This applies to features such as our Web/HTTP Server, the Multiplexing Proxy (MXProxy), OPC UA Server/Client or the IEC 60870-S-104 driver, for instance.
The ready-to-use certificates are convenient for our customers. Please note, it is important to remember that they are not appropriate for use in production environment but rather to provide a guideline to customize to your needs. In accordance with our online help and WinCC OA training courses, we advise to use them only in test environments. The ready-to-use certificates must not be used in productive plants or environments.
Self-created certificates not only provide a much higher level of security for you, but if you are working witholder versions of WinCC OA (not in mainline support), the provided default certificates will expire in 2023. This poses a potentially severe problem, as expired certificates mean that communication cannot be (re-)established for projects or user interfaces which are (re)started. Already running communication will not be affected immediately though.
Which projects will be affected?
- Projects running WinCC OA version 3.12 up to 3.16.
- Projects created using WinCC OA version 3.12 to 3.16 and have upgraded the project version along with WinCC OA runtime to a newer/current version.
We strive to ensure all projects are as secure as possible. However, the overall security of the project, facility and plant is the responsibility of the operating entity – you the customer. We have provided an extensive guideline with a closely followed security by default approach within the IEC 62443 product certification.
Note this will affect WinCC OA product versions which are no longer in mainline support. Please contact your local sales team or order directly from Siemens mall to upgrade your WinCC OA project to a current supported version. Current versions improve the level of security, as older versions will no longer receive updates / security fixes.
Whilst newer WinCC OA versions contain default certificates with a longer expiry date, these certificates are not intended for production environment and must be replaced with custom certificates as soon as possible. Bear in mind, upgrading your existing projects which were created on older WinCC OA versions is not a sufficient solution to having a secure certificate.
When will the certificates expire?
The major expiration dates of certificates that should be considered are the following (dd/mm/yyyy):
• OPC UA Server/Client: 04.08.2023
• Multiplexing Proxy: 07.08.2023
• HTTP Server: 31.12.2023
• Further detail can be found in the table below
What should I do next?
Below are some options with the most recommended option first:
- Exchange the default certificates with your own ones
This is the course of action we urge you to take from the beginning.
If you name your self-generated certificates identically to the default WinCC OA certificates and overwrite them, they will be deployed automatically, e.g., for the UI clients. We do not recommend to do so in the long run, as individually named certificates should be used, but it presents a solid short-term solution to speed up deployment.
Please refer to the detailed description or the online help on how to create your own certificates.
Connected WinCC OA systems or Client/Server connections need to have their certificates replaced at the same time to be able to communicate with each other.
Please keep in mind to take precautions concerning certificate expiration even if you create your own by giving them an extended validate time range.
- Use default certificate files from newer versions
This means using the default certificates included in newer WinCC OA version (>3.16) to replace the existing ones in your project/installation, as these have a much longer expiration date.
Please note that this must not be used as a permanent solution but can act as an intermediate remedy until you create your own certificates.
Connected WinCC OA systems or Client/Server connections need to have the certificates replaced at the same time to be able to communicate with each other.
You can find these newer certificates here: Default certificates v3.19
- Setting the sslVerifyTime config entry to 0
Please note that this must not be used as a permanent solution but can act as an intermediate remedy until you create your own certificates. As this functionality was only introduced in version 3.15, it will only work if your project is running on this version or higher, and this solution is not applicable for driver certificates.
Where can I get further help?
If you have any further questions, please get in touch with our support team who will be happy to help with general questions.
Your WinCC OA Team
|File name certificate
|File name private key
|TLS & MXProxy
|ETM root CA
|OPC UA Client
|OPC UA Server
Table 1: Overview of components and their respective certification expiration dates of standard ETM certificates