Certificate Management

Certificate management is an integral part of securing communication between Web HMI and web browsers.

Certificates

Communication between Web HMI and a web browser over the HTTPS protocol uses the certificate of the Reverse Proxy component to encrypt messages. This certificate is signed by another certificate, whose Common Name (CN) field is set to ca, which serves as the Certificate Authority (CA) certificate. This CA certificate is generated at installation time, is self-signed, and is therefore not trusted by web browsers. As a result, when a user tries to connect to Web HMI, the web browser blocks access and displays the warning message: Your connection is not private. A user can then select Advanced to load the web page anyway, but it is safer to import the CA certificate into the user machine so the web browser can mark the connection as trusted.

Since you cannot force users, from the server side, to always use trusted HTTPS connections, Web HMI takes precautions to prevent content access when the connection does not rely on a trusted certificate.

The server side detects when the address in the URL does not match the host name or the IP address in the certificate. For example, by default the certificate only contains the host name, but users may attempt to access Web HMI using an IP address in the URL, such as https://10.0.0.10. When Web HMI detects such a scenario, it blocks access to the content completely and returns this message:

Access Denied Please ensure you are using valid URL

You can disable this access restriction by setting the denyIfAddressIsNotInCert option to false in the Reverse Proxy configuration file, serverConfig.json. Alternatively, you can allow specific IP addresses by adding them to the proxy IPs parameter of the same file. If you define multiple IP addresses, separate them with a semicolon, such as 1.2.3.4;5.6.7.8.
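To make the access rule concrete, here is an added Python model of the check described above; it is not Web HMI's or the Reverse Proxy's own code. The file layout, the key name proxyIPs, the certificate names and the URLs are constructed assumptions; only denyIfAddressIsNotInCert and the semicolon-separated list format come from the documentation.

```python
import ipaddress
import json

# Constructed serverConfig.json fragment. "proxyIPs" is an assumed key name
# for the "proxy IPs" parameter; the real file layout is not shown here.
SAMPLE_CONFIG = """{
  "denyIfAddressIsNotInCert": true,
  "proxyIPs": "10.0.0.10;192.168.1.20"
}"""

# Constructed identity of the Reverse Proxy certificate (CN and SAN names).
# By default only the host name is present, no IP address.
CERT_NAMES = {"webhmi.example.local"}


def parse_proxy_ips(value):
    """Split the semicolon-separated proxy IPs parameter into a set of addresses.

    ipaddress.ip_address() raises ValueError on a malformed entry, so a typo in
    the configuration file is caught at load time instead of silently ignored.
    """
    return {ipaddress.ip_address(p.strip()) for p in value.split(";") if p.strip()}


def host_from_url(url):
    """Return the host part of an HTTPS URL without scheme, port or path.

    Assumption: host names and IPv4 literals only (no bracketed IPv6).
    """
    host = url.split("://", 1)[-1].split("/", 1)[0]
    return host.rsplit(":", 1)[0] if host.count(":") == 1 else host


def access_decision(url, config_text, cert_names):
    """Allow when the requested address is named in the certificate; otherwise
    deny unless denyIfAddressIsNotInCert is false or the address is a listed IP."""
    cfg = json.loads(config_text)
    host = host_from_url(url)
    if host in cert_names:
        return "allowed"
    # The restriction is on by default; it must be set to false explicitly.
    if not cfg.get("denyIfAddressIsNotInCert", True):
        return "allowed"
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return "denied"  # unknown host name, not an IP: nothing to allow-list
    if addr in parse_proxy_ips(cfg.get("proxyIPs", "")):
        return "allowed"
    return "denied"  # Reverse Proxy would answer "Access Denied" here
```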

Custom Certificates

Since the CA certificate that signs the HTTPS certificate used by Web HMI is self-signed by default, you must import it into each user machine for it to be trusted and recognized as safe by web browsers. This also applies when a web browser on the server itself is used to access Web HMI. If you purchased a certificate issued by a CA that web browsers already trust, you do not need to install this certificate on all clients. If you have your own infrastructure for generating certificates, edit the serverConfig.json file to use your custom certificate, as explained in Apply Custom Certificates.