Required certificates

SSL certificates are required to secure communication between certain Granta MI applications and services.

Note: In an automated Granta MI Pro deployment, all the required SSL certificate configuration will be done for you, and so you can skip this section.

The following certificates are required on your Granta MI application server.

Certificate Certificate requirements Install in this certificate store
MI Server API server certificate
  • The certificate must be trusted (signed by a trusted root Certificate Authority).
  • The certificate must have a Private Key (it cannot be a public key-only certificate).
  • Enhanced Key Usage: must contain Client Authentication and Server Authentication.
  • Subject Alternative Name: must include the hostname of the MI application server.

The Subject Alternative Name is used to specify alternative host names for the certificate. It should include both the hostname (machinename) and fully-qualified domain name of the server (machinename.yourcompany.com), for example:

  • DNS Name=machinename
  • DNS Name=machinename.yourcompany.com

Wildcard SAN definitions are allowed:

DNS Name=*.yourcompany.com

If the MI Selection Service will be running under a specific user account (and not LocalSystem), that account requires read access to the MI Server API Server certificate Private Key.

In the majority of cases, the certificate that you use in IIS for HTTPS is a good choice to use as the MI Server API server certificate, but you should check that it meets these certificate requirements first.

The thumbprint of this certificate must be provided when configuring MI Server, MI Service Layer, and MI Selection Service during installation.

 Local Machine Personal store
MI Server API client certificate
  • The certificate must have a Private Key (it cannot be a public key-only certificate).
  • Enhanced Key Usage: if set, it should contain Client Authentication.

The thumbprint of this certificate must be provided when configuring MI Server, MI Selection Service, and MI Ansys Material Calibration Service. A certificate PFX file and Private Key password for this certificate are required during configuration of MI Service Layer.

 Local Machine Personal store

These certificates are used to secure communication between different Granta MI services and applications as follows.



Note that MI Server and MI Selection Service both use the MI Server API server certificate. MI Selection Service uses this certificate for client authentication to MI Server, and also to authenticate requests from MI Service Layer.

A self-signed certificate is a good choice for a staging or development environment where you want to test or evaluate Granta MI functionality. In an enterprise production environment, you should consult with your IT personnel to ensure that certificates deployed for Granta MI comply with your organization's SSL certificate best practices.

Self-signed certificates for testing purposes may be generated using a Windows PowerShell cmdlet, see New-SelfSignedCertificate (pki) | Microsoft Docs for more information.

For example:

New-SelfSignedCertificate -FriendlyName "Certificate for testing MI" -DnsName "machine_name", "fq_machine_name" -Type SSLServerAuthentication -CertStoreLocation "Cert:\LocalMachine\My"

where machine_name is the host name and fq_machine_name is the fully-qualified host name, for example, computername.yourcompany.com.

If using a self-signed certificate for the MI Server API Server certificate, it should be copied into the Trusted Root Certification Authorities store.