Windows Certificate Store

dbindernagel

Post by dbindernagel »

Hello Community,

I'm having problems getting the Desktop UI working with certificates in the Windows Certificate Store.
I have created my own certificates with the panels from WinCC OA (for testing, on production the customer will provide his own certificates).
I have a root CA and one HTTP and one MXPROXY certificate (mxproxy is for use on a dedicated webserver with just the httpserver and the mxproxy running, but I'm having problems with just an HTTP server. For now it is not used).

Setup 1:
- One Server running the WinCC OA project and the HTTP server (webclient_http.ctl; MXPROXY = NONE)
- One Client with just the Desktop UI installed

If I just copy the certificates in the config folder I can connect without problems/warnings.
If I try to use the certificate store I get a popup saying:

There were errors during the setup of the secured connection to [server]:
- The host name did not match any of the valid hosts for this certificate
- The issuer certificate of a locally looked up certificate could not be found
- No certificates could be verified

On the server I installed all the certificates in the store location Local Machine.
1. The root ca in "Trusted Root Certification Authorities" (importing just the .cer file)
2. I combined the HTTP cert and key into a .pfx file using openssl.
3. I added the registry entry "forcekeyprotection" with the value 0
4. I imported the http certificate into the Personal store with the option to export the key. If I open the imported certificate it shows a private key and that the cert chain is ok.
5. On the client I only had the root ca imported at first but later also imported the certificate from the http server (is this required?).
6. My config on the server:

securityMode = "winCert"
winCertSearchBy = "SHA1"
winCert = "MACHINE:MY:8B 98 F4 ..."
winRootCA = "MACHINE:ROOT:A7 EB 99 ..."

Keys are of course complete in the config file, no "...".
Btw.: is it necessary to add the spaces for the key, or can I just copy the thumbprint without the spaces?

Is there anything I'm missing, or is there anything I can do to analyze the problem further? The log does not show anything helpful besides saying the secured connection could not be established.

Looking at the help and other sources (e.g. Security Guideline for 3.18), it is not really clear to me if the http server supports the certificate store. In some entries it looks like it should work (even recommended on page 192 of the security guidelines) and in others it is not (like the page "Features that use Certificates" in the online help, where one file-based certificate is mentioned).

Used version: WinCC OA 3.18 P006

erik.schwing

Re: Windows Certificate Store

Post by erik.schwing »

The HTTP Server does not support the Windows cert store :(
It only supports file based certificates.

See https://www.winccoa.com/forum/viewtopic ... 27&t=11632