SSL security certificate for Merbon SCADA servers

The IIS server where a Merbon SCADA server is installed should contain a SSL security certificate. Otherwise most of the browsers will consider the site insecure and show warning messages, or refuse to display the web pages completely.

HTTPS/SSL protocol can secure the data travelling between client and server and back. This means that the data flow between the browser and the server can not be monitored by a third party. Standard TCP port for HTTPS/SSL communication is 443, while HTTP standard port is 80.

The addresses of web pages secured with SSL start with the https:// protocol name. The browsers display a padlock icon in the address row, and tinge the address with different colours: green for full compliance, yellow or orange for a secured page with problems (such as containing a valid certificate issued for another domain), and red for a wrong certificate. If the certificate has been created using OpenSSL or IIS (self-signed certificate) the browser may show a message that the web is not trustworthy when accessed over the Internet. This problem can be solved by a certificate issued by an external authority.

Issuing a certificate by an external authority is a paid service (about 10 to 50 € per year). The price depends on the trustworthiness of the issuing authority, validity length of the certificate, degree of security, etc. The certificates must be prolonged as their validity is limited by time. The expiration date is stored directly in the certificate, and can be viewed e.g. in a web browser. As soon as the certificate expires, it is automatically considered invalid. Maximum validity length is usually 2 years. This means that even if the server is certified at the installation time, it loses its validity after maximum two years of operation, and SCADA „stops working“ just by itself. This is long before the warranty time ends (which may be up to 5 years at the turnkey projects).

If the Merbon SCADA server is operated exclusively in an intranet, i.e. without access from the Internet, using SSL is not necessary and browsers tend to accept unencrypted connection too (http://, TCP port 80). Then the standard installation manual for Merbon SCADA server setup is to be followed.

If the Merbon SCADA server shall be accessible from the Internet, the IIS server should have a SSL certificate installed. The certificate is issued by a certification authority. It is bound to the domain name which is used to access the server, for example merbonscada.company.com. This name has to be agreed with the IT manager of the network the server is installed in. The IT must also configure the network so that the server is available from the Internet.

A certificate is a file with .pfx extension. There are also other certificate formats, however, the IIS server requires a .pfx file. The file is imported in the IIS server settings (Server certificates) and then selected in the MerbonScada_Web configuration (Bindings, Add…, Type: https to port 443, and select the certificate file which was imported in the previous step).

As a certificate is subject to expiration, it must be updated regularly. At system (turnkey) project supplied by Domat, Domat as a supplier guarantees a valid certificate for a period of 2 years or until end of the warranty time according to the contract. Then a new certificate must be either ordered extra as a post-warranty service, or got by the site owner or operator.

If the Merbon SCADA licence is supplied as a product, the system integrator or IT department of the IIS server owner are fully responsible for issuing of a certificate, its installation and configuration of the IIS server. All system integrators are asked to get to know the SSL problematics and the Merbon SCADA Server environment thoroughly before the commissioning starts. It is advised to organize the connection to the Internet, domain name and issuing of a certificate in advance. It saves time spent on commissioning. Please note that the IIS server configuration takes about 30 minutes plus time required for communication with the local IT and a certification authority.

In general, for the issuing of the certificate, its installation and updates, the IIS server operator is responsible rather than the SCADA system supplier.

How to install the certificate in the IIS

Open the IIS manager (v C:\Windows\System32\inetsrv the InetMgr.exe file)
Select the server and click Server certificates: Select Actions – Import:

Select the certificate file and enter the import password provided by the issuing authority. Click OK. The certificate is now imported in the server.

In the IIS settings select the Merbon SCADA web and in the properties go to Edit web, Bindings… Add a https binding and select the imported certificate. Confirm by OK and restart the web. The web is now certified.