How can I create my own mxProxy and HTTP SSL certificates to communicate with WinCC OA?

WinCC OA distinguishes between two types of SSL certificates: one for the mxProxy (WCCILproxy) connection and one for HTTP/Web-Client communication.
In this example we create a root certificate and a host certificate of each type and establish a connection to a remote Web-Client project.
The SSL certificates are created with the SSL Certificates panel of the WinCC OA installation.

Please note: The ETM default certificates shipped with the installation must not be used in production environments! They are identical in every installation, so their private keys are not secret.

1. Open the SSL Certificates panel on your WinCC OA server machine via the System Management panel, tab “Communication”

2. Create HTTP root certificate

a. In the “Root certificate” frame click “Create” and fill in the following data:
Certificate Type : “Certificate for HTTP-server”
Destination Path : select the config folder of your current project
Root keyfile password : a passphrase of your choice, for example: “MakeYourProjectC4secure.KeepItSave!”
Expiration in : the lifespan of this certificate. The default is approximately 3 years; choose a longer or shorter lifetime according to your security requirements (a shorter lifetime limits the damage a compromised key can do)
Country Code : for example: “AT”
Province : for example: “Burgenland”
City : for example: “Eisenstadt”
Organization : for example: “ETM CA”
Department : for example: “RD01”
IP-Address : this becomes the CN (Common Name) of the certificate. Use the name clients will actually enter in the browser, for example your hostname: “eitst005w7.etm-ag.com”

b. Click the “Create” button
This creates 2 new files in your config folder:
root-certificate.pem : your public root certificate
root-privkey.key : your private root key. It is the secret of your CA and is used to sign your host certificates. Keep it in a safe and secure place and do not lose the passphrase: without it you cannot renew, revoke or create host certificates.

c. Close the root-certificate creation panel

3. Create HTTP host certificate

a. Ensure that the input fields in the “Root certificate” frame point to the correct files and contain the correct password

b. Certificate Type : select “Certificate for HTTP-server”

c. Destination path : select your config folder

d. Expiration in, Country Code, Province, City, Department, IP-Address : use the same values as for the root certificate

e. Organization : ATTENTION! You must enter a different name than for the root certificate, for example “ETM” in the host certificate when the root certificate uses “ETM CA”. The reason is the X.509 (SSL) standard: with all other fields identical, the host certificate's Subject would equal its Issuer, and a certificate whose Subject equals its Issuer is treated as self-signed. The host certificate would then not be recognised as issued by your root certificate and is rejected as invalid

f. Click the “Create” button

g. This creates 2 new files:
certificate.pem : your host certificate
privkey.pem : your private host key

4. Create certificates for mxProxy

a. Repeat steps 2 and 3 with the WCCILproxy certificate type. This creates the following files in your config folder:
root-cert.pem : your root certificate for the mxProxy
root-key.pem : your private root key for the proxy communication; it is the secret of this CA
host-cert.pem : your host certificate for the mxProxy
host-key.pem : your private host key for the mxProxy

5. Restart the entire project so that it uses the newly created certificates and check that everything started correctly

6. Establish Web-Client communication

a. Start the “webclient_http.ctl” CTRL script on your WinCC OA server machine

b. From your client, navigate to the address of your WinCC OA server in a web browser (Chrome, IE or Firefox) and install the plug-in if necessary.
ETM recommends importing the root CA certificate of the project into the trusted certificate store of your browser, so that the browser can validate every server certificate issued for your project. Alternatively you can accept the server certificate for the current session only; note that this skips the chain check, so you have no assurance that you are talking to the intended server.

c. Once the project cache folder has been created (the default folder for the WinCC OA Web Client is [Userfolder]\.wincc_oa-cache), ensure that the mxProxy certificate files are present in the config folder of the cache:
host-cert.pem
host-key.pem
root-cert.pem

d. Restart the browser and navigate to the WinCC OA server address again
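Before restarting the project (step 5) it is worth checking the generated files the way a browser or the remote proxy will judge them. The following script is an added example and is not ETM or WinCC OA code: it reproduces with OpenSSL the root/host pair that the panel writes (same file names as the HTTP case, same example subject values as above) and then verifies the host certificate: Subject differs from Issuer, the chain to the root is valid, the hostname matches and the certificate has not expired. It also builds the faulty variant from step 3e, a host certificate that uses the root's Organization, and shows that the check rejects it. The server name, the 2048-bit RSA key size, the certificate extensions and the temporary working directory are assumptions of this example; verify_host can equally be pointed at the panel's own output.

```shell
#!/bin/sh
# Added example, not ETM/WinCC OA code: reproduce with OpenSSL the root + host
# certificate pair that the SSL Certificates panel creates, then verify the host
# certificate the way a browser or the remote proxy would. File names follow the
# panel's HTTP output; subject values are the article's examples; the server name,
# key size, extensions and working directory are assumptions.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"
SERVER_NAME="${SERVER_NAME:-eitst005w7.etm-ag.com}"   # CN and SAN (assumed example hostname)
ROOT_PASS="${ROOT_PASS:-MakeYourProjectC4secure.KeepItSave!}"   # example passphrase from the article
DAYS=1095                                               # about three years, the panel's default

# Root and host share every field except Organization ("ETM CA" vs "ETM").
ROOT_SUBJ="/C=AT/ST=Burgenland/L=Eisenstadt/O=ETM CA/OU=RD01/CN=$SERVER_NAME"
HOST_SUBJ="/C=AT/ST=Burgenland/L=Eisenstadt/O=ETM/OU=RD01/CN=$SERVER_NAME"

# Passphrase-protected root key (root-privkey.key) and self-signed CA certificate.
make_root() {
  openssl genrsa -aes256 -passout pass:"$ROOT_PASS" -out "$WORKDIR/root-privkey.key" 2048 2>/dev/null
  openssl req -new -key "$WORKDIR/root-privkey.key" -passin pass:"$ROOT_PASS" \
    -subj "$ROOT_SUBJ" -out "$WORKDIR/root.csr"
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\nsubjectKeyIdentifier=hash\n' \
    > "$WORKDIR/root.ext"
  openssl x509 -req -in "$WORKDIR/root.csr" -signkey "$WORKDIR/root-privkey.key" -passin pass:"$ROOT_PASS" \
    -days "$DAYS" -sha256 -extfile "$WORKDIR/root.ext" -out "$WORKDIR/root-certificate.pem" 2>/dev/null
}

# make_host SUBJECT CERT_OUT KEY_OUT: host key + CSR, signed by the root with server extensions.
make_host() {
  openssl req -new -newkey rsa:2048 -nodes -keyout "$3" -subj "$1" -out "$WORKDIR/host.csr" 2>/dev/null
  printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature,keyEncipherment\nextendedKeyUsage=serverAuth\nauthorityKeyIdentifier=keyid,issuer\nsubjectAltName=DNS:%s\n' \
    "$SERVER_NAME" > "$WORKDIR/host.ext"
  openssl x509 -req -in "$WORKDIR/host.csr" -CA "$WORKDIR/root-certificate.pem" -CAkey "$WORKDIR/root-privkey.key" \
    -passin pass:"$ROOT_PASS" -CAcreateserial -days "$DAYS" -sha256 -extfile "$WORKDIR/host.ext" -out "$2" 2>/dev/null
}

# verify_host CERT ROOT: returns 0 only if CERT is not self-issued (Subject == Issuer is the
# X.509 marker for a self-signed certificate), chains to ROOT, matches SERVER_NAME and is not expired.
verify_host() {
  subj=$(openssl x509 -in "$1" -noout -subject); issuer=$(openssl x509 -in "$1" -noout -issuer)
  if [ "${subj#subject=}" = "${issuer#issuer=}" ]; then
    echo "FAIL: $1 has Subject == Issuer; use a different Organization than the root" >&2; return 1
  fi
  if ! openssl verify -CAfile "$2" -verify_hostname "$SERVER_NAME" "$1" >/dev/null 2>&1; then
    echo "FAIL: $1 does not chain to $2 or does not match $SERVER_NAME" >&2; return 1
  fi
  openssl x509 -in "$1" -noout -checkend 0 >/dev/null || { echo "FAIL: $1 has expired" >&2; return 1; }
  echo "OK: $1"
}

main() {
  command -v openssl >/dev/null 2>&1 || { echo "openssl not found" >&2; return 1; }
  make_root
  make_host "$HOST_SUBJ" "$WORKDIR/certificate.pem" "$WORKDIR/privkey.pem"
  verify_host "$WORKDIR/certificate.pem" "$WORKDIR/root-certificate.pem"
  # Negative case: the host certificate reuses the root's Organization (the mistake from step 3e).
  make_host "$ROOT_SUBJ" "$WORKDIR/bad-certificate.pem" "$WORKDIR/bad-privkey.pem"
  if verify_host "$WORKDIR/bad-certificate.pem" "$WORKDIR/root-certificate.pem"; then
    echo "unexpected: self-issued host certificate passed" >&2; return 1
  fi
  echo "generated files are in $WORKDIR"
}

# Run the full demonstration when executed; set CHECK_ONLY=1 to only load the functions.
[ "${CHECK_ONLY:-0}" = 1 ] || main
```

To check the files the panel produced instead of the generated ones, load only the functions and point verify_host at them, for example `CHECK_ONLY=1 . ./check_wincc_certs.sh; SERVER_NAME=<your server name> verify_host /path/to/config/host-cert.pem /path/to/config/root-cert.pem` (the same works for certificate.pem and root-certificate.pem). Whether `openssl verify` alone rejects a host certificate with Subject equal to Issuer depends on the OpenSSL version and the key usage extensions, which is why the script compares the two names explicitly.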

Version:
3.12

Tags:
WinCC Open Architecture, Security