Project Signature

The HMI device can be configured to accept only signed projects. The signature makes sure that only authorized users can update the JMobile HMI Runtime application.

To configure the HMI device to accept only signed projects, an X.509 certificate is required to sign the projects.

The X.509 certificate consists of two parts:

  1. certificate.pfx
    A file with the private key needed to sign the project. It must be installed on the PC and is used by JMobile Studio to sign the project to download to the HMI device. (The private key must be kept confidential, because whoever owns it can modify the project on the panel.)

  2. certificate.crt
    A file with the public key that must be loaded on the HMI device so that the device can check whether the project is correctly signed. (This file is saved in a protected area of the HMI device, because if it were replaced the protection would be lost.)

We use the Secure Hash Algorithm (SHA256).

How to install the certificate on the PC

To install the certificate on the PC, double-click the certificate.pfx file to start the Windows installation wizard. You will be prompted for the password associated with the certificate and for where to install it (for example, it could be installed in the "Personal" folder).

To remove the certificate from the PC, open the Windows Credential Manager and remove the "HMIServer/prjsign" item.

How to install the certificate on the HMI device

On the HMI device the certificate.crt can be installed from the System Settings of the HMI device in the Security area (Ref. "Security").

In the Security area, select:

How to install the certificate on the JMobile PC Runtime

You can select the certificate to use from the context menu (Ref.: "Context menu options").

Note that the certificate to use must be installed on your PC (you can double-click the certificate file to install it).

How to configure JMobile Studio to sign the project before downloading it

After installing the two certificate files, you can sign the application that will be downloaded to the panel by setting the "Sign Project" property, available in the "Project Properties", to true (see "Project"). When you download a project to the HMI device, you are prompted for the certificate to use, which must correspond to the certificate installed on the HMI device.

Script to generate a Certificate

Here is an example of how to generate a certificate using the public OpenSSL-Win32 library (Reference: https://www.openssl.org/).

File: CreateCertificates.cmd

@echo off
set OpenSSL="C:\Program Files (x86)\OpenSSL-Win32\bin\openssl.exe"
set CertificateName=MyCertificate

rem Generate an RSA key
%OpenSSL% genrsa -out certificate.key 4096

rem Creating Certificate Signing Requests
%OpenSSL% req -new -sha256 -key certificate.key -out certificate.csr -subj "/ST=NY/C=US/L=New York/O=CompanyName/OU=R&D Team/CN=%CertificateName%"

rem Self Sign the Certificate Signing Requests
%OpenSSL% x509 -req -days 365 -in certificate.csr -signkey certificate.key -out certificate.crt

rem Convert to .pfx file
%OpenSSL% pkcs12 -export -out certificate.pfx -inkey certificate.key -in certificate.crt -CSP "Microsoft Enhanced RSA and AES Cryptographic Provider"

pause

The procedure requires you to create a password, which will then be required to access the private key of the certificate.
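
A check to run on the files produced by CreateCertificates.cmd, given here as an added example that is not part of the original documentation: it confirms that certificate.crt carries no private key, that certificate.key and certificate.crt belong together, and prints the SHA-256 fingerprint to record before loading the file on the HMI device. The script name VerifyCertificates.cmd and the temporary file names are assumptions; the OpenSSL path and certificate file names are those of the script above.

```batch
@echo off
setlocal
rem VerifyCertificates.cmd (hypothetical name) - added example.
rem Assumes it runs in the folder where CreateCertificates.cmd wrote its output.
set OpenSSL="C:\Program Files (x86)\OpenSSL-Win32\bin\openssl.exe"

rem 1. The file copied to the HMI device must hold only the public part.
findstr /C:"PRIVATE KEY" certificate.crt >nul
if not errorlevel 1 (
    echo ERROR: certificate.crt contains a private key, do not load it on the HMI device.
    exit /b 1
)

rem 2. Extract the public key from the certificate and from the private key.
%OpenSSL% x509 -in certificate.crt -noout -pubkey > crt_pub.tmp
if errorlevel 1 goto :failed
%OpenSSL% pkey -in certificate.key -pubout > key_pub.tmp
if errorlevel 1 goto :failed

rem 3. Both public keys must be identical; if they differ, the certificate
rem    on the device does not correspond to the key used for signing.
fc /b crt_pub.tmp key_pub.tmp >nul
if errorlevel 1 (
    echo ERROR: certificate.key does not match certificate.crt
    del crt_pub.tmp key_pub.tmp
    exit /b 1
)
del crt_pub.tmp key_pub.tmp

rem 4. Show what to record: subject, expiry date and SHA-256 fingerprint.
%OpenSSL% x509 -in certificate.crt -noout -subject -enddate -fingerprint -sha256
echo OK: key and certificate match.
exit /b 0

:failed
echo ERROR: OpenSSL could not read certificate.crt or certificate.key
del crt_pub.tmp key_pub.tmp 2>nul
exit /b 1
```

The generation script writes certificate.key without password protection, so once certificate.pfx has been created and checked, keep certificate.key as restricted as the .pfx or remove it.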