Dataristix™ certificate handling notes

This note contains information about the use of certificates in Dataristix and certificate backup strategies for disaster recovery.

Use of certificates

Various Dataristix connectors use certificates for identification. These certificates do not form part of the project but remain in place when projects are loaded or when a new project is started. This means:

  • The OPC UA connector retains the OPC UA client identity that is trusted by OPC UA servers, and you do not need to trust the Dataristix client again on the OPC Server side.
  • For the MQTT connector, the broker’s certificate authority and server certificates remain the same and MQTT clients continue to trust the broker.

Some certificates may become inaccessible when loading a project or when starting a new project:

  • Dataristix MQTT client certificates may become inaccessible because the MQTT clients present in the new project may be different from the previous MQTT clients. However, previously used certificates are cached, and if the new project contains MQTT clients with references to a previously cached certificate, then the previous MQTT client certificate will be restored. Generally, project iterations using the same MQTT clients retain their certificates and trust relationships.
  • REST client certificates may become inaccessible because the REST clients present in the new project may be different from the previous REST clients. Again, if the new project contains REST clients with references to a previously cached certificate, then the previous REST client certificate will be restored, and project iterations using the same REST clients retain their certificates.

In short, on the same computer, certificates and trust relationships are retained across different projects. Restoring a Dataristix instance on a different computer requires further consideration.

Certificate backup strategies

It is important to note that certificates that could potentially contain a private key are not included in an exported project; the saved project file does not contain the OPC UA client instance certificate, the MQTT certificate authority certificate, the MQTT server certificate, or the REST client certificates. Therefore, a new installation of Dataristix on another computer will use different certificates even after loading a previously saved project. Without precautions, trust relationships established by the original certificates would need to be restored. That means, OPC UA servers would need to trust the new Dataristix instance, MQTT clients would need to trust the new Dataristix broker certificates, and REST servers that require trusted client certificates would need to be configured to trust the new Dataristix REST client certificates.

For disaster recovery, the best option is therefore, to backup relevant Dataristix certificates including private keys, so that previous trust relationships can be restored if required. This may be achieved in one of the following ways:

  1. Using file history or other backup mechanism for the computer where Dataristix is installed. This strategy would aim at restoring the entire machine state to a state where the correct certificates are present in the file system.
  2. Keeping a backup of the PKI folders (Public Key Infrastructure folders) of the connectors that use certificates. These ‘pki’ folders are found in the respective “Program Data” folder of the connector:
    C:\ProgramData\Rensen\Dataristix\modules\MQTT Connector
    C:\ProgramData\Rensen\Dataristix\modules\OPC UA Connector
    C:\ProgramData\Rensen\Dataristix\modules\REST Connector
    PKI folders are protected, and you would need to be a system administrator to gain access to these folders. Keep backups of the contained certificate files. To restore the PKI files, locate the PKI folder on the new system, delete any existing content, and copy all backed up files contained in the previous PKI folder. Finally, restart the relevant Dataristix connector services using the Windows Services panel.

If you have used “openssl” to create certificates and imported these certificates into Dataristix (instead of using certificates generated by Dataristix) then you may already have a set of certificate files and private keys; simply ensure that these files are kept in a safe place, in case you need them to configure another Dataristix instance.

Note that exporting a certificate in Dataristix does not export the private key. If a private key is needed for operations (for the MQTT broker server certificate, the OPC UA application instance certificate, or possibly the REST client certificate), then the exported certificates cannot be reimported since they are missing the private key. The MQTT broker’s certificate authority certificate can be used without a private key, but without private key, it cannot be used to issue device certificates.

We are continuing to investigate options to strike a balance between convenience and security and may include additional features in next year’s Dataristix update to address certificate backup and restore functionality. If you would like to share your preferences or thoughts, then simply e-mail us at support@rensen.io.