Certificates

FAQ - Certificates

Whom should I inform about the current issue with the default certificates in WinCC OA?

  • Everyone responsible for the operation, the security or the engineering of a project.
  • System Integrators?

    Yes. Even if they are no longer responsible for certain projects.

    They should be aware that they should create project-specific certificates in every project, especially new ones, and not use the provided default ones, especially not in production.

  • End customers?

    Yes, as well. Ultimately, they are responsible for the security of their operations.

    Using our default certificates, which are provided mainly for convenience and to raise the level of security directly after installation, reduces the level of security.

How can I avoid the security error messages caused by self-signed certificates for the WebClient Plug-In in Internet Explorer?

WinCC OA provides self-signed certificates to establish the SSL communication between server and clients.

These certificates are not trusted by any official certification authority and this means that a trusted CA must be created and imported manually.

Attention: Those provided ETM default certificates must not be used in productive environments!

For this trusted CA it is necessary to use the host name of the WebClient server (e.g. WinCCOA_Webserver) as the CN Name parameter when creating the root and the host certificate on the WinCC OA server machine. This is necessary to avoid the following security error after navigating to the URL of the WebClient server: “There is a problem with this website’s security certificate”.

This avoids the security problem if you use http://WinCCOA_Webserver as the URL address within IE. Please note that any other attempt, e.g. using the IP address instead of the host name, will result in the same certificate error. This means that only a single valid address can be used as the URL for navigation.

In a 2nd step it is necessary to import the created root certificate into the “Trusted Root Certification Authorities” store. There are 2 alternative solutions to import this certificate:

1st alternative solution - Manual installation:

  1. Copy the root-certificate.pem to the client machine and rename it to root-certificate.crt.
  2. Open this file with a double click.
  3. Click the “Install Certificate…” button.
  4. Select “Place all certificates in the following store” and browse to “Trusted Root Certification Authorities”.
  5. Click Next and wait until the installation is completed.
  6. Restart the browser.

2nd alternative solution - Installation Inside Internet Explorer:

  1. Browse to the site whose certificate you want to trust. (This is your WebClient e.g.: http://WinCCOA_Webserver)
  2. When told “There is a problem with this website's security certificate.”, choose “Continue to this website (not recommended).”
  3. Select Tools > Internet Options.
  4. Select Security > Trusted sites > Sites.
  5. Confirm that the URL matches, click “Add” and then “Close”.
  6. Close the “Internet Options” dialog box with either “OK” or “Cancel”.
  7. Refresh the current page.
  8. When told “There is a problem with this website's security certificate.”, choose “Continue to this website (not recommended).”
  9. Click on "Certificate Error" on the right in the address bar and select "View Certificates".
  10. Click on “Install Certificate...”, then in the wizard, click “Next”.
  11. On the next page select “Place all certificates in the following store”.
  12. Click “Browse”, select “Trusted Root Certification Authorities”, and click “OK”.
  13. Back in the wizard, click “Next”, then “Finish”.
  14. If you get a “Security Warning” message box, click “Yes”.
  15. Close the message window with "OK".
  16. Select Tools > Internet Options.
  17. Select Security > Trusted sites.
  18. Select the URL you just added, click “Remove”, then “Close”.
  19. Now close all running instances of IE and restart IE.
  20. The site’s certificate should now be trusted.

Regarding the issue with the default certificates: Will the system integrators make this adjustment free of charge?

This is not for us to decide and depends mainly on the agreement between the end customer and the integrator, e.g. a maintenance contract. What we can say is that the standard certificates must not be used in the productive environment.

Can I use the provided generic ETM SSL certificates for secure communication?

No!

ETM provides several default, self-signed SSL certificates for secure communication. These are for convenience at startup and/or for development purposes only. Please note that those certificates also have an expiration date.

You must not use them in productive environments.

Please create your own certificates via System Management > Communication > SSL certificates. See the product help for further details. We also recommend reading our security guideline.

This applies to every feature that uses secure communication, e.g. HTTPS communication with the Desktop or Mobile UI and ULC UX, but also to MXProxy and OPC UA communication.

What is the easiest/fastest solution to the current default certificate issue?

First: Please have a closer look at our certificate issue article in SIOS.

While the default certificates must not be used in productive environments, replacing them may serve as a fast, intermediate solution until you have created and rolled out your own certificates.

  1. Download the default certificates of the newer versions of WinCC OA here.

    They have a much longer expiration date than the ones that were available in WinCC OA versions 3.12 through 3.16. But even these will expire in 2050, so please take the time to create your own certificates AND set up a replacement procedure for these as well.

  2. Extract the files from the archive.
  3. Search for the respective files in your project directory and just replace the files with the ones from the archive.
  4. Then restart your project so that the new certificates take effect.

Where can I find more information on default certificates in WinCC OA?

There are no problems with the supplied standard certificates themselves.

The issue is that some customers use them in production environments.

This is not allowed, as stated in our product help and advised in our basic trainings; they should be replaced by your own certificates.

These default certificates in older WinCC OA versions (3.12-3.16) expire in 2023 and then block communication.

For more information, see:

Siemens Online Support or WinCC OA Portal

How can I create my own mxProxy and http SSL certificates to communicate with WinCC OA?

In WinCC OA, we differentiate between 2 types of SSL certificates for MX Proxy and Web Client communication. In this example, we create a root and a host certificate with both types and establish a connection to a remote Web Client project. WinCC OA creates the SSL certificates via the SSL Certificates panel of the WinCC OA installation.

Attention: The provided ETM default certificates must not be used in productive environments!
  1. Open the SSL Certificates panel on your WinCC OA server machine via the System Management > Communication tab
  2. Create an HTTP root certificate
    1. Click "Create" in the Root certificate frame and enter the following data:
      • Certificate Type: “Certificate for HTTP-server”
      • Destination path: Select the config folder from your current project
      • Root keyfile password: Enter a password of your choice, for example "MakeYourProjectC4secure.KeepItSave!"
      • Expiration in: Select the validity period of this certificate. Our default value is approximately 3 years. Depending on your security requirements, you can select a longer or shorter lifespan.
      • Country Code: for example: “AT”
      • Province : for example: “Burgenland”
      • City : for example: “Eisenstadt”
      • Organization : for example “ETM CA”
      • Department : for example “RD01”
      • IP-Address : This is the CN Name that is used in your certificate, for example you could use your host name: “eitst005w7.etm-ag.com”
    2. Click the “Create” button

      This will create 2 new files in your config folder:

      • root-certificate.pem this is your public root certificate
      • root-privkey.key This is your private root key that keeps the secret of SSL encryption. These CA files are used to sign your host certificates. Please keep them in a safe and secure place. Do not lose the passphrase, as you cannot renew, revoke or create host certificates without a passphrase.
    3. Close the root-certificate creation panel
  3. Create HTTP host certificate
    1. Ensure that the Input fields in the “Root certificate” frame are filled in with the correct files and the correct password
    2. Certificate Type : Select “Certificate for HTTP-server”
    3. Destination path : select your config folder
    4. Expiration in, Country Code, Province, City, Department, IP-Address : Use the same data from the root certificate creation
    5. Organization : CAUTION!!! You must enter a different name than the one that you entered for the root certificate. For example, you can use "ETM" in the host certificate, while you used "ETM CA" for the root certificate. This different name is due to the requirements of the SSL standard. Otherwise, you will create a certificate that will be evaluated as altered or corrupted.
    6. Click the “Create” button
    7. This will create 2 new files:
      • certificate.pem
      • privkey.pem
  4. Create certificates for mxProxy.

    Repeat these steps for the WCCILproxy certificates. This creates the following files in your config folder:

    • root-cert.pem this is your mxProxy certificate
    • root-key.pem This is your root key for the proxy communication which keeps the secret for SSL communication
    • host-cert.pem your host certificate for the mxProxy
    • host-key.pem your key file for the mxProxy
  5. Restart the entire project with these created certificates and ensure that everything has started correctly
  6. Establish Web-Client communication
    1. Start the “webclient_http.ctl” CTRL script on your WinCC OA server machine
    2. From your client, navigate to the address of your WinCC OA server in a web browser (Chrome, IE or Firefox) and install the plug-in if necessary.

      ETM recommends loading the root CA certificates of the project into the trusted certificate store of your browser. This makes the browser aware of all available certificates for your project. Alternatively, you can also accept only the server certificate for the session.

    3. When the project cache folder (the default folder for the WinCC OA Web Client is [user folder]\.wincc_oa-cache) has been created, make sure that the mxProxy certificate files are available in the config folder within the cache:
      • host-cert.pem
      • host-key.pem
      • root-cert.pem
    4. Restart the browser and navigate to the WinCC OA server address
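The root and host certificate pair created by the SSL Certificates panel above, rebuilt with openssl as an added example (not ETM's or WinCC OA's own tooling) so that the three points the FAQ keeps returning to can be checked from a script: the host name as CN, a different Organization for root and host, and the expiry that makes the 3.12-3.16 default certificates a problem in 2023. The host name eitst005w7.etm-ag.com, the DN values and the password are the sample values from the steps above; /tmp/wincc-config is a constructed path.

```shell
#!/bin/sh
# Added example, not WinCC OA's own tooling: reproduce with openssl what the
# SSL Certificates panel does (a root CA, then a host certificate signed by it)
# and audit the result as you would audit a project's deployed certificate.pem.
# File names follow the panel; host name and DN values are constructed samples.
set -eu
: "${ROOT_PASS:=MakeYourProjectC4secure.KeepItSave!}"  # root keyfile password
export ROOT_PASS
# $1 = config folder, $2 = host name used as CN, $3 = validity in days.
make_project_certs() {
  dir=$1; host=$2; days=${3:-1095}       # the panel's default is about 3 years
  mkdir -p "$dir"
  # Root certificate with O="ETM CA"; its private key is protected by ROOT_PASS.
  openssl req -x509 -newkey rsa:2048 -days "$days" -passout env:ROOT_PASS \
    -subj "/C=AT/ST=Burgenland/L=Eisenstadt/O=ETM CA/OU=RD01/CN=$host" \
    -keyout "$dir/root-privkey.key" -out "$dir/root-certificate.pem" 2>/dev/null
  # Host certificate: same CN, but Organization "ETM" so that subject != issuer.
  openssl req -new -newkey rsa:2048 -nodes \
    -subj "/C=AT/ST=Burgenland/L=Eisenstadt/O=ETM/OU=RD01/CN=$host" \
    -keyout "$dir/privkey.pem" -out "$dir/host.csr" 2>/dev/null
  printf 'subjectAltName=DNS:%s\n' "$host" >"$dir/host.ext"  # current browsers check SAN
  openssl x509 -req -in "$dir/host.csr" -days "$days" -extfile "$dir/host.ext" \
    -CA "$dir/root-certificate.pem" -CAkey "$dir/root-privkey.key" -passin env:ROOT_PASS \
    -CAcreateserial -out "$dir/certificate.pem" 2>/dev/null
}

# Audit a config folder: certificate.pem must chain to root-certificate.pem,
# must not have issuer == subject, must carry the host name as CN, and must
# stay valid for at least $3 more days (the 3.12-3.16 defaults expire in 2023).
check_cert() {
  dir=$1; host=$2; warn_days=${3:-90}; crt=$dir/certificate.pem
  openssl verify -CAfile "$dir/root-certificate.pem" "$crt" >/dev/null 2>&1 \
    || { echo "FAIL: $crt does not chain to root-certificate.pem"; return 1; }
  subj=$(openssl x509 -in "$crt" -noout -subject -nameopt RFC2253)
  issuer=$(openssl x509 -in "$crt" -noout -issuer -nameopt RFC2253)
  [ "${subj#subject=}" != "${issuer#issuer=}" ] \
    || { echo "FAIL: issuer equals subject; root and host Organization must differ"; return 1; }
  case "$subj" in *"CN=$host"*) ;;
    *) echo "FAIL: CN does not match host name $host ($subj)"; return 1 ;;
  esac
  openssl x509 -in "$crt" -noout -checkend $((warn_days * 86400)) >/dev/null \
    || { echo "FAIL: $crt expires within $warn_days days, plan the replacement now"; return 1; }
  echo "OK: $crt, $(openssl x509 -in "$crt" -noout -enddate)"
}

if [ "${1:-}" = "demo" ]; then   # sh certs.sh demo: create and audit a sample pair
  make_project_certs /tmp/wincc-config eitst005w7.etm-ag.com 1095
  check_cert /tmp/wincc-config eitst005w7.etm-ag.com 90
fi
```

Running check_cert against an existing project's config folder (with its own host name) tells you whether the deployed certificate.pem still chains to the project root, names the host and has more than the given number of days left, which is the check to schedule before the 2023 expiry of the old defaults hits.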

How do I get the required knowledge on the current default certificate issue?

First please have a look at this information.

We strongly recommend that those responsible for security/operations in a project familiarize themselves with certificates in general, even independently of WinCC OA, as they play an important role in security standards.

We are aware that certificates are generally a rather complex matter.

That is why we help you with a detailed description in this presentation or in our product help.

If you would like to delve deeper into the topic of security or acquire the necessary knowledge, we also offer a special security training.

If all this is not feasible for you or time does not permit, we also offer the - not recommended - emergency solution of simply replacing the existing default certificates with newer default certificates.

This means that just a handful of files need to be replaced in the file system of the project. But keep in mind that these will also expire at some point, even if only in the year 2050.

These files are available here.