Let’s Encrypt Certificate with WinCC OA on Windows

This is a manual way to get and use Certificates from Letsencrypt with the Webserver (ULC UX) in WinCC Open Architecture. You have to update the certificate manually before it expires.

  • Temporarily configure IIS (HTTP) to get a new certificate via WIN-ACME
  • Download Win-ACME, it is a Letsencrypt Client for Windows + IIS
  • Set “PrivateKeyExportable” to TRUE! in settings.json of Win-ACME!
  • Execute Win-ACME wacs.exe and follow the instructions for fist setup.
  • Execute wacs.exe --renew --baseuri https://acme-v02.api.letsencrypt.org/ to renew a certificate.

  • Export Root Certificate as PEM:
  • Save Root Cert as root-cert.pem to the WinCC OA project config directory.

  • Export the Host Certificate with “certlm”
  • Convert Certificate from PFX to Certificate and Private-Key
openssl pkcs12 -in [yourfile.pfx] -nocerts -out keyfile-encrypted.key
openssl rsa -in keyfile-encrypted.key -out privkey.pem
=> Save to config/privkey.pem

openssl pkcs12 -in [yourfile.pfx] -clcerts -nokeys -out certificate.pem
=> Save to config/certificate.pem