Import Certificate Chain to Trust Store

The Industrial Edge Management (IEM) supports certificates signed by private Certificate Authorities (CAs). To establish secure communication and a chain of trust, the private root certificate and any intermediate certificates must be imported into the Industrial Edge Device's (IED) trust store.

During the onboarding process, this is handled automatically through the configuration file. However, if the root CA changes after onboarding, you can manually update it via the IED UI.

Prepare the certificate chains

To manually update the trust store, you need to prepare a JSON document that contains the certificate chains for the Portal Endpoint and the Registry Endpoint (used in legacy IEM OS versions). Each chain must include the root certificate and, if applicable, any intermediate certificates, all in PEM format and base64-encoded.

{
  "portal_chain": "<base64-encoded PEM certificate chain for portal endpoint>",
  "registry_chain": "<base64-encoded PEM certificate chain for registry endpoint>"
}

To encode the PEM certificate file in base64, you can use:

base64 -i <my-root-ca>.pem
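
The preparation steps above combined into one script, as an added example that is not part of the product documentation. The function names `encode_chain` and `build_trust_json` and the `.pem` file names are assumptions; the check looks only at PEM markers and does not parse or verify the certificates.

```shell
#!/bin/sh
# Added example: encode_chain and build_trust_json are hypothetical helper
# names; the .pem file names in the usage line are placeholders.

# encode_chain FILE
# Print FILE base64-encoded on one line. GNU base64 wraps output at 76
# columns by default; a raw newline inside a JSON string is invalid, so
# line breaks are stripped. Only PEM markers are checked, not the X.509 data.
encode_chain() {
    [ -r "$1" ] || { echo "cannot read: $1" >&2; return 1; }
    begin=$(grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true)
    end=$(grep -c -- '-----END CERTIFICATE-----' "$1" || true)
    if [ "$begin" -eq 0 ] || [ "$begin" -ne "$end" ]; then
        echo "$1: not a complete PEM certificate chain" >&2
        return 1
    fi
    # A trust store needs certificates only; never ship key material.
    if grep -q -- 'PRIVATE KEY-----' "$1"; then
        echo "$1: contains a private key, refusing to encode" >&2
        return 1
    fi
    base64 < "$1" | tr -d '\n'
}

# build_trust_json PORTAL_CHAIN REGISTRY_CHAIN
# Emit the JSON document with the two keys the page specifies.
build_trust_json() {
    portal=$(encode_chain "$1") || return 1
    registry=$(encode_chain "$2") || return 1
    printf '{\n  "portal_chain": "%s",\n  "registry_chain": "%s"\n}\n' \
        "$portal" "$registry"
}

# Usage:
#   build_trust_json portal-chain.pem registry-chain.pem > trust-store.json
```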

Import the chains to IED

  1. Navigate to Settings > System
  2. Select Import Certificates to IED Trust Store

This import updates the IED’s certificate store to trust both the provided private CA and all public trusted CAs.

NOTICE

For more information, refer to Certificates in IE.