SSL certificate validity

The SSL (Secure Sockets Layer) protocol is a security layer inserted between the transport layer (TCP/IP) and the application layer (e.g., HTTP). It secures communication by encryption and enables authentication (identity verification) of the communicating parties. The result is a secure (encrypted) connection, e.g., using the HTTPS protocol.

Warning: use certificate validation only if you are aware of the possible consequences of enabling this function. Certificates are valid only for a limited time, so a certificate may expire after a certain period (the validity period is different for each certificate).

As a result, the PLC will no longer be able to communicate securely over the Internet, so it will stop communicating with Mervis Proxy, Mervis DB, or other servers. Valid certificates can then be uploaded to the PLC only locally, so a service trip to the PLC is required.

Certificate validation, or certificate verification, means that Mervis RT communicates with cloud servers (Proxy, DB, SCADA) over a secure encrypted SSL connection and verifies the connection's security against the available certificates, which are issued by certification authorities.

In order to use this function, it is necessary to ensure:

  1. Availability of current certificates
    • certificates are up-to-date at the moment of release of the Mervis OS operating system, starting with Mervis OS version
    • certificates can be updated by uploading them from Mervis IDE (instructions below)
  2. Setting SSL addresses of the cloud services, or enabling SSL
    • Mervis DB:
    • Mervis Proxy:
  3. Enabling certificate validation in the RT configuration

If the above conditions are not met, communication will not be established.

Example of Mervis Proxy and DB settings in RT configuration:

Mervis Proxy parameters

Mervis DB parameters

To upload certificates to the PLC, you need Mervis IDE installed and a solution with an assigned PLC.

To add or replace certificates, right-click on the PLC and select:
PLC Operation → Upload Certificates

A dialog with a total of 4 lines will open; only the first two are of interest here:

  • Default CA: these certificates are up-to-date at the time of Mervis OS image generation. Uploading a file here replaces the default certificates.
  • User CA: these certificates are not included in the default state of RT. Missing certificates can be added by uploading them here; the default CAs are not affected in any way.

After clicking OK, the certificates will be uploaded to the PLC.

Note: the file name extension can be arbitrary.

Updating certificates due to expiration

Certificates issued after September 1st, 2022 are valid for a maximum of 1 year, so it is important to update the certificates regularly. The update is possible by replacing the default CA with the new public certificates (certificate file) according to the instructions above, or by uploading the most current version of Mervis OS to the PLC.

Note: download current certificates only from trusted sites.
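A pre-upload check of the certificate file's expiry dates, as an added example that is not part of Mervis IDE or the original documentation. It assumes the certificate file is a PEM bundle; the 90-day `warn_days` margin, the function names and the sample entries are constructed for illustration.

```python
import ssl
import sys
from datetime import datetime, timezone

# Constructed sample in the dict layout that get_ca_certs() returns.
SAMPLE = [
    {"subject": ((("commonName", "Constructed Public Root"),),),
     "notAfter": "Jan  1 00:00:00 2030 GMT"},
    {"subject": ((("commonName", "Constructed Intranet CA"),),),
     "notAfter": "Feb 15 12:00:00 2024 GMT"},
    {"subject": ((("commonName", "Constructed Old Root"),),),
     "notAfter": "Dec  1 00:00:00 2023 GMT"},
]

def load_ca_certs(pem_path):
    """List the CA certificates in a file (assumed to be a PEM bundle)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)  # starts with no trusted CAs
    ctx.load_verify_locations(cafile=pem_path)     # ssl.SSLError if unparsable
    return ctx.get_ca_certs()  # only entries OpenSSL classifies as CA certs

def common_name(cert):
    """Pick the subject commonName out of the nested RDN tuples."""
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return value
    return "<no commonName>"

def expiry_report(certs, now, warn_days=90):
    """Rows of (status, days_left, name), soonest expiry first; warn_days is an assumed margin."""
    rows = []
    for cert in certs:
        not_after = datetime.fromtimestamp(
            ssl.cert_time_to_seconds(cert["notAfter"]), tz=timezone.utc)
        days_left = (not_after - now).days
        if not_after <= now:
            status = "EXPIRED"
        elif days_left <= warn_days:
            status = "RENEW"
        else:
            status = "OK"
        rows.append((status, days_left, common_name(cert)))
    return sorted(rows, key=lambda row: row[1])

if __name__ == "__main__":
    # With a file argument check that file, otherwise the constructed sample.
    certs = load_ca_certs(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE
    for status, days_left, name in expiry_report(certs, datetime.now(timezone.utc)):
        print(f"{status:8} {days_left:6d} days  {name}")
```

Running it against the file before uploading it as Default CA or User CA shows which entries would leave the PLC unable to validate servers before the next planned visit.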

Replacing the default certificates with your own

In some cases (e.g., within an intranet) it is useful to secure communication with your own certificates and not use public certificates at all. In this case, prepare a certificate file and upload it as the default CA, replacing the default certificates with your own.

Adding your own certificates without affecting the default certificates

In cases where the PLC is, for example, in a large corporate network but also has access to the Internet, it is advisable to combine public certificates with your own.

To do so, upload your certificate file as a user CA. An update of the default CA can be uploaded at the same time. If you do not want to update the default certificates, leave the box blank.