WinCC OA Security certificate Booster

Certificates play an important role in secure communication, acting like a passport to show and guarantee correct identities. Since security is key in WinCC OA, we provide several default certificates. Hence all security-related functionalities can be used for engineering immediately after installation.

This applies to features such as our Web/HTTP Server, the Multiplexing Proxy (MXProxy), the OPC UA Server/Client or the IEC 60870-5-104 driver, for instance.

The ready-to-use certificates are convenient for our customers. Please note, however, that they are not appropriate for use in a production environment; they are intended as a guideline to customize to your needs. In accordance with our online help and WinCC OA training courses, we advise using them only in test environments. The ready-to-use certificates must not be used in productive plants or environments.

Self-created certificates not only provide a much higher level of security for you; if you are working with older versions of WinCC OA (not in mainline support), the provided default certificates will also expire in 2023. This poses a potentially severe problem, as expired certificates mean that communication cannot be (re-)established for projects or user interfaces that are (re)started. Communication that is already running will not be affected immediately, though.

Which projects will be affected?

  • Projects running WinCC OA version 3.12 up to 3.16.
  • Projects created with WinCC OA version 3.12 to 3.16 whose project version was later upgraded, along with the WinCC OA runtime, to a newer/current version.

We strive to ensure all projects are as secure as possible. However, the overall security of the project, facility and plant is the responsibility of the operating entity – you, the customer. We have provided an extensive guideline with a closely followed security-by-default approach within the IEC 62443 product certification.

Note that this affects WinCC OA product versions which are no longer in mainline support. Please contact your local sales team or order directly from Siemens Mall to upgrade your WinCC OA project to a currently supported version. Current versions improve the level of security, as older versions no longer receive updates or security fixes.

Whilst newer WinCC OA versions contain default certificates with a later expiry date, these certificates are likewise not intended for production environments and must be replaced with custom certificates as soon as possible. Bear in mind that upgrading existing projects which were created on older WinCC OA versions is not, by itself, a sufficient solution for obtaining secure certificates.

When will the certificates expire?

The major expiration dates of certificates that should be considered are the following (dd.mm.yyyy):

  • OPC UA Server/Client: 04.08.2023
  • Multiplexing Proxy: 07.08.2023
  • HTTP Server: 31.12.2023

Further details can be found in the table below.


What should I do next?

Below are some options, with the most recommended option first:

  1. Exchange the default certificates with your own
    This is the course of action we urge you to take from the beginning.
    If you name your self-generated certificates identically to the default WinCC OA certificates and overwrite them, they will be deployed automatically, e.g. to the UI clients. We do not recommend doing so in the long run, as individually named certificates should be used, but it is a solid short-term solution to speed up deployment.
    Please refer to the detailed description or the online help on how to create your own certificates.
    Connected WinCC OA systems or Client/Server connections need to have their certificates replaced at the same time to be able to communicate with each other.
    Please keep in mind to take precautions concerning certificate expiration even if you create your own, by giving them an extended validity period.
  2. Use default certificate files from newer versions
    This means using the default certificates included in newer WinCC OA versions (>3.16) to replace the existing ones in your project/installation, as these have a much later expiration date.
    Please note that this must not be used as a permanent solution but can act as an intermediate remedy until you create your own certificates.
    Connected WinCC OA systems or Client/Server connections need to have their certificates replaced at the same time to be able to communicate with each other.
    You can find these newer certificates here: Default certificates v3.19
  3. Set the sslVerifyTime config entry to 0
    Please note that this must not be used as a permanent solution but can act as an intermediate remedy until you create your own certificates. As this config entry was only introduced in version 3.15, it only works if your project is running on this version or higher, and it is not applicable to driver certificates.


Where can I get further help?

We highly recommend the 4-day security training, which covers the topic of certificates in depth. You can also order consulting hours via Siemens Mall for help with the process above.

If you have any further questions, please get in touch with our support team, who will be happy to help.

Your WinCC OA Team


Component                  | Certificate file        | Private key file | 3.15       | 3.16       | 3.17       | 3.18       | 3.19
TLS & MXProxy (WCCILproxy) | host-cert.pem           | host-key.pem     | 07.08.2023 | 07.08.2023 | 07.08.2023 | 07.08.2023 | 07.08.2023
http                       | certificate.pem         | privkey.pem      | 31.12.2023 | 31.12.2023 | 31.12.2023 | 31.12.2023 | 31.12.2023
ETM root CA                | root-cert.pem           | root-privkey.pem | 07.08.2023 | 07.08.2023 | 07.08.2023 | 07.08.2023 | 07.08.2023
iec104                     | iec.crt                 | iec.key          | n.a.       | n.a.       | n.a.       | n.a.       | 30.08.2034
iec104                     | iecRoot.crt             | iecRoot.key      | n.a.       | n.a.       | n.a.       | n.a.       | 29.08.2034
OPC UA Client              | WinCC_OA_UA_client.der  | -                | 04.08.2023 | 04.08.2023 | 04.08.2023 | 04.08.2023 | 06.03.2028
OPC UA Server              | WinCC_OA_UA_server.der  | -                | 04.08.2023 | 04.08.2023 | 04.08.2023 | 04.08.2023 | 06.03.2028

Table 1: Overview of components and the expiration dates of their standard ETM certificates (dd.mm.yyyy)
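As an added example (not part of this notice and not WinCC OA code), the following Python script reads a PEM or DER certificate file, extracts its notAfter date with a minimal standard-library DER walk, and compares that date against the default-file expiry dates of Table 1: a file whose notAfter still equals the tabled date is an unreplaced default certificate, which is exactly what options 1 and 2 above are meant to eliminate. SAMPLE_DER is a constructed, unsigned certificate skeleton standing in for a default host-cert.pem; in practice you would pass the bytes of each file in your installation's certificate directory.

```python
import base64, datetime, re

# Default ETM certificate files from Table 1 with their documented expiry dates; a file whose
# notAfter still equals one of these dates is an unreplaced default certificate.
DEFAULT_EXPIRY = {
    "host-cert.pem": datetime.date(2023, 8, 7),           # TLS & MXProxy
    "certificate.pem": datetime.date(2023, 12, 31),       # HTTP server
    "root-cert.pem": datetime.date(2023, 8, 7),           # ETM root CA
    "WinCC_OA_UA_client.der": datetime.date(2023, 8, 4),  # OPC UA client
    "WinCC_OA_UA_server.der": datetime.date(2023, 8, 4),  # OPC UA server
}
def _tlv(data, pos):  # decode one DER tag-length-value at pos -> (tag, value_start, value_end)
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:                      # long form: low 7 bits = number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length
def _children(data, start, end):  # (tag, start, end) of every element inside a SEQUENCE body
    out, pos = [], start
    while pos < end:
        out.append(_tlv(data, pos))
        pos = out[-1][2]
    return out
def not_after(cert_bytes):
    """Return notAfter of a PEM or DER X.509 certificate as an aware UTC datetime."""
    m = re.search(rb"-----BEGIN CERTIFICATE-----(.*?)-----END", cert_bytes, re.S)
    if m:                                  # PEM: strip the armour and base64-decode to DER
        cert_bytes = base64.b64decode(b"".join(m.group(1).split()))
    _, cs, _ = _tlv(cert_bytes, 0)         # Certificate ::= SEQUENCE
    _, ts, te = _tlv(cert_bytes, cs)       # tbsCertificate ::= SEQUENCE
    fields = _children(cert_bytes, ts, te)
    if fields[0][0] == 0xA0:               # drop optional [0] EXPLICIT version, leaving
        fields.pop(0)                      # serialNumber, signature, issuer, validity, ...
    tag, s, e = _children(cert_bytes, fields[3][1], fields[3][2])[1]  # validity.notAfter
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"      # UTCTime / GeneralizedTime
    return datetime.datetime.strptime(cert_bytes[s:e].decode(), fmt).replace(tzinfo=datetime.timezone.utc)

def assess(filename, cert_bytes, today=None):
    """Classify one certificate file as DEFAULT (unreplaced ETM file), EXPIRED or OK."""
    end = not_after(cert_bytes).date()
    if DEFAULT_EXPIRY.get(filename) == end:
        return "DEFAULT"
    return "EXPIRED" if end < (today or datetime.date.today()) else "OK"

# Constructed, unsigned DER skeleton with the real tbsCertificate field order and
# notAfter = 07.08.2023 (UTCTime); it stands in for a default host-cert.pem read from disk.
SAMPLE_DER = (b"\x30\x37\x30\x30\xa0\x03\x02\x01\x02\x02\x01\x01\x30\x00\x30\x00"
              b"\x30\x1e\x17\x0d230101000000Z\x17\x0d230807235959Z"
              b"\x30\x00\x30\x00\x30\x00\x03\x01\x00")
SAMPLE_PEM = b"-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(SAMPLE_DER) + b"-----END CERTIFICATE-----\n"
```

The DER walk does not validate the signature or chain; it only reads the validity field, which is all that is needed to inventory expiry dates across an installation.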

