Types of Certificates

File-based certificates

WinCC OA allows you to create certificates that can be used for WinCC OA features. The default certificates are located in the /config directory of the WinCC OA project and must be replaced with certificates from your own PKI in order to guarantee secure communication and authentication.

For instructions on creating certificates, see the chapters Panel for SSL Host Certificates, HTTPS (SSL Connections), and Root Certificate & the Trusted Certification Authorities for Browsers for the HTTP Server; the chapter WebView.ewo Certificate Handling for the webView.ewo; and OPC UA Certificates for the use of OPC UA certificates.

File-based certificates can be used

WindowsCertStore

Selected features of WinCC OA can access certificates stored in the Windows Certificate Store.

Usage of the Windows Certificate Store is documented in the chapter Windows Certificate Store. You can open the Windows Certificate Store via the Start menu by typing "cert" in the search field.

Also WindowsCertificateStore certificates can be used

Certificate File Format

WinCC OA features use the *.pem file extension for certificates. PEM is the most commonly used format for certificates. A file with the .crt extension is also in PEM format, with the difference that the certificate can be viewed under Windows.

  • Privacy Enhanced Mail (PEM) files are a type of Public Key Infrastructure (PKI) file used for keys and certificates. PEM, initially invented to make e-mail secure, is now an Internet security standard.
  • A PEM file is a container format (text-based, Base64-encoded) that may include just the public certificate or the entire certificate chain (private key, public key, root certificates).
  • Is a PEM file the same thing as a CRT file? No! A PEM file is a container format that can hold different types of encoded data, such as certificates, private keys, and certificate chains. Using ".crt" therefore only works if the content is a certificate; it does not work if the file contains only a key.

The most commonly used file extensions for PEM files are .cer, .crt, .pem and .key (used for the private key).

The following default certificates are created with the Standard project option - see chapter Create Project.

CAUTION: The certificate files for the MXProxy and the Web Server must be in .pem format to be readable! For the MXProxy you can also use Windows Certificate Store certificates.

CAUTION: The "Private Key" must not be shared with others and must be kept in a very safe place.

Table 1. WinCC OA Default Certificates

Feature                       Certificate/Public key    Private Key
SSA                           user-cert.pem             user-key.pem
MXProxy                       host-cert.pem             host-key.pem
HTTP Server                   certificate.pem           privkey.pem
Root Certificate (Root CA)    root-cert.pem             root-privkey.pem

The certificates contain the "Public key" as well as many other fields such as Issuer, Valid from, Valid to, etc.
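
The PEM container behaviour and the private-key caution described above can be checked mechanically. The following Python sketch is an added example, not part of the WinCC OA documentation or product: it lists the block labels found in a PEM file and flags a certificate file that also carries a private key, or a .crt/.cer file that holds no certificate. The function names, the role values 'cert' and 'key', and the sample data are assumptions made for illustration; the sample blocks hold constructed placeholder bytes, not real key material.

```python
import base64
import re

# RFC 7468 textual encoding: -----BEGIN <label>----- base64 -----END <label>-----
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)\r?\n-----END \1-----", re.S)

def pem_labels(text):
    """Return the label of every well-formed PEM block, in file order."""
    labels = []
    for label, body in PEM_BLOCK.findall(text):
        # Legacy encrypted keys carry "Proc-Type:"/"DEK-Info:" header lines; skip them.
        b64 = "".join(l.strip() for l in body.splitlines() if ":" not in l)
        try:
            base64.b64decode(b64, validate=True)
        except ValueError:
            continue  # body is not Base64, so this is not a usable block
        labels.append(label)
    return labels

def audit(filename, text, role):
    """role is 'cert' or 'key' (hypothetical names); returns a list of findings."""
    labels = pem_labels(text)
    has_cert = "CERTIFICATE" in labels
    has_key = any(l.endswith("PRIVATE KEY") for l in labels)
    findings = []
    if not labels:
        findings.append("no PEM block found (DER or damaged file?)")
    if role == "cert" and not has_cert:
        findings.append("expected a certificate, none present")
    if role == "cert" and has_key:
        findings.append("private key bundled into a file that gets distributed")
    if role == "key" and not has_key:
        findings.append("expected a private key, none present")
    if filename.lower().endswith((".crt", ".cer")) and not has_cert:
        findings.append("certificate extension, but content is not a certificate")
    return findings

def make_block(label, payload):
    # Constructed placeholder bytes, not real key or certificate material.
    b64 = base64.b64encode(payload).decode()
    return f"-----BEGIN {label}-----\n{b64}\n-----END {label}-----\n"

SAMPLE_CERT = make_block("CERTIFICATE", b"constructed certificate bytes")
SAMPLE_KEY = make_block("PRIVATE KEY", b"constructed key bytes")

if __name__ == "__main__":
    for name, text, role in [("host-cert.pem", SAMPLE_CERT, "cert"),
                             ("host-cert.pem", SAMPLE_CERT + SAMPLE_KEY, "cert"),
                             ("host-key.crt", SAMPLE_KEY, "key")]:
        print(name, role, audit(name, text, role) or "OK")
```

The check only inspects the PEM armor and Base64 body; it does not parse the certificate fields or verify that a key matches its certificate.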