Home
Security
Go beyond the norm in cybersecurity.
Security Features
Maintaining the control over production and the processes in the application has the highest priority in automation. Even measures to prevent security threats must not affect this.
Certificates
Cryptography Next Generation (CNG) Certificates

Version Information
Release Notes, Update information, Certifications and Frequently Asked Questions.
Concepts
Your first step into modern and powerful process visualization.
Deployment
Topics you need to know before using WinCC OA.
Security
Go beyond the norm in cybersecurity.
- Security Features
  Maintaining the control over production and the processes in the application has the highest priority in automation. Even measures to prevent security threats must not affect this.
  - Authorization Concept
  - Certificates
    - Features that use Certificates
    - Types of Certificates
    - Config Entries for Certificates
    - Panel for Certificates
    - Required for the Use of Certificates
    - Basic Terms
    - Types of Certificates
    - Panel for SSL Host Certificates
    - Windows Certificate Store
    - WebView.ewo Certificate Handling
    - OPC UA Certificates
    - HTTPS (SSL Connections)
    - Root Certificate & the Trusted Certification Authorities for Browsers
    - Cryptography Next Generation (CNG) Certificates
      - CNG Provider - Architecture
        This chapter describes the architecture of WinCC OA with TLS and CNG integration.
      - CNG Provider - Configuration in WinCC OA
        This example shows a Single System Configuration in which the MxProxy and Server run on the same host, and a separate Client communicates via the MxProxy.
      - CNG Provider - Available Key Storage Providers in Windows
        This chapter describes Microsoft Base Cryptographic Providers
      - CNG Provider - Create Certificates
        This chapter describes how to create certificates using OpenSSL with the prime256v1algorithm.
  - Login
  - Login Framework
    The WinCC OA login framework provides a framework that is easy to extend. The WinCC OA login panels can be easily replaced by user-specific panels without having to re-implement the functionality.
  - Server Side Authentication
  - User-defined Login
  - Authentication via Kerberos, basics
    In a more and more networking world, a WinCC OA system could be exposed to different types of attacks. An unauthorized WinCC OA system could connect to the distribution manager or hackers could try to manipulate WinCC OA messages.
  - Basics on Encryption
  - Crypthographic Functions
- Multiplexing Proxy
  The WinCC OA Multiplexing Proxy Manager is used to increase the security of your WinCC OA projects.
- Continuous Monitoring
  The Continuous Monitoring feature of WinCC OA provides an interface for external tools to read and validate log and error messages of Security Events that were generated by the WinCC OA.
- Security Events in WinCC OA
- Siemens CERT Portal – Accessing Security Information for WinCC OA
  Learn how to access security advisories and updates relevant to WinCC OA through the Siemens ProductCERT portal by filtering for "WinCC OA".
- Further References
Engineering
Powerful tools for easy or complex engineering tasks.
Data Management
Classify, structure and archive your data.
Business Logic / Control
Endless possibilities in data processing for your projects.
Data Visualization
User interfaces, Trends and Reports for every purpose and device.
Southbound Interfaces
The process connection to the actual machines/sensors.
Northbound Interfaces
Your portal to the cloud or supervising systems.
Web Connectivity / Network Interfaces
Data exchange, APIs and web technologies
User Management
All about authorization, authentication and login-customization.
Availability
How to get your system uptime to the maximum.
Reporting
Create state of the art project reports without limits.
Addons
Useful tools and enhancements for special demands.
Reference Tables
Detailed and extensive content for special project adaptation.
Videos & Tutorials
Explore the capabilities of WinCC OA with our carefully selected collection of video tutorials and guides.
Documentation
Basic information about terms and functions within the documentation.
Support & Services
An experienced team of support agents, consultants and trainers are ready to facilitate active partnerships with our customers, so they can profit from our comprehensive service.
Disclaimer
A brief clarification of liability exclusions or legal notices.

Cryptography Next Generation (CNG) Certificates

This chapter gives an overview of how Cryptography Next Generation (CNG) support works in WinCC OA. It also includes detailed technical explanations and diagrams to help you understand better.

Microsoft's Cryptography API: Next Generation (CNG) is the modern Windows framework for handling all cryptographic tasks, like managing certificates and private keys. Many of these keys are kept in the CNG Key Storage Providers (KSPs), which follow strict security rules. One important rule is the non-exportability policy, which ensures that the private parts of the keys never leave the secure store.

Normally, OpenSSL cannot directly access the CNG KSP. This makes it hard to use Windows-managed certificates and keys in OpenSSL-based programs, such as WinCC OA. The new CNG Provider for OpenSSL solves this problem by creating a smooth connection between OpenSSL and Windows cryptographic services. It lets OpenSSL list, use, and work with CNG-protected keys without breaking their non-exportability rules.

What is an OpenSSL Provider?

An OpenSSL Provider is a component added in OpenSSL 3.0 as part of its new provider-based architecture. Providers enable OpenSSL to manage various cryptographic algorithms, key management systems, and other features. This flexible framework allows OpenSSL to work with external libraries, services, or hardware devices, making it more versatile and easier to extend.