SSL certificate for DesktopUI connection

Discussions about product bugs & problems!
Note: This is no replacement for the Official ETM Support!
eduardhc
Posts: 6
Joined: Thu Aug 20, 2020 3:40 pm

SSL certificate for DesktopUI connection

Post by eduardhc »

We're trying to replace the default SSL certificates with our own ones before deploying the project to the customer. So far, we've replaced the host-cert.pem, host-key.pem and root-cert.pem files in the project's config folder with new root & host certificates generated using the standard OpenSSL toolchain.

We've also added the following lines to the configuration file, and the project seems to start just fine (not sure if needed):

Code:

securityMode = "cert"
sslCertificate = "config/host-cert.pem config/host-key.pem config/root-cert.pem"

However, we are observing that, when connecting to the project via DesktopUI client, the SSL certificate received is not the new one but the default one provided by ETM. We have tried adding the same lines to the [webClient] section of the config file, but this doesn't seem to make any difference.

By adding a "-dbg all" to the manager starting web_client.ctl, I can see the following lines in the log file:

Code:

WCCOActrl    (3), 2021.09.13 15:35:06.436,      WORK,   OaFileSys::fileExists found file: "/srv/synoptics/current/config/certificate.pem"
WCCOActrl    (3), 2021.09.13 15:35:06.436,      WORK,   OaFileSys::fileExists found file: "/opt/WinCC_OA/3.18/config/privkey.pem"

So, if I understand it correctly, WinCC-OA is loading the certificate from the project's certificate.pem file (which I could certainly replace, just as done for the others), but it's instead always using a private key file from the default WinCC-OA installation, which totally ruins my attempt to use a custom certificate. Obviously, I don't want to replace the base private key from WinCCOA, as who knows what could be broken by that...

How can we specify the certificate & key files to use for desktop UI access? By following the logic, this shall be done via the securityMode / sslCertificate settings in the [webClient] section, but those seem to be ignored by the webclient_http script.


For context, we are using WinCC-OA v3.18. The project runs headless on a Linux server, and users connect to synoptics by using the DesktopUI client from Windows 10 PCs.

gschijndel
Posts: 373
Joined: Tue Jan 15, 2019 3:12 pm

Re: SSL certificate for DesktopUI connection

Post by gschijndel »

The webserver also loads the private key from the project if it is there.
The webserver uses the fixed file names 'certificate.pem' and 'privkey.pem', which are used for the HTTPS communication.
The other certificate files (host-cert.pem, host-key.pem and root-cert.pem) are used for the WinCC OA communication with remote managers.
The lines did not have to be added to the configuration, since these values are used by default.

eduardhc
Posts: 6
Joined: Thu Aug 20, 2020 3:40 pm

Re: SSL certificate for DesktopUI connection

Post by eduardhc »

Ok, thanks for the heads-up (and sorry for taking so long in answering you, I totally forgot about this topic...). So, if I understand it correctly, I should also copy my certificate and key file as 'certificate.pem' and 'privkey.pem' files inside the project's config folder, and that's it.

Thank you very much, I'll give it a try as soon as possible.

Best regards.
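
A check for the outcome discussed in this thread, as an added example that is not part of the original posts and not ETM code: it resolves where certificate.pem and privkey.pem would be picked up and uses OpenSSL to confirm the key belongs to the certificate. The project-first lookup order, the two directory arguments and the script name check_pair.sh are assumptions drawn from the log lines and the reply above.

```shell
#!/bin/sh
# Added example, not ETM code. The lookup order (project config first, then
# installation config) is an assumption based on the log lines and reply above.

# Print the first existing DIR/NAME; usage: resolve_pem NAME PROJECT_CFG INSTALL_CFG
resolve_pem() {
    for dir in "$2" "$3"; do
        if [ -f "$dir/$1" ]; then
            printf '%s\n' "$dir/$1"
            return 0
        fi
    done
    return 1
}

# Return: 0 pair matches, 1 key does not match certificate,
#         2 file missing or unreadable, 3 pair split across directories.
check_https_pair() {
    cert=$(resolve_pem certificate.pem "$1" "$2") || { echo "certificate.pem not found"; return 2; }
    key=$(resolve_pem privkey.pem "$1" "$2") || { echo "privkey.pem not found"; return 2; }
    echo "certificate: $cert"
    echo "private key: $key"
    # Project certificate combined with the installation key is the case in the log.
    if [ "$(dirname "$cert")" != "$(dirname "$key")" ]; then
        echo "SPLIT: certificate and key are loaded from different directories"
        return 3
    fi
    # Both commands emit the SubjectPublicKeyInfo in PEM; equal text means same key.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || { echo "cannot parse $cert"; return 2; }
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || { echo "cannot parse $key"; return 2; }
    if [ "$cert_pub" = "$key_pub" ]; then
        echo "OK: privkey.pem belongs to certificate.pem"
        openssl x509 -in "$cert" -noout -subject -issuer -enddate
        return 0
    fi
    echo "MISMATCH: privkey.pem does not belong to certificate.pem"
    return 1
}

# Run directly, e.g. with the two directories seen in the log above:
#   sh check_pair.sh /srv/synoptics/current/config /opt/WinCC_OA/3.18/config
if [ "$#" -eq 2 ]; then
    check_https_pair "$1" "$2"
fi
```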
