Root Certificate Authority
Root Certificate Authority Certificate
Path to the Root Certificate Authority certificate that is being used to sign the host certificate.
In the certificate panel the Root Certificate Authority and host certificates are created in the selected directory (default: config).
The Desktop UI copies the certificates to the cache of the client.
Root Private Key file
Path to the private key file that is being used for the host certificate. This key is only required for creating the Root Certificate Authority certificate and public host certificates. WinCC OA does not need this file to authenticate the manager and the connections.
Password
Used to enter and verify the password for the root keyfile. The password was assigned when the root keyfile was created.
Create
Opens the "Root Certificate" dialog (see below), which allows you to create a new root certificate. We recommend creating one CA/root certificate per project. All host certificates must be signed with this one CA/root certificate.
SSL Root certificate
The Root Certificate panel allows you to create a new root certificate. A root certificate is required to create host certificates.
Certificate type
The certificate type defines the name of the created certificate. The following options are available:
- Free certificate - Allows a custom name to be used. Use the certificate for Server-side Authentication for Managers.
- Certificate for the WCCILproxy - Certificate is named according to the Multiplexing Proxy requirements.
- Certificate for the HTTP-server - Certificate is named according to the HTTP-server and Reporting Manager requirements.
Destination path
Path where the root certificate is created.
Name
The name is used to identify the root certificate.
Password
Password that is used to secure the root keyfile. This password is required for creating host certificates.
Expiration date
Enter the expiration date of the certificate.
Note that a certificate has an expiration date and must be renewed before it expires! If you created the certificate yourself, renew the certificate. If a certificate was created by an external CA, the certificate can only be recreated or renewed by the external CA.
With a root CA, the expiration date can be very far in the future. Use a shorter validity period for host certificates, since the security requirements must be met on the plant. In practice, these are often given a term of one year. The plant operator must be aware of this and define processes so that the certificates created are exchanged in time.
A description of how to renew an expiring or already expired certificate can be found in the Security Guideline.
Additionally, you can enter information such as a country code, a province, a city, an organization, a department and a product name.
The organization name of the host certificate and the root certificate must be different.
Common Name (CN)
Common name of the root certificate. This is the host name (domain name) of the server. The common names of the root and host certificates must not be the same.
Do not use an IP address for the CN.
Create
Creates the new root certificate and root keyfile inside the destination folder. For information on the certificate formats, see chapter Types of Certificates.
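The naming and expiry rules above (different CN and organization for root and host certificate, no IP address as CN, renewal before expiry) can be checked before certificates are deployed. The following Python script is an added example, not part of WinCC OA or its documentation; it assumes the certificates can be read by OpenSSL and parses the text printed by `openssl x509 -noout -subject -enddate -nameopt RFC2253`. The sample values, the function names and the 30-day renewal window are constructed for illustration.

```python
import ipaddress
import re
from datetime import datetime, timedelta, timezone

# Constructed sample output of:
#   openssl x509 -in <cert> -noout -subject -enddate -nameopt RFC2253
ROOT_SAMPLE = "subject=CN=ca.example.com,O=Example Plant CA,C=AT\nnotAfter=Jan  1 00:00:00 2040 GMT\n"
HOST_BAD = "subject=CN=192.0.2.10,O=Example Plant CA,C=AT\nnotAfter=Mar 10 00:00:00 2025 GMT\n"
HOST_OK = "subject=CN=scada01.example.com,O=Example Plant Ops,C=AT\nnotAfter=Feb 20 00:00:00 2026 GMT\n"
NOW = datetime(2025, 3, 1, tzinfo=timezone.utc)  # constructed "current time"

def parse_cert_text(text):
    """Parse the subject= and notAfter= lines into (attribute dict, expiry)."""
    subject = re.search(r"^subject=\s*(.*)$", text, re.M).group(1)
    not_after = re.search(r"^notAfter=(.*)$", text, re.M).group(1)
    attrs = {}
    for rdn in re.split(r"(?<!\\),", subject):  # split on unescaped commas only
        key, _, value = rdn.partition("=")
        attrs[key.strip().upper()] = value.strip().replace("\\,", ",")
    expiry = datetime.strptime(" ".join(not_after.split()), "%b %d %H:%M:%S %Y GMT")
    return attrs, expiry.replace(tzinfo=timezone.utc)

def is_ip(value):
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False

def check_pair(root_text, host_text, now, renew_days=30):
    """Return a list of findings; an empty list means the pair follows the rules."""
    root, root_exp = parse_cert_text(root_text)
    host, host_exp = parse_cert_text(host_text)
    findings = []
    for label, attrs in (("root", root), ("host", host)):
        if is_ip(attrs.get("CN", "")):
            findings.append(f"{label}: CN is an IP address")
    if root.get("CN", "").lower() == host.get("CN", "").lower():
        findings.append("root and host CN are the same")
    if root.get("O", "").lower() == host.get("O", "").lower():
        findings.append("root and host organization are the same")
    for label, exp in (("root", root_exp), ("host", host_exp)):
        if exp <= now:
            findings.append(f"{label}: expired on {exp:%Y-%m-%d}")
        elif exp - now <= timedelta(days=renew_days):
            findings.append(f"{label}: expires on {exp:%Y-%m-%d}, renew now")
    return findings

if __name__ == "__main__":
    print(check_pair(ROOT_SAMPLE, HOST_BAD, NOW))
```

A missing CN or organization in both certificates compares as equal and is therefore reported as a finding.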
In the following, root CA certificates are created for all three features: SSA, HTTP Server and MxProxy. These figures are only examples of the specific types. HOWEVER, YOU MUST ONLY CREATE ONE ROOT CA CERTIFICATE PER PROJECT, REGARDLESS OF THE NUMBER OF FEATURES. USE THIS ROOT CA FOR ALL FEATURES.