How to build a STTP Subscription under TLS between OpenHistorian and OpenPDC?

I can’t set up STTPS subscriptions (STTP over TLS I imagine).
Configuration :

  • Publisher : OpenHistorian 2.8.52 on Windows 2012.
    IP address :
    Part of openHistorian.exe.config containing tls configuration :
    add name=“ConfigurationString” value=“port=6177” description=“Data required by the server to initialize.” encrypted=“false”
    add name=“CertificateFile” value=“F:\openHistorian\Certs\locals\OHIST-Replay.cer
    description=“Path to the local certificate used by this server for authentication.”
    add name=“TrustedCertificatesPath” value=“F:\openHistorian\Certs\Remotes
    description=“Not used by the TLS data publisher.” encrypted=“false”

  • Subscriber : OpenPDC 2.9.43 on Windows 2012.
    IP address :
    Part of openPDC.exe.config containing tls configuration
    add name=“ConfigurationString” value=“port=6167” description=“Data required by the server to initialize.” encrypted=“false” scope=“Application”
    add name=“CertificateFile” value=“E:\openPDC29\Certs\locals\OPDC-Replay.cer” description=“Path to the local certificate used by this server for authentication.” encrypted=“false” scope=“Application”
    add name=“TrustedCertificatesPath” value=“E:\openPDC29\Certs\Remotes” description=“Not used by the TLS data publisher.” encrypted=“false” scope=“Application”

Step 1 : On PDC subscriber, I try to create a subscription :

Step 1.1 : I open the window Inputs > Subscription Based Inputs > Create Authorization request

Step 1.2 : I create a local certificate by clickink on the ‘Advanced’ button, then Filling the CN (common name) filed with OPDC-Replay

Then click to Generate and store it as a OPDC-Replay.cer file in E:\openPDC29\Certs\locals. It works well :
The 2 paths automatically filled in the window seems OK :

Step 1.3 : On the OpenHistorian publisher side, I do so to generate a publisher local certificate (which will be the remote certificate of the PDC subscriber) :
The CN is OHIST-Replay and the file is stored in F:\openHistorian\Certs\locals\OHIST-Replay.cer

Step 1.4 : I copy the OHIST-Replay.cer local publisher certificate in the E:\openPDC29\Certs\remotes folder of the PDC subscriber.

Step 1.5 : On the PDC Subscriber, I then click on the Import CER button of the Advanced window, and select the E:\openPDC29\Certs\remotes\OHIST-Replay.cer file just copied from the OpenHistorian publisher. I have the following screen :
I then clic on ‘Close’.

Step 1.6 : I tick the ‘Self-signed ?’ option and have the following screen :
Note : the port number doesn’t change if we select GEP ou STTP. I guess that I’ll be able to change it in the connection string after in order to put the correct port number (6177 as mentionned in the « ConfigurationString" value="port=6177 of the OpenHistorian.exe.config file

Step 1.7 : I click on ‘Create’, then selecting a folder to store the request.srq file :
By doing this, I have the following error message :

=> The remote certificate mentionned in the Advanced window cannot be imported : why ?

Step 2 : I tried to make it work without having the previous message.
Step 2.1 : I deleted all, then try again from start, but without putting a value for the remote certificate in the Advanced window :

=>The request file is created and the Input Device OHIST-REPLAY is successfully created :slight_smile:

On the Input Device just created, I have the following connection string :
interface=; useSourcePrefixNames=true; compression=true; autoConnect=true; securityMode=TLS; server=; localCertificate=E:\openPDC29\Certs\locals\OPDC-Replay.cer; remoteCertificate=OHIST-REPLAY.cer; validPolicyErrors=RemoteCertificateChainErrors; validChainFlags=UntrustedRoot; checkCertificateRevocation=False

Step 2.2 : I modify the connection string to put the « ConfigurationString" value="port=6177 from the OpenHistorian.exe.config file ; then Save

Step 2.3 : I copied the request.srq file on the OpenHistorian Publisher, then Actions > Data Publisher Configuration > Authorize subscribers

Step2.4 : On this window I click on ‘Import SRQ’, then selecting the request.srq file.

Step 2.5 : I tick ‘Self-signed ?’ then ‘Save’.
The new subscriber OPDC-REPLAY is well inserted in the list and the OPDC-REPLAY.cer file is automatically stored in the F:\openHistorian\Certs\Remotes folder

Step 2.6 : On the OpenHistorian Publisher, I then tick ‘Self-Signed ?’ and ‘Enable PG Connection’ ; then ‘Save’ :

Step 2.7 : On the PDC subscriber, I then Enabled the OHIST-REPLAY input Device, then ‘Save’ :
I’ve got the following error in the PDC subscriber part console :

And this one in the Historian publisher part :

Step 2.8 : At this point, I checked with the MMC.exe console with snap-in ‘Certificates’ on the two servers if both respectives local and remotes certificates were stored :

  • On the PDC subscriber there was only the local OPDC-REPLAY certificate (in Local Computer > Personal).
  • On the Historian publisher ther was only the local OHIST-REPLAY certificate (in Local Computer > Personal).
    I then successfully use the Window way to install the remote ones on both of the servers (right clic on the .cer file, then install) :

Step 2.9 : I then stopped and started again the publisher part and the subscriber part but with the same results.
I also tried the ‘Import CER’ button on the publisher part oin order to insert the remote OPDC-Replay.cer (remote certificate for the Publisher), but I have the following error :
Off course the manager is connected to the service :

I don’t know what is going wrong and what to do next to make it works. It’s quite annoying because the TLS security layer would be a great security improvement for us.

Commonly we just use the existing publisher certificate that is setup as part of the installation. In your case since openHistorian is publisher, you would use openHistorian.cer, found in the root certificate folder, as the primary publication certificate.

We generally don’t have too much trouble with this step - perhaps we can help walk you through it and on a short call.



I tried with the ‘default’ certificates coming from the setup process (openPDC.cer and openHistorian.cer available in the root folders of openPDC and openHistorian) but I encountered two issues :

  • sometimes enabling the publisher adapter make the openhistorian service freezing and/or restarting
  • the openHistorian (publisher) console show the following error message :

A short call (maybe using Teams to display my screen) would effectively be really appreciate.
I send you a PM to find a date and hour that could suit both of us.