify certificate file format is supported
  2. File Corruption: Check certificate file is not corrupted
  3. Permissions: Ensure you have administrative permissions
  4. File Path: Verify file path is accessible
  5. Format Conversion: Try converting to different format

Certificate Not Trusted

If certificate is not trusted:

  1. Trust Settings: Verify trust settings are configured
  2. Certificate Chain: Ensure full certificate chain is installed
  3. Root CA: Verify root CA certificate is trusted
  4. Certificate Status: Check certificate is not expired or revoked
  5. Policy Configuration: Review code signing policy settings

Signed Code Not Executing

If signed code is not executing:

  1. Certificate Trust: Verify certificate is in trusted list
  2. Code Signature: Verify code is properly signed
  3. Policy Settings: Check code signing policy allows execution
  4. Certificate Validity: Verify certificate is within validity period
  5. Logs: Review Station logs for specific error messages

Certificate Expiration

When certificate expires:

  1. Renewal: Request renewed certificate from developer
  2. Update Certificate: Replace expired certificate with new one
  3. Validity Monitoring: Set up monitoring for certificate expiration
  4. Notification: Configure alerts for upcoming expirations

Security Best Practices

Certificate Management

  • Verification: Always verify certificate authenticity with developer
  • Secure Storage: Store certificates securely
  • Regular Review: Periodically review trusted certificates
  • Revocation: Remove revoked or compromised certificates immediately

Trust Configuration

  • Principle of Least Privilege: Only trust necessary certificates
  • Specific Trust: Trust specific developers rather than entire CAs when possible
  • Regular Audits: Periodically audit trusted certificates
  • Documentation: Document why each certificate is trusted

Policy Enforcement

  • Require Signing: Require code signing for all custom code
  • Block Unsigned: Block execution of unsigned code
  • Monitor Execution: Monitor code execution and certificate usage
  • Incident Response: Have process for handling certificate issues

Advanced Configuration

Certificate Revocation Lists (CRL)

Configure CRL checking:

  1. CRL Location: Configure CRL distribution point
  2. CRL Updates: Set up automatic CRL updates
  3. Revocation Checking: Enable revocation checking for certificates
  4. Offline CRL: Configure offline CRL if network access is limited

Certificate Pinning

For enhanced security:

  1. Pin Certificates: Pin specific certificates for critical applications
  2. Certificate Validation: Configure strict certificate validation
  3. Chain Validation: Require full certificate chain validation
  4. OCSP: Configure Online Certificate Status Protocol checking

Integration with PKI

Integrate with enterprise PKI:

  1. Enterprise CA: Trust enterprise Certificate Authority
  2. Auto-Enrollment: Configure automatic certificate enrollment
  3. Group Policy: Apply certificate policies via group policy
  4. Centralised Management: Use centralised certificate management tools

Additional Resources

  • Code Signing Best Practices
  • X.509 Certificate Standards (RFC 5280)
  • Niagara 4 Security Guide
  • Public Key Infrastructure (PKI) Documentation
How to calculate the quantity of Global Capacity Points consumed in a StationHow to setup an Email Service in a Niagara Station (Gmail)