
I am a systems integrator using a system designed for bringing HVAC data up to a common interface; this system/software platform is called Niagara AX. The combination of the customer's network setup and requirements for a project have brought together the following scenario:

  • All systems providing said data must communicate to the consumer of that data via a web browser with HTTPS
  • There is a centralized virtual server that must be the access point through which other systems are accessed, and sub-system access must be via HTTPS
  • The customer has provided a Microsoft Active Directory certificate authority and certificate signing tool
  • Certificates generated by the HVAC systems are signable by the customer's signing tool and are accepted by the HVAC systems and work correctly in web browsers for direct connections to all systems, including the central server and all sub-systems
  • The HVAC software platform provides built-in options only for HTTP tunneling and using HTTPS

I have managed to get my system working correctly on all points except where the sub-systems must be accessed through the centralized server. Direct HTTPS access works correctly in all instances. From what I can see, my only option given the customer's setup and requirements is to use HTTPS tunneling which uses a specialized syntax specific to this HVAC system (e.g., https://cent-server/tunnel/127.32.41.8/file/px/Floorplan.px). At this point, any number of things usually happen, including 404s with silent redirect to a nonsense page, or "waiting for cent-server" that just eventually times out.

I have been told that the fix involves "combining" my SSL certificates into a single large certificate and having this "common" certificate in place on all systems involved. My question is this: how can I accomplish this?

Let my systems be labeled C - centralized server, A - sub-system A, B - sub-system B, R - root certifying authority (highly simplified). Attempting to combine the signed certificate portions of certs A and B into the public + private PEM for cert C and then importing into the certificate manager in C results in an error CertPathValidatorException claiming "Intermediate certificate lacks BasicConstraints". I'm not sure what other combination options I have available when putting my PEM together, although I know that it doesn't make sense to just insert the public-side of certs A and B into the section where this system expects cert-chain pieces to be.

abiessu
  • Also, attempting to supply both public and private keys from cert A within the PEM for cert C fails with error "Can't import multiple private keys from one file" – abiessu Aug 21 '15 at 18:55
  • Just a hunch.... but Niagara uses a Java framework if I'm not mistaken, which means it's likely this subsystem that fails to work is using the Java keystore, which will not contain the trusted root of the customer's CA. Combining the cert chain is a workaround. You might try going down the path of importing the customer's root into the Java keystore.... or.. it may end up being a waste of time. :) Sorry, I have no direct experience with Niagara. – k1DBLITZ Aug 24 '15 at 21:14
  • @k1DBLITZ: thank you for the suggestion. I can dig into the Java keystore in each of the systems, although I think I've covered this by having the customer's trusted root certificate placed in all systems' trust stores within Niagara. But I will double-check the next time I'm at that site. The main question I'm asking here is whether there is some sort of special setup involved for the certificates themselves (file format, etc.) that supports or at least helps the HTTPS tunnel process within a web browser environment... – abiessu Aug 25 '15 at 00:15
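An added example, not from the question or from Niagara AX, that reproduces the "Intermediate certificate lacks BasicConstraints" failure with a throwaway PKI and shows what a valid chain file for C looks like. It assumes `openssl` (1.1.1 or later) is on the path, uses the question's labels R, C and A, and applies the generic chain rule rather than Niagara's own import code, which is not on the page.

```sh
#!/bin/sh
# Added example, not from the question or from Niagara AX: a throwaway PKI
# built with openssl (R = root CA, C = central server, A = sub-system), then a
# check applying the rule behind the reported error: every certificate after
# the first in a PEM chain must be a CA (BasicConstraints CA:TRUE) that signed
# the one before it. A's end-entity certificate can never fill that slot.
set -e
WORK=$(mktemp -d); cd "$WORK"
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign\n' > ca.ext
printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth\n' > leaf.ext
# Root R: self-signed, CA:TRUE. Every key here is disposable test material.
openssl req -new -newkey rsa:2048 -nodes -keyout R.key -out R.csr -subj /CN=R 2>/dev/null
openssl x509 -req -in R.csr -signkey R.key -extfile ca.ext -days 1 -out R.crt 2>/dev/null

# issue_leaf NAME: end-entity certificate for NAME, signed by R, CA:FALSE.
issue_leaf() {
  openssl req -new -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1.csr" \
    -subj "/CN=$1" 2>/dev/null
  openssl x509 -req -in "$1.csr" -CA R.crt -CAkey R.key -CAcreateserial \
    -extfile leaf.ext -days 1 -out "$1.crt" 2>/dev/null
}
issue_leaf C
issue_leaf A
# is_ca FILE: succeeds only if the certificate carries BasicConstraints CA:TRUE.
is_ca() { openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'; }

# check_chain BUNDLE: split the PEM bundle into part_N.pem and walk it the way
# a path validator does. Prints "valid" or the reason; non-zero on failure.
check_chain() {
  rm -f part_*.pem
  awk '/BEGIN CERT/{n++} {print > ("part_" n ".pem")}' "$1"
  n=$(grep -c 'BEGIN CERT' "$1"); i=1
  while [ "$i" -lt "$n" ]; do
    j=$((i + 1))
    is_ca "part_$j.pem" || { echo "Intermediate certificate lacks BasicConstraints"; return 1; }
    # -partial_chain lets a non-root issuer serve as the anchor for this one hop.
    openssl verify -partial_chain -CAfile "part_$j.pem" "part_$i.pem" >/dev/null 2>&1 \
      || { echo "certificate $i is not signed by certificate $j"; return 1; }
    i=$j
  done
  echo valid
}

# What the question tried: C's cert with A's cert pasted in as the "chain".
cat C.crt A.crt > c_with_a.pem
# What C's chain should hold: C's cert, then its issuer(s) up to R. A's and B's
# certificates do not belong here; trusting R already covers them.
cat C.crt R.crt > c_with_r.pem
check_chain c_with_a.pem || true; check_chain c_with_r.pem
```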

1 Answer


According to tech support for Niagara AX, "HTTPS Tunneling is not supported". This contradicts what I have heard from other sources, so while I will put this as the "official" answer to my question, I may update it if other information becomes available.

In other words, the point of my question, namely to find out whether certain settings or file formats for the HTTPS certificates were required to make this type of tunneling possible within this software/network environment, is moot. Thank you to all who took the time to read and consider my question.

abiessu