Self-signed certificate
- Last Updated: Jun 26, 2025
- PI System
- Adapter for OPC UA 1.6
- Adapters
Adapter connections may use certificates for identification and encryption. If needed, the OPC UA adapter generates a self-signed certificate. The generated certificate expires 10 years from the date of generation.
When the adapter certificate approaches expiration, warnings will be logged daily starting 30 days prior to expiration. After the certificate is expired, errors will be logged daily.
To generate a new self-signed certificate, move or delete the OpcUa Adapter\Certificates\own directory and restart the adapter.
Note: AVEVA strongly recommends using CA-signed certificates for production systems. Self-signed certificates are not safe to use for production systems. If you use a self-signed certificate for the AVEVA adapter, every computer that uses it will need to manually trust the certificate. This can be a difficult and error-prone process that makes the system less secure.
Configure OPC UA adapter security using the generated self-signed certificate
Complete the following steps to configure adapter security:
- In your data source configuration, set the useSecureConnection parameter to true. For more information, see Data source configuration.
  The adapter checks whether the server certificate is present in the adapter trusted certificates folder and, if it is, trusts it. If the certificates were not exchanged before the first attempted connection, the adapter persists the server certificate in the adapter rejected certificates folder. The following warning message about the rejected server certificate is logged:
  2019-09-08 11:45:48.093 +01:00 [Warning] Rejected Certificate: "DC=MyServer.MyDomain.int, O=OSIsoft, CN=Simulation
- Manually move the server certificate from the adapter rejected certificates location to the adapter trusted certificates location using a file explorer or command-line interpreter.
  Linux example using command-line:
  sudo mv /usr/share/OSIsoft/Adapters/OpcUa/Certificates/rejected/certs/'SimulationServer [F9823DCF607063DBCECCF6F8F39FD2584F46AEBB].der' /usr/share/OSIsoft/Adapters/OpcUa/Certificates/trusted/certs/
  Note: Administrator or root privileges are required to perform this operation.
- After the certificate is in the adapter trusted certificates folder, the adapter trusts the server and the connection attempt proceeds with the connection call to the configured server.
- Add the certificate of the adapter to the server's trust store.
  The connection succeeds only when the adapter certificate is trusted on the server side. For more details on how to make a client certificate trusted, see your OPC UA server documentation. In general, servers work in a similar fashion to clients, so you can take a similar approach to make the client certificate trusted on the server side.
When certificates are mutually trusted, the connection attempt succeeds and the adapter is connected to the most secure endpoint provided by the server.
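Before a rejected certificate is moved into the trusted folder, its thumbprint can be compared with a value obtained out-of-band from the server administrator. The script below is an added example, not AVEVA's code: the function names are hypothetical, and it assumes the bracketed value in the certificate file name is the SHA-1 digest of the DER file.

```shell
#!/usr/bin/env bash
# Added example (not AVEVA code): trust a rejected server certificate only after
# its thumbprint matches a value obtained out-of-band from the server owner.
# Assumption: the thumbprint is the SHA-1 digest of the DER file, i.e. the
# 40-hex-digit value in brackets in the file name shown on this page.

# Print the SHA-1 thumbprint of a DER file as upper-case hex.
cert_thumbprint() {
    sha1sum < "$1" | cut -d' ' -f1 | tr 'a-f' 'A-F'
}

# Normalize an operator-supplied thumbprint: drop colons and spaces, upper-case.
normalize_thumbprint() {
    printf '%s' "$1" | tr -d ': ' | tr 'a-f' 'A-F'
}

# trust_certificate <der_file> <expected_thumbprint> <trusted_dir>
# Returns 0 after moving the file, 1 on thumbprint mismatch, 2 on bad input.
trust_certificate() {
    local der="$1" trusted_dir="$3" expected actual
    if [ ! -f "$der" ] || [ ! -d "$trusted_dir" ]; then
        echo "missing certificate file or trusted directory" >&2; return 2
    fi
    expected=$(normalize_thumbprint "$2")
    case $expected in
        ''|*[!0-9A-F]*) echo "expected thumbprint is not hex" >&2; return 2 ;;
    esac
    if [ "${#expected}" -ne 40 ]; then
        echo "expected thumbprint must be 40 hex digits" >&2; return 2
    fi
    actual=$(cert_thumbprint "$der")
    if [ "$actual" != "$expected" ]; then
        echo "MISMATCH: $der is $actual, expected $expected; left untrusted" >&2
        return 1
    fi
    # A file name that does not carry its own thumbprint deserves a second look.
    case ${der##*/} in
        *"[$actual]"*) ;;
        *) echo "note: file name does not contain thumbprint $actual" >&2 ;;
    esac
    mv -- "$der" "$trusted_dir"/ && echo "trusted: ${der##*/}"
}

# Script usage: pass the three arguments of trust_certificate.
if [ "$#" -eq 3 ]; then
    trust_certificate "$@"
fi
```

Run it with the same privileges the manual move requires; on a mismatch the file stays in the rejected folder for investigation.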