How to add HTTPS to your SCADA system

HTTPS is HTTP carried over an encrypted and authenticated connection between the browser (client) and the web server. The connection is established with Transport Layer Security (TLS), the successor of Secure Sockets Layer (SSL); the older name is still in common use, which is why the certificates involved are usually called "SSL certificates". Over such a connection the data exchanged between browser and server cannot be read or silently modified by a third party on the network. For this to work the server needs a certificate: it identifies the server to the browser and carries the server's public key, which the browser uses to authenticate the server and set up the encrypted link.

SSL Certificate

For the import described later, the certificate and its private key must be packaged as a PKCS#12 file, usually with the file extension ".pfx". Normally a certificate is requested from a Certificate Authority (CA). A CA is a trusted entity that signs your certificate, making it publicly trusted by browsers out of the box. However, publicly trusted CAs are no longer allowed to issue certificates for internal host names (names that do not resolve on the public Internet) or for private/reserved IP addresses; the CA/Browser Forum Baseline Requirements prohibit it. A SCADA server that is only reachable by such a name or address therefore cannot get a publicly trusted certificate.

How to create a self-signed SSL Certificate

A self-signed certificate is adequate for an internal system or for testing. Because no CA vouches for it, browsers will show a warning until the certificate has been installed as trusted on every client machine that accesses the SCADA web interface; do install it there rather than teaching operators to click through warnings, which would defeat the purpose of adding HTTPS. The following are the steps for creating a self-signed certificate to be used in your SCADA system:

First, you require a tool called "openssl". It can be installed from this link (https://slproweb.com/download/Win32OpenSSL_Light-1_0_2k.exe). Note that this is an OpenSSL 1.0.2 build; the 1.0.2 series stopped receiving security fixes at the end of 2019, so prefer the current build offered on the same site. After installation, the folder containing the tool has to be added to the system path. If you are not familiar with doing so, this (http://windowsitpro.com/systems-management/how-can-i-add-new-folder-my-system-path) article will help. The path to add is the "bin" folder of the installation, which is usually "C:\OpenSSL-Win32\bin".

Next, open "Command Prompt" by selecting (Start -> Run) and typing "cmd", or simply searching for "cmd" on newer Windows systems. Change to the directory in which the certificate files will be created by typing:

cd <full path of the directory>

This directory can be anywhere on the system; it is where the certificate files are created and stored. Here, type the following command to create a self-signed certificate (-days sets how long the certificate is valid, rsa:2048 is the key size, and the private key and the certificate are both written to cert.pem):

openssl req -x509 -days 365 -newkey rsa:2048 -keyout cert.pem -out cert.pem

You will be asked for a passphrase. It encrypts the private key that is written into cert.pem (the certificate itself is public and is not encrypted). Remember this passphrase; it is needed when installing the certificate later. Then fill in the other details requested. The common name (CN) should be the host name or IP address the SCADA web interface is accessed from. Note that current browsers no longer look at the CN at all: the name or address must appear in the certificate's subjectAltName extension, which the interactive prompts of "openssl req" do not ask for, so a certificate created only from the prompts will still produce a name-mismatch warning in a modern browser.

Next, the following command can be used to convert the “.pem” certificate to a PKCS#12/PFX file:

openssl pkcs12 -export -in cert.pem -inkey cert.pem -out cert.pfx

The passphrase of the private key in the ".pem" file has to be entered, followed by a passphrase that protects the exported file. Once this is done, the ".pfx" file is created in the directory.
From this point, the ".pfx" file has to be imported into the certificate store of the machine running the SCADA web server so it can be used. This is already described in the user guide linked here. Keep in mind that the ".pfx" contains the private key: it belongs on the server only, protected by its passphrase. Client machines that should trust the server need only the certificate (the public part), which can be exported from the server's certificate store without the private key and added to their trusted root certificates.
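The whole procedure in one script, as an added example that is not part of the original article or of any SCADA vendor's tooling. It differs from the steps above in two ways: the private key and the certificate go to separate files (key.pem and cert.pem), and the certificate gets a subjectAltName from a small OpenSSL configuration file so that a current browser accepts the host name or address. The host name scada.plant.local, the address 192.168.10.5 and the organisation name are made-up values; the openssl commands themselves are the same when typed into a Windows command prompt, only the script wrapper is POSIX shell.

```sh
#!/bin/sh
# Added example (not from the original article): create a self-signed server
# certificate with a subjectAltName, package key and certificate as a PKCS#12
# (.pfx) file, and verify the result. Host name, IP address and organisation
# used below are constructed values for illustration.
set -eu

# make_scada_cert HOST IP OUTDIR KEYPASS PFXPASS
#   writes OUTDIR/key.pem (passphrase-protected private key), OUTDIR/cert.pem
#   (self-signed certificate) and OUTDIR/cert.pfx (both, protected by PFXPASS)
make_scada_cert() {
    host="$1"; ip="$2"; dir="$3"; keypass="$4"; pfxpass="$5"
    mkdir -p "$dir"
    # OpenSSL config: the SAN extension is what browsers match the URL against,
    # and it is the part the interactive "openssl req" prompts cannot produce.
    cat > "$dir/san.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions    = v3_server
prompt             = no

[dn]
CN = $host
O  = Example Plant

[v3_server]
subjectAltName   = DNS:$host, IP:$ip
basicConstraints = CA:FALSE
keyUsage         = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
EOF
    # Self-signed certificate valid for one year; -passout encrypts the private
    # key with KEYPASS so the command runs unattended.
    openssl req -x509 -days 365 -newkey rsa:2048 -sha256 \
        -config "$dir/san.cnf" -passout "pass:$keypass" \
        -keyout "$dir/key.pem" -out "$dir/cert.pem" 2>/dev/null
    # Bundle key and certificate into a PKCS#12 file protected with PFXPASS.
    openssl pkcs12 -export -in "$dir/cert.pem" -inkey "$dir/key.pem" \
        -passin "pass:$keypass" -passout "pass:$pfxpass" -out "$dir/cert.pfx"
}

# cert_has_san CERT NAME: succeed if NAME (e.g. "DNS:scada.plant.local" or
# "IP Address:192.168.10.5") appears in the certificate's SAN extension.
cert_has_san() {
    openssl x509 -in "$1" -noout -text \
        | grep -A1 'Subject Alternative Name' | grep -q -- "$2"
}

# pfx_contents PFX PFXPASS: print "keys=N certs=M" for the .pfx, or "unreadable"
# when the passphrase is wrong (the MAC check on the file fails).
pfx_contents() {
    pem=$(openssl pkcs12 -in "$1" -passin "pass:$2" -nodes 2>/dev/null) \
        || { echo unreadable; return 0; }
    keys=$(printf '%s\n' "$pem" | grep -c -- '-----BEGIN.*PRIVATE KEY-----' || true)
    certs=$(printf '%s\n' "$pem" | grep -c -- '-----BEGIN CERTIFICATE-----' || true)
    echo "keys=$keys certs=$certs"
}

# Usage:
#   make_scada_cert scada.plant.local 192.168.10.5 ./out keypass pfxpass
#   cert_has_san ./out/cert.pem DNS:scada.plant.local && echo "SAN ok"
#   pfx_contents ./out/cert.pfx pfxpass     # keys=1 certs=1
```

Two points worth checking on a real deployment: the passphrases are passed on the command line here only so the example runs unattended, which leaves them in the shell history, so enter them interactively (drop the -passout/-passin options) when producing the real files; and OpenSSL 3 protects the .pfx with AES-256 by default, which some older Windows versions cannot import (the import dialog reports a wrong password). Re-export with the -legacy option of "openssl pkcs12" in that case.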