Create, Convert and Import Multiplexing Proxy Certificates

This example describes how to create WinCC OA certificates for the Multiplexing Proxy via the WinCC OA panel, how to convert them into the Windows Certificate Store format, and how to import them into the Windows Certificate Store.

In order to save and manage the WinCC OA certificates in the MMC, the certificates created via the WinCC OA Panel for SSL Certificates must first be converted into the Windows certificate format PKCS12.

After creating the certificates via the Panel for SSL Certificates, use the following OpenSSL command to convert them into PKCS12 format.

  • For the host certificate, execute the following command in the directory where you saved the certificates:
    openssl pkcs12 -export -in host-cert.pem -inkey host-key.pem -out ProxyHostCert.pfx
CAUTION:

The Windows registry entry HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Cryptography\forcekeyprotection must be set to 0 so that the certificates for the Multiplexing Proxy can be used. Open the registry via the regedit command and add the entry or change the default value 2 to 0. Certificates that were imported before the entry was set must be re-imported. The default value 2 is set for security reasons (it enforces key protection for private keys stored on the computer), so change it only on the hosts that actually run the Multiplexing Proxy.

Figure 1. Command Prompt - openSSL Command
  • Open the Microsoft Management Console (MMC) as administrator by entering mmc in the command prompt.
  • In the "File" menu click on "Add or remove Snap-ins".
  • Then select "Certificates" and the computer account.
    Figure 2. Windows MMC - Select Certificates
    Figure 3. Windows MMC - Select Computer Account
    Figure 4. Windows MMC - Select Local Computer
  • Click on "Finish" and "OK".

  • Import the certificates created in the first step as follows:

Figure 5. Import Certificates - Step 1
Figure 6. Import Certificates - Step 2
Figure 7. Import Certificates - Step 3
    Tick the checkbox "Mark this key as exportable. This will allow you to back up or transport your keys at a later time". This option is required for the Multiplexing Proxy!
Figure 8. Import of Certificates - Step 4
  • Select the Certificate Store "Personal" and finish the import.
    Figure 9. Import of Certificates - Step 5
    Figure 10. Import of Certificates - Imported Host Certificate
  • Since the certificate was stored in the computer account, the private key can no longer be read by a user by default.

    This means that when a logged in user starts a WinCC OA project, the private key cannot be read.

    Additional steps are required to resolve this issue:

    • Right-click on the certificate.
    • In the context menu, select All Tasks -> Manage Private Keys.
    • Assign read rights for the private key to the group the user belongs to.
  • Import the .pem root certificate into the "Trusted Root Certification Authorities" store.
    Figure 11. Import of certificates - Import root Certificate
  • The following example shows a config file for a Single System Configuration:

The Proxy and the Server are deployed on the same host. The Client (on a separate host) communicates with the Server via the Proxy.

Note:

This is the USER store, so the certificates can only be used by that one user. With the MACHINE account, all users can use the certificates.

  • Set the config entries as follows:

Figure 12. Server Config File - Use a Certificate via the Name in the Config File

Figure 13. Client Config File - Use a Certificate via the File Name in the Config File
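The certificate steps above (registry check, PKCS12 conversion, import into the computer account's Personal store with the exportable flag, private-key read rights for the user's group, and the root certificate import) can also be carried out from an elevated PowerShell prompt. The following script is an added example and is not part of the WinCC OA documentation; it assumes openssl.exe is on the PATH, that the PEM files from the SSL panel lie in $CertDir, that the root certificate file is named root-cert.pem, and that $ProxyGroup is the group that starts the WinCC OA project.

```powershell
# Added example (not WinCC OA's own code). Run as administrator on the proxy host.
param(
    [string]$CertDir    = 'C:\WinCC_OA_Certs',   # assumed directory holding host-cert.pem / host-key.pem
    [string]$ProxyGroup = 'BUILTIN\Users',       # assumed group that needs read access to the private key
    [string]$RootPem    = 'root-cert.pem'        # assumed file name of the exported root certificate
)
$ErrorActionPreference = 'Stop'

# 1. Check forcekeyprotection first: certificates imported before it is 0 must be re-imported.
$regPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography'
$fkp = (Get-ItemProperty -Path $regPath -Name forcekeyprotection -ErrorAction SilentlyContinue).forcekeyprotection
if ($fkp -ne 0) {
    throw "forcekeyprotection is '$fkp' (default 2); set it to 0 under $regPath before importing, then rerun."
}

# 2. Convert the PEM pair to PKCS12 (same openssl command as in the first step).
#    The export password is passed via an environment variable so it does not appear on the command line.
$pfx = Join-Path $CertDir 'ProxyHostCert.pfx'
$pfxPassword = Read-Host -AsSecureString -Prompt 'Password for ProxyHostCert.pfx'
$bstr = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($pfxPassword)
$env:PFXPASS = [Runtime.InteropServices.Marshal]::PtrToStringAuto($bstr)
& openssl pkcs12 -export -in (Join-Path $CertDir 'host-cert.pem') -inkey (Join-Path $CertDir 'host-key.pem') `
    -out $pfx -passout env:PFXPASS
Remove-Item Env:\PFXPASS
if ($LASTEXITCODE -ne 0) { throw 'openssl pkcs12 export failed' }

# 3. Import into the computer account's Personal store; -Exportable sets the flag the proxy requires.
$cert = Import-PfxCertificate -FilePath $pfx -CertStoreLocation Cert:\LocalMachine\My -Password $pfxPassword -Exportable

# 4. Grant the group read access to the private key file (the MMC "Manage Private Keys" step).
#    The key file lives under ProgramData\Microsoft\Crypto and is named after the key container.
$rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
$keyName = if ($rsa -is [System.Security.Cryptography.RSACng]) { $rsa.Key.UniqueName }
           else { $rsa.CspKeyContainerInfo.UniqueKeyContainerName }
$keyFile = Get-ChildItem -Path "$env:ProgramData\Microsoft\Crypto" -Recurse -Filter $keyName | Select-Object -First 1
$acl = Get-Acl -Path $keyFile.FullName
$acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule($ProxyGroup, 'Read', 'Allow')))
Set-Acl -Path $keyFile.FullName -AclObject $acl

# 5. Import the PEM root certificate into the computer account's Trusted Root Certification Authorities.
$root  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2((Join-Path $CertDir $RootPem))
$store = New-Object System.Security.Cryptography.X509Certificates.X509Store('Root', 'LocalMachine')
$store.Open('ReadWrite'); $store.Add($root); $store.Close()

# 6. Verify: the imported host certificate must report HasPrivateKey = True for the proxy to use it.
Get-ChildItem Cert:\LocalMachine\My | Where-Object Thumbprint -eq $cert.Thumbprint |
    Select-Object Subject, Thumbprint, HasPrivateKey, NotAfter
```

Step 4 is the scripted equivalent of the MMC "Manage Private Keys" dialog; if the proxy still cannot read the key afterwards, re-check the key file's ACL and the forcekeyprotection value from step 1.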