What Certificates do I Require?

If you choose to use TLS to provide a secure connection, you will need a set of certificates and private keys for Geo SCADA Expert and for the device or application at the other end of the connection. (When Geo SCADA Expert is a TLS client, this is the device or application to which Geo SCADA Expert is to connect. When Geo SCADA Expert is the TLS server, this applies to each device or application that is to connect to the relevant driver in Geo SCADA Expert.) If you do not authenticate (not recommended), you only need a certificate and private key for the TLS server (which might be Geo SCADA Expert or the other device or application, depending on your system setup).

If you use your organization's private certificate authority (CA) to issue certificates for mutual authentication (which is recommended and is required for IEC 62351-3 compliance), you will have at least three certificates (for the root, the client, and the server). However, you are more likely to have four or more certificates (the root certificate, one or more intermediate certificates, the client certificate, and the server certificate).

When you have multiple certificates (such as a chain of certificates that includes one or more intermediate certificates), you will need to merge all of those certificates into one file before importing that certificate file into Geo SCADA Expert.

If you are using a certificate authority to issue certificates, you store the certificate authority's root certificate in the database; this tells the items that reference that certificate database item to trust all of the certificates that are issued by that certificate authority. If you are using mutual authentication, the device or application to which Geo SCADA Expert is to connect will also need a copy of the root certificate in its trusted certificates.

If you are using self-signed certificates for mutual authentication, two certificates are required (one self-signed certificate for the client and one for the server). With mutual authentication, authentication is applied separately in each direction (the server authenticates the client, and the client authenticates the server).

If you are using self-signed certificates, you need to store a copy of the device or application's self-signed certificate in the database. When Geo SCADA Expert is the TLS server, you need to store a copy of the self-signed certificate for each client (such as an outstation) that is to connect to that server. You can merge all of the certificates for the clients into a single file, provide separate certificate files for each client, or provide a combination of merged and individual certificate files. You store each certificate file in an SSL Certificate database item. Using self-signed certificates in this way can get difficult to manage and scale; as such, you might prefer to use certificates from a certificate authority.
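Merging a certificate chain, or the self-signed certificates of several clients, into one file before import (as described above) is shown here as an added example; it is not Geo SCADA Expert's own code and assumes the files are PEM-encoded. It keeps only CERTIFICATE blocks (so a private key pasted alongside never lands in the bundle), checks that each block is DER data, drops duplicates such as a root repeated in two chain files, and preserves the order given. The function names and the certificate bodies used for testing are constructed for illustration.

```python
"""Merge PEM certificate files into one bundle for import (added example, not
Geo SCADA Expert code; PEM bodies used in tests are constructed stand-ins)."""
import base64
import re

# One PEM block; the label says whether it is a CERTIFICATE or something
# else (a private key, a CRL) that must not end up in the trust bundle.
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----\s*(.*?)\s*-----END \1-----", re.DOTALL)


def extract_certificates(pem_text: str) -> list[bytes]:
    """Return the DER bytes of each CERTIFICATE block, in file order.

    Non-certificate blocks are skipped; each body must be valid base64
    that decodes to a DER SEQUENCE (0x30), as every X.509 certificate does.
    """
    certs = []
    for label, body in PEM_BLOCK.findall(pem_text):
        if label != "CERTIFICATE":
            continue
        der = base64.b64decode("".join(body.split()), validate=True)
        if not der or der[0] != 0x30:
            raise ValueError("PEM CERTIFICATE block is not DER data")
        certs.append(der)
    return certs


def merge_bundle(pem_texts: list[str]) -> str:
    """Concatenate the certificates from several PEM texts into one file.

    A certificate present in more than one input (e.g. the same root in
    two chain files) is emitted once; first-seen order is preserved.
    """
    seen, out = set(), []
    for text in pem_texts:
        for der in extract_certificates(text):
            if der not in seen:
                seen.add(der)
                b64 = base64.b64encode(der).decode("ascii")
                body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
                out.append(f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n")
    return "".join(out)


def fake_pem(label: str, payload: bytes) -> str:
    """Constructed PEM block for demonstration; the payload is not a real cert."""
    return f"-----BEGIN {label}-----\n{base64.b64encode(payload).decode()}\n-----END {label}-----\n"
```

Pass the text of each chain or client file to merge_bundle and write the returned string to the single file you then import into the SSL Certificate database item.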

In Geo SCADA Expert, it is possible to use the same certificate in multiple places. For example, you might create one TLS server certificate and use it for every network channel in your database. Likewise, you might create one TLS client certificate and use it for every network outstation in your database.

Further Information

Which SSL Certificate File Types does my Driver Support?

For information about which certificate format and file types are supported by the device or application with which Geo SCADA Expert is to connect, please refer to the documentation provided with that device or application.