Configure Client Certificates for an OPC UA Server
Last Updated: Feb 05, 2024
You can use certificates to enable encrypted communications between a Plant SCADA OPC UA Server and an OPC UA client. To achieve this, both computers require access to the following certificates:
- The "<Computer Name> ASB OPC UA Server" certificate from the OPC UA Server.
- The client certificate from the OPC UA client.
Note: The information provided in this topic is intended for a scenario where SMS certificates are used on computers contained within your SCADA system network. If you want to deliver information across multiple domains or externally via the internet, we recommend you seek professional advice on setting up an external web server.
To complete this setup, you will need to perform the following procedures.
Copy the OPC UA Server certificate to the OPC UA client
You initially need to export a copy of two certificates created by the SMS.
- Open Windows™ Certificate Manager.
  To do this, you can type "manage computer certificates" into the Windows Search bar.
- In the tree view, go to the Personal branch, then select Certificates.
- Locate the certificate named "<computer name> ASB OPC UA Server".
- Right-click on the certificate and select All Tasks, then Export. This will open the Certificate Export Wizard.
  Depending on the type of certificates that your client application uses, you will need to export the certificate as a CER file (if the client uses the Windows™ Certificate Store) or a DER file (if the client uses file-based certificates). These two formats are the same; only the file extension is different.
- Use the following settings to export the certificate.
  - On the Export Private Key page, select No, do not export the private key.
  - On the Export File Format page, select DER encoded binary X.509 (.CER) or Base-64 encoded X.509 (.CER), depending on the requirements of your client application.
  - On the File To Export page, enter a path and file name (for example, "c:\temp\<machine name> OPC UA Server.cer").
- When you reach the Finish page, review the settings and click Finish to export a copy of the certificate.
Once the certificate has been exported, you may need to rename the file extension on the certificate from ".cer" to ".der" (if the client uses file-based certificates).
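The same export, scripted, as an added example that is not part of the original page: it selects the "ASB OPC UA Server" certificate in the Local Machine Personal store, writes it out without the private key in DER form, produces the .der copy for file-based clients, and checks that no private key left the machine. The output folder C:\temp and the subject/friendly-name match are assumptions; run it as an administrator on the OPC UA Server computer.

```powershell
# Added example (not from the original page). Assumptions: run as administrator on the
# OPC UA Server computer; C:\temp is a placeholder output folder; the certificate is
# identified by "ASB OPC UA Server" appearing in its Subject or Friendly Name.
$OutDir = 'C:\temp'
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

# Pick the newest matching certificate from Cert:\LocalMachine\My (the Personal store).
$cert = Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like '*ASB OPC UA Server*' -or $_.FriendlyName -like '*ASB OPC UA Server*' } |
    Sort-Object NotAfter -Descending |
    Select-Object -First 1
if (-not $cert) { throw "No 'ASB OPC UA Server' certificate found in Cert:\LocalMachine\My" }

# Export-Certificate -Type CERT writes the public certificate only, which is the same result as
# the wizard's "No, do not export the private key" + "DER encoded binary X.509 (.CER)".
$cerPath = Join-Path $OutDir "$env:COMPUTERNAME OPC UA Server.cer"
Export-Certificate -Cert $cert -FilePath $cerPath -Type CERT | Out-Null

# File-based clients want the identical bytes with a .der extension; copy so both remain.
$derPath = [System.IO.Path]::ChangeExtension($cerPath, '.der')
Copy-Item -Path $cerPath -Destination $derPath -Force

# Sanity checks: the exported file must carry no private key and must be the same certificate.
$exported = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $derPath
if ($exported.HasPrivateKey) { throw 'Exported file unexpectedly contains a private key' }
if ($exported.Thumbprint -ne $cert.Thumbprint) { throw 'Thumbprint mismatch after export' }
'Exported "{0}" (thumbprint {1}) to {2} and {3}' -f $cert.Subject, $cert.Thumbprint, $cerPath, $derPath
```

If the client requires the Base-64 variant instead, `certutil -encode` converts the DER file to PEM without changing the certificate itself.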
Import the OPC UA Server Certificate on the Client Computer
OPC UA client applications will generally use one of the following mechanisms to manage certificates:
- Using the Windows™ Certificate Store
- Storing certificates in a specified folder (that is predefined by the OPC UA client application)
Import a certificate into the Windows Certificate Store
Importing a certificate into the Windows Certificate Store requires administrator rights.
- Copy the "<machine name> OPC UA Server.cer" file to an appropriate location on the client computer.
- Right-click on the CER file and select Install Certificate. This will open the Certificate Import Wizard.
- Use the following settings.
  - Under Store Location, select Local Machine.
  - On the Certificate Store page, select Personal.
- When you reach the last page, review the settings and click Finish.
Import a certificate into a specified location
Copy the "<machine name> OPC UA Server.der" file to the folder that is used by your OPC UA client application.
The table below includes the location of the certificate folder for some common OPC UA clients.
| OPC UA Client | Manufacturer | Certificate Folder |
|---|---|---|
| Datafeed OPC UA Client | Softing | C:\ProgramData\Softing\OpcClient\pki\trusted\certs |
| UaExpert | Unified Automation | C:\Users\Admin\AppData\Roaming\unifiedautomation |
| UA Client Getting Started | Unified Automation | C:\ProgramData\unifiedautomation |
| Matrikon | Matrikon | C:\Users\Admin\Appdata\Local\Matrikon |
| KEPServer | Kepware | C:\ProgramData\Kepware\KEPServerEX\V6\UA |
| Top Server | Software Toolbox | C:\ProgramData\Software Toolbox\TOP Server\V6\UA\Client Driver\cert |
For more information, please refer to the documentation provided with your OPC UA client application.
Configure the OPC UA client certificate on the OPC UA Server
The next step in this process is to trust the OPC UA client certificate on the computer the OPC UA Server is running on.
The easiest way to do this is to attempt to connect an OPC UA client to the server. As the server will not trust the client certificate yet, the connection is expected to be unsuccessful. However, after this happens, any OPC UA client certificates that are not installed on the OPC UA Server computer will be put into the "Rejected Certificate" folder on the OPC UA Server. By default, this is the following folder:
C:\ProgramData\AVEVA\PCS\OPC UA Rejected Client Certificates\certs
Accessing this folder requires administrator rights.
Import certificates from the Rejected Certificates folder
- Browse to the rejected certificate folder.
- Right-click on the certificate for the OPC UA client that you want to trust and select Install Certificate. This will open the Certificate Import Wizard.
- Use the following settings.
  - Under Store Location, select Local Machine.
  - On the Certificate Store page, select Trusted People.
- When you reach the last page, review the settings and click Finish.
Configure the OPC UA Server ports
OPC UA communicates via a single TCP port. This is specified in the Endpoint Connection setting for the OPC UA Server.
This defaults to port 48031.
You will need to confirm that this port is not blocked by any firewall software installed on your computer.
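The server-side steps above (trusting a certificate from the Rejected Client Certificates folder, then confirming the endpoint port), scripted as an added example that is not part of the original page. It lists what the server rejected, trusts only the certificate whose thumbprint matches a value you confirmed with the client's owner, verifies it landed in Trusted People, and checks that something is listening on port 48031 with an enabled inbound Allow rule. The folder path and port are the page's defaults; the thumbprint is a placeholder.

```powershell
# Added example (not from the original page). Assumptions: run as administrator on the
# OPC UA Server computer; folder and port are the page's defaults; $ExpectedThumbprint is a
# placeholder obtained from the client's operator (match on thumbprint, not file name, so the
# wrong certificate is never trusted by accident).
$RejectedDir        = 'C:\ProgramData\AVEVA\PCS\OPC UA Rejected Client Certificates\certs'
$ExpectedThumbprint = '<THUMBPRINT OF THE CLIENT CERTIFICATE>'   # placeholder
$Port               = 48031

# Load every rejected certificate and show what the server saw, so the operator can compare.
$rejected = Get-ChildItem -Path $RejectedDir -File -ErrorAction Stop | ForEach-Object {
    $c = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $_.FullName
    '{0}  subject={1}  thumbprint={2}  expires={3:yyyy-MM-dd}' -f $_.Name, $c.Subject, $c.Thumbprint, $c.NotAfter
    [PSCustomObject]@{ File = $_.FullName; Cert = $c }
}

# Trust only the certificate whose thumbprint matches the confirmed value.
$wanted = $ExpectedThumbprint.Replace(' ', '').ToUpper()
$match  = $rejected | Where-Object { $_.Cert -and $_.Cert.Thumbprint -eq $wanted } | Select-Object -First 1
if (-not $match) { throw "No rejected certificate has thumbprint $wanted" }
Import-Certificate -FilePath $match.File -CertStoreLocation Cert:\LocalMachine\TrustedPeople | Out-Null

# Verify it is now in Trusted People, the store the Certificate Import Wizard steps use.
$trusted = Get-ChildItem Cert:\LocalMachine\TrustedPeople | Where-Object Thumbprint -eq $wanted
if (-not $trusted) { throw 'Certificate was not found in Trusted People after import' }
'Trusted "{0}" ({1})' -f $match.Cert.Subject, $match.Cert.Thumbprint

# Endpoint port check: is the server listening, and does an enabled inbound Allow rule cover it?
# (Rules written as port ranges are not matched by this simple filter.)
if (-not (Get-NetTCPConnection -LocalPort $Port -State Listen -ErrorAction SilentlyContinue)) {
    Write-Warning "Nothing is listening on TCP $Port; check the OPC UA Server Endpoint Connection setting."
}
$allowRules = Get-NetFirewallPortFilter -Protocol TCP |
    Where-Object { @($_.LocalPort) -contains "$Port" } |
    Get-NetFirewallRule |
    Where-Object { $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' -and $_.Action -eq 'Allow' }
if (-not $allowRules) {
    Write-Warning "No enabled inbound Allow rule for TCP $Port; the client connection may be blocked."
} else {
    "Firewall rules allowing TCP ${Port}: " + (($allowRules.DisplayName | Sort-Object -Unique) -join ', ')
}
```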