HTTPS (SSL Connections)

To use HTTPS following steps must be followed:

  1. Create a new WinCC OA project on the server.

  2. Extract the required certificate from the server:
    openssl s_client -connect localhost:443
  3. Import the received certificate to the main keystore:
    bin\keytool -import -file <path to file> -keystore lib\security\cacerts -alias
                                WinCC OA -storepass xxxx
  4. Connect via browser.

The server must have a certificate file, which tells the client with whom it talks. The certificate file must reside in a config directory and must have the name "certificate.pem". The format of the file is PEM.

Create a Certificate with a Certificate Authority

The first step is to choose an provider that will create the certificate (e.g. verisign.com). After entering the company-related data on the homepage, a CSR file (certificate signing request) and a private key are necessary.

  • To generate the a new private key open the Shell of the operating system, change directory to the /config directory of the project:
cd <project_path>/config

and enter the following command:

openssl genrsa 2048 > privkey.pem

  • The CSR file will be generated with the following command:
openssl req -new -key privkey.pem -out cert.csr –outform <format required by the provider>

Now you have to enter the following data:

  • Country (2 letter code, e.g. AT)

  • State/County/Region (e.g. Burgenland)

  • City/Locality (e.g. Eisenstadt)

  • Organization/Company (e.g. © ETM professional control GmbH 2022 )

  • Organizational Unit (optional, e.g. a particular department of the company)

  • Common Name: [host+domain name] (e.g. www.etm.at)

  • Email adress (leave empty)

  • Password (leave empty)

  • Optional company name (leave empty)

  • The generated CSR file must be transferred to the provider which creates the certificate and send it back. Now you have to import the received certificate into the /config directory of the project and a HTTPS connection to the server is possible. A cipher suite is used for the encryption.

Note:

If the error "no start line" occurs in the "certificate.pem" file, it is possible that there is a BOM (Byte order mark) at the start of the file. You have to open the file with an editor that can detect the BOM and remove it from the file.

Create a self-signed Certificate

Here a certificate is created manually. You can also use a panel - see chapter - Create SSL Certificates via Panel. Create the certificate type "Certificate for the HTTP Server".
  • In this example a private key (privkey.pem) is created.

  • Change directory to the /config directory of the project:

cd <project_path>/config

Create the root key

  • openssl genrsa -aes256 -out private/ca.key.pem 4096

  • Enter pass phrase for ca.key.pem: secretpassword Verifying - Enter pass phrase for ca.key.pem: secretpassword

Create the root certificate

  • Use the root key (ca.key.pem) to create a root certificate (ca.cert.pem). The root certificate must contain a long expiry date, e.g. 30 years. If the root certificate expires, the certificates signed by the CA become invalid.

    openssl req -config openssl.cnf
    -key private/ca.key.pem
    -new -x509 -days 10950 -sha256 -extensions v3_ca
    -out certs/ca.cert.pem

Verify the root certificate

  • openssl x509 -noout -text -in certs/ca.cert.pem

Generate a Private Key

  • To generate a new private key, enter the following command:

openssl genrsa 2048 > privkey.pem

  • This file will be stored in the /config directory of the project. Enter the following openSSL command to create a new self-signed certificate:

openssl req -new -x509 -key privkey.pem -out certificate.pem -days 1095

1095 days are 3 years (defines the validity period for the certificate).

Note:

The private key has to be RSA encrypted and base64 encoded in order to avoid certificate warnings.

  • After this, an interactive process is started, where the user must enter some information and confirm them using the Enter key. The "Common Name" is important for the HTTPS server - enter the IP address of the server. Otherwise the web browser will not be able to allocate the certificate to the server. For example:

========================== You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank. For some fields there will be a default value. If you enter '.', the field will be left blank. Country Name (2 letter code) [AU]:AT State or Province Name (full name) [Some-State]:Burgenland Locality Name (eg, city) []:Eisenstadt Organization Name (eg, company) [Internet Widgits Pty Ltd]:ETM Organizational Unit Name (eg, section) []:. Common Name (eg, YOUR name) []:192.168.129.1 Email Address []:. ==========================

Subsequently, the certificate.pem file is created and stored in the directory entered earlier.