Issue
When logging in to SmartStruxure WorkStation you get a security certificate risk warning
Security Certificate Risk
There were errors validating the security certificate in use. This may pose a security risk to the system.
The certificate presented by this server was issued for a different server's address.
How do you wish to proceed? Trust certificate or Cancel
You can also get a warning when logging in through WebStation if you use the https address
Warning in Google Chrome - FireFox - Internet Explorer
Product Line
EcoStruxure Building Operation
Environment
- SmartStruxure version 1.6 and newer
- WorkStation
- WebStation
Cause
Starting in version 1.6, a new security feature has been introduced validating the ES and AS server identity based on security certificates. In order to avoid seeing this warning each time you log in, you need to apply a certificate to each server (ES, AS, ASP or ASB) - either a self-signed or an existing.
Resolution
This article will describe how to import or generate a certificate, and how to install the certificate through WorkStation or a browser.
If you generate the certificate for an Automation Server, make sure that the time and time zone is correctly set in the Automation Server before generating the certificate.
Regarding external CA certificates
In step 8 below, it's shown how to generate a self-signed certificate. It might be that it's required to use an external CA certificate issued by a trusted issuer e.g. Verisign. All X509 certificates are supported. The format of the certificate must be PEM (as opposed to DER, PKCS7 or PKCS12). More about certificate types here. SBO currently only supports certificates using the PEM format which is the most common. If the external CA certificate is delivered in a container format (such as .pfx) it must be extracted before it can be used in SmartStruxure. More about extracting certificates here.
Importing or generating a certificate
- Log in to Workstation clicking "Trust certificate"
- Navigate to the control panel
- Click on "Security Settings"
- Click on "Certificates"
- If you see a message saying that a secure communication protocol is not in use, it means that one or more AS's are communicating with the ES using the TCP port (4444) rather than https. In order to manage certificates for all servers in one operation, you need to change the communication ports. Click on "Configure communication settings" to do that.
- and change the protocol to HTTPS and the port to 443 - Back in the certificates settings, select one or more servers (in this example just the ES) and click "Manage Certificate"
- Select a certificate type to add. Unless a certificate is bought from a third party provider, select "Generate certificate" which will make a self-signed certificate.
- Enter a name, tick "Use IP/DNS..." and select a date when the certificate will expire as a minimum, and fill out more info if needed. Click "OK".
NOTE: Do not exceed year 2060 in the "Valid to" field, doing so will result in a certificate expired error when trying to apply the certificate. - Select the certificate just created and save
Installing a certificate through Workstation
- Close Workstation (just logging out is not enough)
- Open Workstation and log in using the IP address or DNS name - never "localhost" as that name will not match the certificate.
- Now you will be able to tick "Always trust this certificate" as the name (IP address or DNS name) in the certificate matches the server you are logging on to. Tick the box, and click "Trust Certificate".
- Click "Yes" to confirm the installation of the certificate
- Now you will not get the security warning when logging on
Installing a certificate through a browser
- Access the server using Internet Explorer (important) entering the https address (e.g. https://localhost)
- Click on "Continue to this website"
- Click on the "Certificate error" field next to the address bar
- Click on "Install certificate"
- Select "Trusted Root Certification Authorities"
- Click next and ok
- Close the browser
- Now you can use both Internet Explorer, Google Chrome and FireFox to access the server from Webstation using https and not get the warning
If the certificate fails to install and be trusted properly, it might be because you need to manually select which physical storage to add it to.
Refer to the following discussion