Certificate Handling; Self-Signed Certificate - ABB RTU500 series User Manual


7.3 Certificate handling
7.3.1
7-4 | 1KGT 150 924 V000 1 - ABB AG
Figure 88: HTTPS access to an RTU Web server
The default Web server certificates used by the RTU500 series are self-signed and not issued by a certification authority (CA). As a result, a current web client shows a warning message concerning the missing CA when the Web server is accessed with HTTPS. To avoid this warning message, a trusted external certificate must be configured and uploaded to the RTU500 series.
If the Web server is configured for HTTPS, standard access is no longer possible. If standard access is attempted, the Web server redirects it to the secure pages of the RTU500 series Web server.
If the Web server is not configured for HTTPS, secure access is still possible. There are no restrictions in this case apart from the possible warning message caused by the self-signed certificate.
See chapter "RTUtil500 configuration" for configuration and chapter "External certificate" for the upload of external certificates.
For encryption and secure identification, HTTPS uses public key certificates that bind a public key to an identity (information such as the name of an organization, its address and so on). The certificate is used to verify that a public key belongs to an identity. With HTTPS, the Web server presents the certificate to the web client, giving the client the public key and the identity of the server.
The RTU therefore requires a public/private key pair and a corresponding public key certificate. There are two possibilities: either the self-signed certificates generated by the RTU500 series firmware are used, or a trusted, externally generated certificate is uploaded to the RTU. When uploading, a certificate must be available for each CMU because the Web server can be accessed on any CMU. Further information about the self-signed and externally generated certificates can be found in the following two chapters.

Self-signed certificate

In the default setup, the RTU500 series Web server uses self-generated and self-signed public key certificates for encryption and secure identification. As explained above, the certificate consists of a public/private key pair and identity information. The key pair and the certificate are generated by the RTU firmware and stored in the internal flash of the CMU (not on the memory card).
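An inventory check for the situation described above, added here as an example and not taken from the ABB manual: it reports whether a Web server still presents a self-issued certificate (issuer name equal to subject name), as a firmware-generated default certificate would, instead of an uploaded CA-issued one. All function names and the sample certificate are constructed for illustration; comparing the two names does not verify the signature.

```python
import ssl

def read_tlv(buf, pos):
    """Parse one DER TLV at pos; return (tag, value_start, value_end)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: next n bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, pos, pos + length

def issuer_and_subject(der):
    """Return the raw DER encodings of the issuer and subject Names."""
    _, start, _ = read_tlv(der, 0)         # outer Certificate SEQUENCE
    _, pos, end = read_tlv(der, start)     # tbsCertificate SEQUENCE
    fields = []
    while pos < end:
        tag, _, vend = read_tlv(der, pos)
        if tag != 0xA0:                    # skip the optional [0] version field
            fields.append(der[pos:vend])
        pos = vend
    return fields[2], fields[4]            # serial, sigAlg, issuer, validity, subject

def is_self_issued(der):
    """True when issuer == subject, i.e. no separate CA issued the certificate."""
    issuer, subject = issuer_and_subject(der)
    return issuer == subject

def check_server(host, port=443):
    """Fetch the certificate without validating it, then classify it."""
    pem = ssl.get_server_certificate((host, port))
    return is_self_issued(ssl.PEM_cert_to_DER_cert(pem))

# Constructed, structure-only sample data (placeholder algorithm, key, signature).
def der_tlv(tag, value):
    return bytes([tag, len(value)]) + value   # short-form lengths only

def der_name(cn):
    atv = der_tlv(0x30, der_tlv(0x06, b"\x55\x04\x03") + der_tlv(0x0C, cn))
    return der_tlv(0x30, der_tlv(0x31, atv))  # Name with a single commonName

def sample_cert(issuer_cn, subject_cn):
    empty = der_tlv(0x30, b"")
    tbs = der_tlv(0x30, der_tlv(0xA0, b"\x02\x01\x02") + b"\x02\x01\x01" + empty
                  + der_name(issuer_cn) + empty + der_name(subject_cn) + empty)
    return der_tlv(0x30, tbs + empty + b"\x03\x01\x00")
```

Run `check_server` against each CMU address, since each CMU holds its own certificate.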
RTU500 series Remote Terminal Unit
