x.509 Certificate

To ensure the authenticity of reports generated by HMI devices, JMobile HMI Runtime can sign the report files it generates, so that their authenticity and integrity can be verified.

JMobile HMI Runtime uses asymmetric cryptography keys to sign files and the x.509 standard to manage public key certificates. The picture shows the architecture.

The public key can be signed by a Certificate Authority (CA) that guarantees its authenticity.

Workflow
  1. Each HMI device contains two keys:
    • Key1 is the secret key, which is used to sign the reports generated by the HMI device. This key is securely stored inside the HMI device.
    • Key2 is the public key that anyone can use to verify the authenticity of the reports signed by the HMI device.
  2. The macros "SaveEventArchive" or "PrintGraphicReport" can be used to generate signed reports (see "SaveEventArchive" or "PrintGraphicReport" for additional details).
  3. For the .csv file, you can use the public key and the signed file to verify that the report is authentic and has not been tampered with. (See "Signed CSV files")
  4. For the .pdf file, you can use a PDF reader to verify that the report is authentic and has not been tampered with. (See "Signed PDF files")

The internal x.509 certificate files

Each HMI device already has a self-signed certificate. You are free to use it, ask a Certificate Authority to sign it, create a new one using the information that you prefer, or upload and use your own certificate. All operations are available from the device "System Settings" (see the x.509 Certificate section inside the "System Settings").

Note that you can never retrieve the private key from the HMI device. You can instead provide a certificate with both private and public keys.

Use the self-signed certificate

To use the self-signed certificate, no action is required: simply use the macros that generate signed reports. Although the macros provide the certificate, you can use the "System Settings" to retrieve your own copy of the certificate (just to be sure of the originality of the certificate).

Use a certificate signed by a Certificate Authority

To use an HMI certificate signed by a certificate authority, download the certificate signing request file from the "System Settings" panel, send it to a certificate authority and ask them to sign the certificate (generally this is a paid operation), and then upload the signed certificate to the HMI device.

After retrieving the "certificate signing request" file to send to the certificate authority, be sure never to regenerate a new certificate; otherwise, the internal private key associated with the certificate sent to the authority will be lost.
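A check you can run before uploading the certificate returned by the authority, as an added example that is not part of the JMobile documentation or tooling: it compares the public key in the downloaded certificate signing request with the one in the signed certificate, using only the Python standard library. It assumes both files are PEM encoded; the function names and the file names in the usage comment are illustrative.

```python
import base64, re, sys

PEM_RE = re.compile(r"-----BEGIN ([A-Z ]+)-----(.*?)-----END \1-----", re.S)

def read_tlv(buf: bytes, pos: int = 0) -> tuple[bytes, int]:
    """Return (content, end offset) of the DER element starting at pos."""
    length, start = buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: next k bytes hold the length
        k = length & 0x7F
        if k == 0:
            raise ValueError("indefinite length is not valid DER")
        length, start = int.from_bytes(buf[start:start + k], "big"), start + k
    if start + length > len(buf):
        raise ValueError("truncated DER element")
    return buf[start:start + length], start + length

def children(element: bytes) -> list[bytes]:
    """Split a constructed DER element into its child elements (raw bytes)."""
    body, _ = read_tlv(element)
    out, pos = [], 0
    while pos < len(body):
        _, end = read_tlv(body, pos)
        out.append(body[pos:end])
        pos = end
    return out

def public_key_info(pem_text: str) -> bytes:
    """Raw SubjectPublicKeyInfo of the first certificate or CSR in a PEM file."""
    for label, b64 in PEM_RE.findall(pem_text):   # skips any PRIVATE KEY block
        if label.endswith("CERTIFICATE REQUEST"):
            index = 2                      # version, subject, subjectPKInfo
        elif label == "CERTIFICATE":
            index = None                   # position depends on the version field
        else:
            continue
        fields = children(children(base64.b64decode(b64))[0])
        if index is None:                  # v3 certificates start with [0] version
            index = 6 if fields[0][0] == 0xA0 else 5
        return fields[index]
    raise ValueError("no certificate or CSR found")

def matches_request(csr_pem: str, cert_pem: str) -> bool:
    """True if the signed certificate carries the key the CSR was issued for."""
    return public_key_info(csr_pem) == public_key_info(cert_pem)

if __name__ == "__main__":                 # usage: check.py device.csr signed.pem
    texts = [open(p, encoding="ascii").read() for p in sys.argv[1:3]]
    print("match" if matches_request(*texts) else "MISMATCH: do not upload")
```

A mismatch means the signed certificate belongs to a different key pair than the request it is being compared with, for example because the device certificate was regenerated after the request was downloaded.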

Use your own certificate

If you have your own certificate and would like to use it, you can upload it to the HMI device from the "System Settings" panel. Note that you must provide both private and public keys.

When the certificate contains a private key, the current private key will be substituted with the key found in the certificate and it will not be possible to recover it.

Example of a certificate with both public and private keys (certificates are base64 encoded).

You can import the same certificate file into each HMI device to have a single public certificate file for all your HMI devices.

JMobile PC Runtime

When using JMobile PC Runtime the certificate files can be found inside the folder:
%AppData%\Exor\<Version>\server\config\ssl-certificate