Host certificate

This panel allows you to create new certificates for your hosts. When the default certificate names are used (e.g. host-cert.pem) and the certificates are generated automatically, they are also copied to the host automatically. If you create certificates yourself, you must copy them to the corresponding hosts before they can be used.

The following certificate type options are available:

Note:

Note that the file extensions "crt" and "key" are automatically added.

  • Free certificate - Allows you to use a custom name. With this option you can create keys and certificates with a user-defined name. Use this option for the Server-side Authentication for Managers.

  • Certificate for the WCCILproxy - Certificate is named according to the WCCILproxy requirements.

  • Certificate for the HTTP-server - Certificate is named according to the HTTP Server requirements. The HTTP certificate is also used for the following features: Mobile UI Application, ULC UX, NodeRED and Dashboard.

    CAUTION:

    For the certificates to work with the Chrome browser, enter the "DNS Names" in addition to the mandatory certificate fields (Certificate type, Destination path, Certificate/key name and Expiration date).

Creating a host certificate requires an existing root certificate - see chapter Root Certificate Authority. The host certificates are created via the Host Certificate section:

For the created certificates, see the end of this chapter. Note that depending on the certificate type, different certificates are created. See also the chapter Types of Certificates.
Figure 1. Create Host Certificate

Host certificate section

Certificate type

Note:

The destination path, name and expiration date are mandatory fields.

The certificate type defines the name of the created certificate. The following options are available:

Destination path

Path where the host certificate is created.

Name

Name that is used for the host certificate. This is the file name for the certificate and the key. This field is used to identify a certificate.

Expiration date

Enter the expiration date of the certificate.

Note:

Note that a certificate has an expiration date and must be recreated when it expires! If you created the certificate yourself, recreate it. If a certificate was created by an external CA, the certificate can only be recreated by the external CA.

A description on how to renew an expiring or already expired certificate can be found within the Security Guideline.

Additionally, you can enter information such as a country code, a province, a city, an organization, a department and a product name.

CAUTION:

The country code must not be longer than two letters such as AT. For the country code, see DigiCert Country Codes.

CN Name

Common name of the certificate. This is the host name (domain name) of the server. The CN names of the root and host certificates must not be the same.

CAUTION:

Do not use an IP address for the CN Name.

Role/User (optional)

The text from the field role/user is used to set the roleOccupant (WinCC OA user) property of a certificate. If the field is left empty, the roleOccupant (WinCC OA user) property of a certificate will not be set. SSA evaluates the roleOccupant field in the TLS Certificates in order to authenticate a WinCC OA user.

The Role/User must be a WinCC OA user name. The user is a property of a certificate and is used to authenticate the user in the Server-side Authentication for Managers. Note that you need to generate a dedicated certificate for each user you want a manager to run as.

To create a certificate for a specific user, enter the WinCC OA user name in the Role/User (optional) field. If, for example, you created a default standard project via the user administration, use the correct root certificate "root-cert.pem" and the corresponding key when creating new user-specific certificates. You can find this root certificate "root-cert.pem" and the corresponding key "root-privkey.pem" in the directory that you specified for the certificates when creating the project. See chapter Create project.

Note:

When the root CA and the host certificate use the same organization name, the system cannot tell them apart, so the issuer (Issued by) and the host (Issued to) can no longer be distinguished. Windows then reacts with a warning message and a corresponding note. Therefore, the organization names of the host and root certificate must be different!

DNS Names

Domain of the web server, e.g. www.winccoa.com. You can specify several names by using the button on the right. Use this field for secure certificates for the HTTP server, MXProxy and SSA. Otherwise the browser reports the HTTP server certificate as not secure.

Note that the error message is only shown for the HTTP server by the browser.

Create

Creates the new host certificate and host keyfile inside the destination folder. For information about the certificate types and file extensions, see chapter Types of Certificates
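The field rules from this chapter can be checked before the values are entered in the panel. The following is an added example, not part of WinCC OA: the dictionary keys, the type value "http" and all sample values are assumptions made for illustration.

```python
import ipaddress
from datetime import date

def _is_ip(value):
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False

def check_host_cert_fields(host, root, today=None):
    """Return rule violations for planned panel input (dicts are a hypothetical shape)."""
    today = today or date.today()
    problems = []
    for field in ("path", "name", "expires"):  # mandatory fields
        if not host.get(field):
            problems.append(f"missing mandatory field: {field}")
    if host.get("expires") and host["expires"] <= today:
        problems.append("expiration date is not in the future")
    country = host.get("country", "")
    if len(country) > 2 or (country and not country.isalpha()):
        problems.append("country code must not be longer than two letters")
    cn = host.get("cn", "")
    if _is_ip(cn):
        problems.append("CN Name must be a host name, not an IP address")
    if cn and cn.lower() == root.get("cn", "").lower():
        problems.append("CN of host and root certificate must differ")
    org = host.get("organization")
    if org and org == root.get("organization"):
        problems.append("organization of host and root certificate must differ")
    if host.get("type") == "http" and not host.get("dns_names"):
        problems.append("HTTP server certificate needs DNS Names (Chrome)")
    return problems

# Constructed sample values, not taken from a real project.
ROOT = {"cn": "Example Root CA", "organization": "Example Root Org"}
GOOD = {"type": "http", "path": "/certs", "name": "web", "expires": date(2030, 1, 1),
        "country": "AT", "organization": "Example Plant", "cn": "hmi01.example.com",
        "dns_names": ["hmi01.example.com"]}
BAD = {"type": "http", "path": "", "name": "web", "expires": date(2024, 1, 1),
       "country": "AUT", "organization": "Example Root Org", "cn": "192.0.2.10",
       "dns_names": []}

if __name__ == "__main__":
    for label, cfg in (("GOOD", GOOD), ("BAD", BAD)):
        print(label, check_host_cert_fields(cfg, ROOT, today=date(2025, 1, 1)))
```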

Free Certificate

Figure 2. SSL Host Certificates - Free Certificate
Figure 3. Created Free Host Certificate ([name].crt) and Host Key File ([name].key)

Certificate for the HTTP Server

Figure 4. SSL Host Certificate - Certificate for the HTTP Server
Figure 5. Created HTTP Host Certificate (certificate.pem) and Host Key File (privkey.pem)

Certificate for the MXProxy

Figure 6. SSL Host Certificates - Certificate for the MxProxy
Figure 7. Created MxProxy Host Certificate (cert.pem) and Host Key File (key.pem)