Root Certificate

Open the panel for SSL Certificates via System Management > Communication > SSL Certificates.

Figure 1. Root Certificate

The panel is divided into following sections:

Root Certificate

Path to the Root Certificate Authority certificate that is being used to sign the host certificate.

In the certificate panel the root certificates and host certificates are created in the selected directory (default: config).

The Desktop UI copies the certificates to the cache of the client.

Root Private Key file

Path to the private key file that is being used for the host certificate. This key is only required for creating the Root Certificate Authority certificate and public host certificates. WinCC OA does not need this file to authenticate the manager and the connections.

Restriction: The project name may not contain any special characters ( / \\ " ? < > * | : ) or dots .

Password

Is used to enter and verify the password for the root keyfile. The password has been assigned during the creation of the root keyfile.

Create

Opens the "Root Certificate" Dialog (see below) which allows to create a new root certificate. We recommend creating one CA/root certificate per project. All host certificates must be signed with this one CA/root certificate.

SSL Root certificate

Figure 2. Create Root Certificate

The Panel Root Certificate allows to create a new root certificate. A root certificate is required to create host certificates.

Note: Only one root certificate is required per a WinCC OA project. Create a root certificate and use it to create host certificates in your project.

Certificate type

The certificate type defines the name of the created certificate. Following options are available:

Destination path

Path where the root certificate is created.

Name

The name is used to identify the root certificate.

Password

Password that is used to secure the root keyfile. This password is required for creating host certificates.

Expiration date

Enter the expiration date of the certificate.

Note: Note that a certificate has an expiration date and must be renewed before it expires! If you created the certificate yourself, renew the certificate. If a certificate was created by an external CA, the certificate can only be recreated or renewed by the external CA.

With a root CA, the expiration date can be very far in the future. Reduce the time for host certificates since the security requirements must be met on the plant. In practice, these are often given a term of one year. The plant operator must be aware of this and define processes so that the certificates created are exchanged in time.

A description on how to renew an expiring or already expired certificate can be found within the Security Guideline.

Additionally, you can enter information such as a country code, a province, a city, an organization, a department and a product name.

Note: The organization name of the host certificate and the root certificate must be different.

Common Name (CN)

Common name of the root certificate. This is the host name (domain name) of the server. The common names of the root and host certificates must not be same.

CAUTION: Do not use an IP address for the CN Name.

Create

Creates the new root certificate and root keyfile inside the destination folder. For information on the certificate formats, see chapter Types of Certificates

CAUTION: In the following root CA certificates are created for all three different features: SSA, HTTP Server and MxProxy. These figures are only examples for all specific types. HOWEVER. YOU MUST ONLY CREATE ONE ROOT CA CERTIFICATE PER PROJECT, REGARDLESS OF THE NUMBER OF THE FEATURES. USE THIS ROOT CA FOR ALL FEATURES.
Created HTTP Root Certificate as well as the Root Key File:

root-certificate.pem and root-privkey.key

Created MxProxy Root Certificate as well as the Root Key File:

root-cert.pem und root-key.pem

Created Free Root Certificate as well as the Root Key File:

SSA_root.crt und SSA_root.key