Automation of SSL certificate updates in PLCnext WBM - Open Source Solutions?
Hi PLCnext Community,
I have been reading the discussions about SSL certificate issues on PLCnext systems and am curious about developments in automating these certificate updates. In the world of web hosting, automatically renewing SSL certificates via open-source solutions is quite standard. Two promising solutions are Let's Encrypt and Sectigo Certificate Manager.
Let's Encrypt, a free, automated, and open certificate authority, offers TLS certificates for websites. It supports the Automated Certificate Management Environment (ACME) protocol, which automates the complete management of certificate processes. This eliminates the need for manual updates and ensures continuous secure connections.
Sectigo Certificate Manager offers a CA-agnostic certificate lifecycle management platform for the modern enterprise. It supports multiple integration alternatives, including SCEP, a RESTful API, agent-based integration, and the ACME protocol. This platform can integrate with a wide range of technologies and systems.
Are there any plans or ongoing developments at Phoenix Contact to integrate such a solution into the PLCnext WBM? It would be a valuable addition for many users, as it would significantly improve the system's security and ease of use.
Looking forward to your responses and suggestions.
Best regards,
Michel
Comments
Apologies for posting this in the "PLCnext Engineer" category. This topic would be more appropriate under "PLCnext Technology & PLCnext Controls".
Unfortunately, I don't have the ability to move the post myself. Could a moderator or administrator kindly relocate this thread to the correct category? Many thanks in advance for your assistance.
Let's Encrypt does not offer certificates for IP addresses. Some other Certification Authorities (CAs) do, but only for public and publicly validated IP addresses. Therefore, if you are using local IP addresses, or IP addresses that are not publicly accessible, or not using a domain name, it is impossible to generate an SSL certificate for the eHMI web pages viewed in desktop or mobile browsers.
Hi Michel. This is a quite interesting question.
At the moment, the only similar feature that our developers are currently working on is an extension to the Device and Update Management (DaUM) service, which will implement an OPC UA Global Discovery Server that will allow security certificates to be pushed to PLCnext Control devices from the DaUM service. However, this will be based on the OPC UA standards, and it is not the same as the two solutions you mention.
Some background on OPC UA certificate management:
There is an old Makers Blog post that describes how to use UaExpert (an OPC UA Client) to push OPC UA Server certificates to a PLCnext Control device. In the first implementation, our Global Discovery Server will manage OPC UA Server certificates, but it is planned that it will eventually be extended to manage other certificates on the device.
The idea of using standard IT solutions for certificate management is a good one, but unfortunately there are currently no plans to integrate something like this into the Web-Based Management. In the foreseeable future, I think the only way that solutions like the ones you mentioned will be implemented is if someone in the wider PLCnext Community develops a PLCnext Store app using one of those solutions.
Following up on this discussion around automating SSL certificate updates on PLCnext systems, I'd like to dive deeper into the realm of securing our PLCnext devices, especially focusing on local environments and domain names. Drawing from the broader web development and hosting practices, two standout solutions have emerged: mkCert for local IP addresses and combining a reverse proxy (Nginx/Apache) with certificate authorities like Let's Encrypt or Sectigo for domain names.
mkCert for Local IP Addresses
Given the challenge of SSL certificate warnings in browsers when accessing local IP addresses, mkCert presents an innovative solution. It's a tool that simplifies the process of generating valid SSL certificates for local development environments. While Let's Encrypt does not offer certificates for local IP addresses or non-publicly accessible IP addresses, mkCert fills this gap by acting as a local certificate authority. This way, developers can ensure secure HTTPS connections without the browser's security warnings, enhancing both security and user experience during development and testing phases.
Combining Reverse Proxy and CA Certificates for Domain Names
For scenarios involving domain names, especially when aiming to access PLCnext's eHMI web pages securely, using a reverse proxy like Nginx or Apache in conjunction with certificate authorities such as Let's Encrypt or Sectigo offers a robust solution. This approach not only secures communication but also simplifies certificate management and renewal processes. By setting DNS records on PLCnext via the Web-Based Management (WBM) or terminal, we can effectively implement this solution. It ensures that domain names directed towards our PLCnext devices are fully secured, leveraging the automated renewal capabilities of these CAs.
The Need for DNS Record Management in PLCnext WBM
For the full implementation of these solutions, especially when dealing with domain names, the ability to manage DNS records directly from PLCnext's WBM or through terminal commands is crucial. This functionality would significantly streamline the process, making it more accessible for users to implement comprehensive SSL/TLS security measures on their devices.
Closing Thoughts
While Phoenix Contact's exploration into integrating OPC UA Global Discovery Server for certificate management is a step in the right direction, expanding the scope to include more generalized IT solutions like mkCert and reverse proxy setups could greatly enhance the PLCnext ecosystem's security and usability. The potential for community-driven developments, possibly through PLCnext Store apps, offers an exciting avenue for innovation in this space.
I'm keen to hear thoughts, feedback, or any developments from both the PLCnext team and the community at large. Has anyone embarked on implementing these or similar solutions? Your insights and experiences would be invaluable.
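The two setups described in the post above, as an added example that is not code from this thread or from Phoenix Contact: a mkcert helper for the local-IP case, and a generator for an nginx reverse-proxy site that terminates TLS with a certbot-issued Let's Encrypt certificate and forwards to the PLC's WBM. The hostname, PLC address, certbot webroot and the subject name of the PLC's own certificate are assumed values.

```shell
#!/bin/sh
# Added example; not from the thread or from Phoenix Contact. Constructed assumptions:
# the PLC's WBM listens on HTTPS at 192.168.1.10, its public name is plc1.example.com,
# certbot answers HTTP-01 challenges from the webroot /var/www/acme, and the PLC's own
# certificate has been exported from the WBM to /etc/nginx/plc-certs/<domain>.crt.

# Local IP address, no DNS name: issue a certificate from mkcert's local CA (installed
# into the OS/browser trust store with `mkcert -install`). Public CAs will not issue for
# private addresses; mkcert puts the IP into the certificate's SAN.
make_local_cert() {
  mkcert -cert-file "plc-$1.pem" -key-file "plc-$1-key.pem" "$1"
}

# DNS name: emit an nginx site that terminates TLS with the Let's Encrypt certificate
# and forwards to the PLC. $1 = domain, $2 = PLC IP, $3 = subject name in the PLC's cert.
gen_nginx_site() {
  domain="$1"; plc_ip="$2"; plc_cert_name="$3"
  cat <<EOF
server {
    listen 80;
    server_name ${domain};
    location /.well-known/acme-challenge/ { root /var/www/acme; }   # certbot renewals
    location / { return 301 https://\$host\$request_uri; }
}
server {
    listen 443 ssl;
    server_name ${domain};
    ssl_certificate     /etc/letsencrypt/live/${domain}/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/${domain}/privkey.pem;
    ssl_protocols TLSv1.2 TLSv1.3;
    add_header Strict-Transport-Security "max-age=31536000" always;
    location / {
        proxy_pass https://${plc_ip};
        # Pin the PLC's self-signed certificate so the proxy-to-PLC hop is
        # authenticated too, rather than disabling verification on that hop.
        proxy_ssl_trusted_certificate /etc/nginx/plc-certs/${domain}.crt;
        proxy_ssl_verify on;
        proxy_ssl_name ${plc_cert_name};
        proxy_set_header Host \$host;
        proxy_set_header X-Forwarded-For \$remote_addr;
        proxy_set_header X-Forwarded-Proto https;
    }
}
EOF
}

# Stand-alone run: print the site definition for the constructed values.
gen_nginx_site plc1.example.com 192.168.1.10 plcnext-wbm
```

The generated site is written to the nginx sites directory, and the certificate is obtained once with certbot's webroot mode against /var/www/acme; certbot's own timer then handles renewal without touching the PLC.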
I put these proposals to the firmware developers and I got a response from them this morning.
Unfortunately, there are currently no plans to implement any of these features. To get these features implemented by our firmware development team requires an internal process to be followed, and I have now initiated that process. This doesn't mean that these features will be implemented soon (or ever), but it means that the proposal will be given a suitable priority by the product managers, and it will then join the hundreds of other requests that are being considered for future firmware versions.
It may be possible for some of the proposed features to be implemented using one or more PLCnext Store apps. If a PLCnext Community member is currently working on something in this area, perhaps they will add a comment here.