Host certificate
This panel allows you to create new certificates for your hosts. When the default certificate names are used, e.g. host-cert.pem, and the certificates are generated automatically, they are also copied to the host automatically. If you create certificates yourself, you must copy them to the corresponding hosts before they can be used.
The following certificate type options are available:
Note that the file extensions "crt" and "key" are automatically added.
- Free certificate - Allows you to use a custom name. Via this option you can create keys and certificates with a user-defined name. Use this option for the Server-side Authentication for Managers.
- Certificate for the WCCILproxy - Certificate is named according to the WCCILproxy requirements.
- Certificate for the HTTP-server - Certificate is named according to the HTTP Server requirements. The HTTP certificate is also used for the following features: Mobile UI Application, ULC UX, NodeRED and Dashboard.
CAUTION: So that the certificates can be used with the Chrome browser, enter the "DNS Names" in addition to the obligatory certificate fields (Certificate type, Destination path, Certificate/key name and Expiration date).
To create a host certificate, an existing root certificate is required - see chapter Root Certificate Authority. The host certificates are created via the Host Certificate section:
Host certificate section
Certificate type
The destination path, name and expiration date are mandatory fields.
The certificate type defines the name of the created certificate. The following options are available:
- Free certificate - Allows you to use a custom name. Via this option you can create keys and certificates with a user-defined name. Use this option for the Server-side Authentication for Managers.
- Certificate for the WCCILproxy - Certificate is named according to the Multiplexing Proxy requirements.
- Certificate for the HTTP-server - Certificate is named according to the HTTP-server and Reporting Manager requirements.
Destination path
Path where the host certificate is created.
Name
Name that is used for the host certificate. This is the file name for the certificate and the key. This field is used to identify a certificate.
Expiration date
Enter the expiration date of the certificate.
Note that a certificate has an expiration date and must be recreated once it has expired! If you created the certificate yourself, recreate it yourself. If a certificate was created by an external CA, the certificate can only be recreated by the external CA.
A description on how to renew an expiring or already expired certificate can be found within the Security Guideline.
Additionally, you can enter information such as a country code, a province, a city, an organization, a department and a product name.
The country code must not be longer than two letters, e.g. AT. For the country codes, see DigiCert Country Codes.
CN Name
Common name of the certificate. This is the host name (domain name) of the server. The CN names of the root and host certificates must not be the same.
Do not use an IP address for the CN Name.
Role/User (optional)
The text from the field role/user is used to set the roleOccupant (WinCC OA user) property of a certificate. If the field is left empty, the roleOccupant (WinCC OA user) property of a certificate will not be set. SSA evaluates the roleOccupant field in the TLS Certificates in order to authenticate a WinCC OA user.
The Role/User must be a WinCC OA user name. The user is a property of a certificate and is used to authenticate the user in the Server-side Authentication for Managers. Note that you need to generate a dedicated certificate for each user you want a manager to run as.
In order to create a certificate for a specific user, enter the WinCC OA user name in the Role/User (optional) field. If, for example, you created a default standard project via the user administration, use the correct root certificate "root-cert.pem" and the corresponding key when creating new user-specific certificates. You can find the correct root certificate "root-cert.pem" and the corresponding key "root-privkey.pem" in the directory that you specified for the certificates when creating the project. See chapter Create project.
The organization names of the host and root certificate must be different! Otherwise the root CA and the host certificate are indistinguishable to the system, so the issuer (Issued by) and the host (Issued to) can no longer be told apart. In that case Windows reacts with a warning message and a corresponding note.
DNS Names
Domain of the web server, e.g. www.winccoa.com. You can specify several names by using the button on the right. Use this field for secure certificates for the HTTP server, MXProxy and SSA. Otherwise the browser will show an error message about a certificate that is not secure for the HTTP server.
Note that the error message is only shown for the HTTP server by the browser.
Create
Creates the new host certificate and host keyfile inside the destination folder. For information about the certificate types and file extensions, see chapter Types of Certificates.
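The field rules above can be checked before a certificate is created. The following pre-flight check is an added example, not part of WinCC OA; the dictionary keys, function names and sample values are assumptions of this example. It goes one step beyond the page by also testing whether each host name users will open in the browser is covered by the DNS Names, including a wildcard entry.

```python
import ipaddress
from datetime import date

def is_ip(value):
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False

def san_covers(hostname, dns_names):
    """Exact match, or '*' standing for exactly one left-most label."""
    host = hostname.lower().rstrip(".")
    for name in dns_names:
        pattern = name.lower().rstrip(".")
        if pattern == host or (pattern.startswith("*.")
                               and host.partition(".")[2] == pattern[2:]):
            return True
    return False

def check_host_cert(host, root, today, browser_hosts=()):
    """Return the list of rule violations for a planned host certificate."""
    problems = [f"mandatory field missing: {f}"
                for f in ("destination_path", "name", "expiration_date")
                if not host.get(f)]
    exp = host.get("expiration_date")
    if exp and exp <= today:
        problems.append("expiration date is not in the future")
    cc = host.get("country", "")
    if cc and (len(cc) > 2 or not cc.isalpha()):
        problems.append("country code must be at most two letters")
    cn = host.get("cn", "")
    if is_ip(cn):
        problems.append("CN Name must not be an IP address")
    if cn.lower() == root.get("cn", "").lower():
        problems.append("CN Name must differ from the root certificate's CN")
    if host.get("organization", "").lower() == root.get("organization", "").lower():
        problems.append("organization must differ from the root certificate's")
    dns = host.get("dns_names", [])
    if not dns:
        problems.append("DNS Names must be set (required by Chrome)")
    problems += [f"{h} is not covered by DNS Names"
                 for h in browser_hosts if not san_covers(h, dns)]
    return problems

# Constructed sample input (keys and values are this example's own, not the panel's).
ROOT = {"cn": "Plant Root CA", "organization": "Example Plant PKI"}
HOST = {"destination_path": "/certs", "name": "host-cert", "country": "AT",
        "expiration_date": date(2030, 1, 1), "cn": "10.0.0.5",
        "organization": "Example Plant PKI", "dns_names": ["*.plant.example"]}
```

Calling `check_host_cert(HOST, ROOT, date(2025, 1, 1), ["hmi.plant.example"])` reports the IP address used as CN Name and the organization shared with the root certificate.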
Free Certificate
Certificate for the HTTP Server
Certificate for the MXProxy