Ignition Certificate Activation
Certificate Activation in Ignition 8.1.43+ is a new license strategy that consumes an IA-signed license configuration JSON file and a short-lived license certificate with an associated private key.
Usage
Certificate Activation is driven by the placement of three files in the data/certificate-activation folder under the Ignition installation:
- config.json: This file will be issued by Inductive Automation and contains license details and constraints, such as the expiration date and validity thresholds for the short-lived certificates. The configuration file is typically issued to an organization and may be shared across multiple Gateways.
- license.crt: This certificate is generated and signed by the customer’s certificate authority, whose public certificate was supplied to Inductive Automation for integration into the config.json definition. The license certificate and private key should uniquely identify a given Gateway and not be shared across multiple Gateways.
- license.key: This is the private key for the public license.crt license certificate.
Ignition will need to be restarted for the files to be read. If everything is valid, the Config > Licensing page of the Gateway will show a Certificate License in the Applied Licenses section.
For the Ignition Platform item under the Certificate License, you’ll note some details specific to Certificate Activation:
- license cert subject: This is the Subject value of the certificate and identifies the license certificate target. Typically this will be the hostname of the Gateway for easy identification and correlation.
- license cert issuer: This is the Issuer value of the certificate and helps to identify which Certificate Authority signed this certificate.
- license cert fingerprint: This is the Serial Number of the issued license certificate. This label will be renamed to license cert serial number in a future version.
- license cert expiration: This is the short-lived certificate expiration date.
- config expiration: This is the license configuration expiration date.
Runtime Behavior
After the certificate activation has been validated by ensuring that the short-lived certificate is signed by the Certificate Authority defined in the license configuration, the system will not recheck until one of the expiration dates has passed. At that time, the files will be re-read from the filesystem and revalidated.
If validation fails, a license will no longer be applied. The Gateway Status > Logs page should have log entries from the CertificateActivationStrategy logger indicating the problem. The screenshot below shows an example of certificate/key mismatch.
The system will try to re-read the files every five minutes when there is a configuration issue. During this time, the Gateway will be in Trial mode.
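Because a validation failure leaves the Gateway in Trial mode, the files can be checked with openssl before the restart. The function below is an added example, not Inductive Automation's code and not the Gateway's own validation logic. It assumes the openssl CLI is installed and that the operator holds a local copy of the CA certificate supplied to Inductive Automation; the function name is hypothetical, and config.json is only checked for presence.

```shell
#!/bin/sh
# Added example: pre-flight check of the certificate-activation files.
# Assumptions: the openssl CLI is installed; the CA file is the operator's own
# copy of the CA certificate supplied to Inductive Automation. The function
# name is hypothetical.

check_activation_files() {
    dir=$1; ca=$2; min_days=${3:-7}
    crt="$dir/license.crt"; key="$dir/license.key"

    # All three activation files (plus the CA copy) must be readable.
    for f in "$dir/config.json" "$crt" "$key" "$ca"; do
        [ -r "$f" ] || { echo "FAIL: cannot read $f" >&2; return 2; }
    done

    # license.key must be the private half of the key pair in license.crt:
    # derive the public key from each and compare.
    crt_pub=$(openssl x509 -in "$crt" -noout -pubkey 2>/dev/null) ||
        { echo "FAIL: license.crt is not a parseable certificate" >&2; return 3; }
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) ||
        { echo "FAIL: license.key is not a parseable private key" >&2; return 3; }
    [ "$crt_pub" = "$key_pub" ] ||
        { echo "FAIL: certificate/key mismatch" >&2; return 4; }

    # license.crt must chain to the CA (this also rejects an expired cert).
    openssl verify -CAfile "$ca" "$crt" >/dev/null 2>&1 ||
        { echo "FAIL: license.crt does not verify against $ca" >&2; return 5; }

    # Flag a short-lived certificate that is due for reissue.
    openssl x509 -in "$crt" -noout -checkend $((min_days * 86400)) >/dev/null ||
        { echo "FAIL: license.crt expires within $min_days day(s)" >&2; return 6; }

    # Subject, issuer, serial and expiry, for correlation with the
    # Config > Licensing page after restart.
    openssl x509 -in "$crt" -noout -subject -issuer -serial -enddate
}

# Usage: check_activation_files <dir> <ca.crt> [min_days]
```

The return code identifies the failed check: 2 for a missing file, 3 for an unparseable file, 4 for a certificate/key mismatch, 5 for a chain failure, 6 for a certificate close to expiry.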