Creating a certificate for the On-Prem Management Console with Active Directory Certificate Services (ADCS)

Overview

This article walks you through creating an X.509 certificate in Microsoft Active Directory Certificate Services (ADCS) for use with RealVNC OPC. You duplicate the built-in Webserver template, configure it for OPC, publish it on your Certificate Authority, enroll for the certificate from a target server, and export it in the P12 and PEM formats that the RealVNC OPC installer requires.

For details of the certificate properties RealVNC OPC requires, see the RealVNC OPC certificate requirements article.

Step 1 - Duplicate the Webserver template

You start by creating a copy of the built-in Webserver template that you can customise for RealVNC OPC.

  1. On your Certificate Authority server, press Start and run certtmpl.msc.
  2. Locate the Webserver template, right-click it and select Duplicate Template.

The Properties dialog for the new template opens. Configure each tab as described in the sections below.

Compatibility tab

Set both Certification Authority and Certificate recipient to Windows Server 2016. Acknowledge any "Resulting changes" dialog that appears.

General tab

Enter the name of the template in the Template display name field. The Template name field populates automatically.

Request Handling tab

  1. Set Purpose to Signature and encryption.
  2. Tick Allow private key to be exported.

Cryptography tab

  1. Set Provider Category to Key Storage Provider.
  2. Set Minimum key size to 2048.
  3. Set Request hash to SHA-256.

Subject Name tab

Select Supply in the request. This lets you enter the subject information manually when you request the certificate in Step 4. Because this setting lets whoever enrolls choose any subject name, also check the Security tab and grant Enroll only to the accounts that will request OPC certificates, rather than to all authenticated users.

Extensions Tab

Make sure the Application Policies extension includes Server Authentication and that the Key Usage extension includes Digital Signature. These are the values the OPC server needs to present the certificate for TLS, and they are the ones the RealVNC OPC certificate requirements article asks for.

When you have configured all tabs, click OK to save the new template.

Step 2 - Publish the template on the CA

Now make the new template available for issue by your Certificate Authority.

  1. Run certsrv.msc.
  2. Right-click Certificate Templates and select New / Certificate Template to Issue.

  3. Select the certificate template you just created and click OK.

Step 3 - Open the Certificates snap-in

Open Microsoft Management Console and add the Certificates snap-in for the local computer so you can request a new certificate based on your template.

  1. Run mmc.
  2. From the File menu, select Add/Remove Snap-in....
  3. Add the Certificates snap-in. When prompted for the account scope, select Computer account, then Local computer, so that the request and the private key go into the machine store of the OPC server.

Step 4 - Request, enroll and issue the certificate

With the Certificates snap-in loaded, expand Certificates (Local Computer), right-click Personal and select All Tasks / Request New Certificate... to start the certificate enrollment wizard.

  1. Click Next on the Before You Begin page, select Active Directory Enrollment Policy and click Next again.

  2. Tick the template you created in Step 1 and click More information is required to enroll for this certificate.

  3. On the Subject tab of the Certificate Properties dialog, set the Subject name Type to Common name, enter the fully qualified host name you have given to your OPC server and click Add. Then set the Alternative name Type to DNS, enter the same host name and click Add. Use the exact name that RealVNC Server and RealVNC Viewer endpoints will use to connect to the OPC server, because that is the name they check the certificate against.

  4. Click OK to close the Certificate Properties dialog, then click Enroll to request and issue the certificate. If the template does not require CA certificate manager approval (the default for a duplicated Webserver template), the certificate is issued immediately and appears under Personal / Certificates.

Step 5 - Export the issued certificate as P12

In the Certificates snap-in, expand Personal / Certificates, locate the newly issued certificate (issued to the OPC server name), right-click it and select All Tasks / Export....

  1. On the Export Private Key page, select Yes, export the private key. This option is only offered because you ticked Allow private key to be exported in Step 1.
  2. Select Personal Information Exchange - PKCS #12 (.PFX) as the file format.
  3. Set a password to protect the file; the installer will ask for it when you upload the P12 file.
  4. Save the file with a .p12 extension. If the wizard saves the file as .pfx, rename the extension to .p12 before continuing. PFX and P12 are the same PKCS #12 format, so only the name changes.

The P12 file contains the private key. Keep it on the OPC server, restrict who can read it and delete any working copies once the installer has accepted it.

Step 6 - Create the PEM file and run the installer

The RealVNC OPC installer needs both a P12 file (containing the private key and certificate) and a PEM file (containing the public certificate). Export the public certificate separately and convert it to PEM format.

  1. In the Certificates snap-in, right-click the issued certificate and select All Tasks / Export... again.

  2. This time, choose No, do not export the private key, then select Base-64 encoded X.509 (.CER) as the output format.

  3. Rename the file extension from .cer to .pem. A Base-64 encoded .cer file already has the PEM layout (a -----BEGIN CERTIFICATE----- line, the Base64 body and an -----END CERTIFICATE----- line), so no conversion is needed.

You should now have two files: a .p12 file containing the private key and certificate, and a .pem file containing the public certificate.
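The following script is an added example and is not part of this article or of RealVNC's installer: it performs the equivalent of Steps 4 to 6 without the GUI wizards (request and enroll with certreq, export the P12 and PEM files with the PKI cmdlets) and then checks the issued certificate for the properties the template in Step 1 was configured to produce. The template name RealVNC-OPC, the CA configuration string ca01.example.com\Example Issuing CA, the host name opc.example.com and the folder C:\OPC-Cert are assumptions; replace them with your own values.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the article or RealVNC): non-interactive equivalent of Steps 4 to 6
# plus a check of the certificate properties. Run in an elevated PowerShell on the OPC server,
# because the key pair is created in the local machine store.
$Fqdn        = 'opc.example.com'                      # assumed OPC server FQDN (subject and SAN)
$Template    = 'RealVNC-OPC'                          # assumed Template name from Step 1 (not the display name)
$CaConfig    = 'ca01.example.com\Example Issuing CA'  # assumed CA config string ("certutil -dump" shows yours)
$OutDir      = 'C:\OPC-Cert'                          # assumed working directory
$PfxPassword = Read-Host -AsSecureString -Prompt 'Password to protect the P12 file'

New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
$infPath = Join-Path $OutDir 'opc.inf'
$reqPath = Join-Path $OutDir 'opc.req'
$cerPath = Join-Path $OutDir 'opc.cer'
$p12Path = Join-Path $OutDir 'opc.p12'
$pemPath = Join-Path $OutDir 'opc.pem'

# Step 4 equivalent. With "Supply in the request" the subject and SAN come from the request,
# so both carry the name that Server and Viewer endpoints will connect to.
@"
[NewRequest]
Subject = "CN=$Fqdn"
KeyAlgorithm = RSA
KeyLength = 2048
HashAlgorithm = SHA256
ProviderName = "Microsoft Software Key Storage Provider"
MachineKeySet = TRUE
Exportable = TRUE
KeyUsage = 0xA0
RequestType = PKCS10

[Extensions]
2.5.29.17 = "{text}"
_continue_ = "dns=$Fqdn&"

[RequestAttributes]
CertificateTemplate = $Template
"@ | Set-Content -Path $infPath -Encoding ASCII

function Invoke-CertReq([string[]]$Arguments) {
    & certreq.exe @Arguments
    if ($LASTEXITCODE -ne 0) { throw "certreq $($Arguments[0]) failed with exit code $LASTEXITCODE" }
}
Invoke-CertReq @('-new', '-q', $infPath, $reqPath)                        # key pair + CSR
Invoke-CertReq @('-submit', '-q', '-config', $CaConfig, $reqPath, $cerPath) # CA issues against the template
Invoke-CertReq @('-accept', '-q', $cerPath)                               # bind issued cert to the private key

# Step 5 equivalent: PKCS #12 with the private key. .pfx and .p12 are the same format.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -eq "CN=$Fqdn" -and $_.HasPrivateKey } |
    Sort-Object NotBefore -Descending | Select-Object -First 1
if (-not $cert) { throw "No certificate with a private key for CN=$Fqdn in LocalMachine\My" }
Export-PfxCertificate -Cert $cert -FilePath $p12Path -Password $PfxPassword -Force | Out-Null

# Step 6 equivalent: public certificate only, Base-64 (PEM) with 64-character lines.
$b64 = [Convert]::ToBase64String($cert.RawData) -replace '(.{64})', "`$1`n"
"-----BEGIN CERTIFICATE-----`n$($b64.TrimEnd("`n"))`n-----END CERTIFICATE-----`n" |
    Set-Content -Path $pemPath -Encoding ASCII -NoNewline

# Check the properties the Step 1 template settings were meant to produce.
function Test-OpcCertificate {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate,
          [string]$ExpectedFqdn)
    $eku = $Certificate.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }  # Extended Key Usage
    $ku  = $Certificate.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.15' }  # Key Usage
    $san = $Certificate.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }  # Subject Alternative Name
    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($Certificate)
    $digSig = [System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]::DigitalSignature
    [ordered]@{
        'Server Authentication EKU'   = [bool]($eku -and ($eku.EnhancedKeyUsages.Value -contains '1.3.6.1.5.5.7.3.1'))
        'Digital Signature key usage' = [bool]($ku -and (($ku.KeyUsages -band $digSig) -ne 0))
        'SAN contains FQDN'           = [bool]($san -and ($san.Format($false) -match "DNS Name=$([regex]::Escape($ExpectedFqdn))"))
        'RSA key >= 2048 bits'        = [bool]($rsa -and $rsa.KeySize -ge 2048)
        'SHA-256 signature'           = ($Certificate.SignatureAlgorithm.FriendlyName -eq 'sha256RSA')
        'Private key present'         = $Certificate.HasPrivateKey
    }
}

$results = Test-OpcCertificate -Certificate $cert -ExpectedFqdn $Fqdn
$results.GetEnumerator() | ForEach-Object {
    '{0,-28} {1}' -f $_.Key, $(if ($_.Value) { 'OK' } else { 'FAIL' })
}
if ($results.Values -contains $false) { throw 'Certificate does not meet the OPC requirements; review the template.' }
"P12: $p12Path`nPEM: $pemPath"
```

The INF requests the same values the template enforces (RSA 2048, SHA-256, Key Storage Provider, exportable key, Digital Signature plus Key Encipherment in KeyUsage 0xA0), so a mismatch reported by Test-OpcCertificate points at the template or at the CA having overridden the request, not at the script. The P12 password is read as a SecureString and never written to disk; delete the working folder once the installer has imported both files.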

Run the installer

  1. Run the RealVNC OPC installer.
  2. When prompted, upload the P12 and PEM files.

The PEM file also needs to be present on the RealVNC Server and RealVNC Viewer endpoints that will connect to the OPC server. For more information, see the Deployment tab on your OPC server.
