Allow installer to (optionally) bypass Certificate checks
In nearly all installations in the last three years we have restrictions on the servers where we need to install the SSL certificates, that make it impossible to verify the validity (e.g. no access to revocation servers).
The certificate is accepted by clients as those have different authorisations.
I would like to optionally bypass the certificate checks in the PI Web API Configuration utility to allow using certificates that cannot be validated. This will save a lot of time to bypass the utility and manually remove and bind a certificate.
This enhancement request was included in PI Vision 2020. On a clean install, the setup kit will create a self-signed certificate, and apply it to the target IIS web site where PI Vision is being installed. On upgrade, where the previous version already had a certificate set for the PI Vision site, that certificate is used for the new version’s PI Vision web site.
For additional information on PI Vision 2020, please see the release announcement here:
Still fails with no internet access when replacing a valid non self signed cert with a new one even though it's in PFX format and therefore should need no external access.
This on standalone Web API configuration tool at latest revision.
PI server doesn't have internet access, on purpose, PFX format being used as it should be accepted without internet access...
Kenneth Barber commented
Interesting. Making sure that a certificate is valid is a security measure, but forbidding the PI Vision server to communicate with the outside world is also a security measure, and, arguably, the more important one.
Roger Palmen commented
PS: This applies both to PI Vision and PI Web API installers if both use the same rules to check the certificate.