Guidelines: Server/Instance Certificate Export/Import

About this task

  • CIMPLICITY OPC UA Client Instance Certificate
  • UA Server Instance Certificate

CIMPLICITY OPC UA Client Instance Certificate

In order for the OPC UA Server to trust the CIMPLICITY OPC UA client, the client Instance certificate must be in a Trusted folder on the OPC UA server. The certificate can be transferred from the OPC UA Client to the server by either of two methods.

Automatic Transfer

During an attempt to connect the client to the server, the client Instance certificate will be sent to the server directly.

The server’s administrator can decide to trust it or reject it.

Export to a *.cer/*.der File

If the OPC UA Server system administrator requests a certificate do the following.

Procedure

  1. Right-click the Instance certificate in the Windows Certificate Store>UA Applications>Certificates pane.

    The Certificate Export Wizard opens.

  2. Select the following as you go through the Wizard
    Screen Select
    Private Key No, do not export the private key.
    File Format DER encoded binary X.509 (.CER)
    File name Name assigned to the .cer file. Notes
    • The name does not have to match the Instance certificate name.
    However, the name should make it clear what certificate is being used.
    • Click the Browse button that is on the screen to open a Windows browser and select the location/enter the name to be applied.

    The new file will be available in the  specified location after you exit the Certificate Export Wizard.

  3. Find the *.cer file that was just created.
  4. (In many instances) rename the file extension from:

    *.cer

    to *.der.

    Note: Many OPC UA Servers only recognize the .der extension.

    Result: The file is ready to send to the UA Server Administrator.

    UA Server Instance Certificate

    Important:

    The default PKI root folder location is C:\ProgramData\CIMPLICITY.., which is a hidden folder.

    Set Windows Explorer to display hidden folders.

    The OPC UA Client will trust the OPC UA Server after the CIMPLICITY OPC UA Client is configured to trust  the Server Instance certificate directly, by storing it in the location designated for trusted certificates.

    Note: If the server certificate is not self-signed, it is enough to save the issuer’s certificate in the trusted location, but also possible to store the Server certificate directly.

    The certificate may come from a server that is trusted already, if:

    • The certificate itself or one of its issuer’s certificate is in the trusted certificates folder.
    • Other issuers’ certificates from the chain that are in the issuers certificates folder.

    Note: This is not applicable for self-signed certificates.

    When a user:

  5. Selects a secured communication mode in Device dialog box>OPC UA DA Configuration>Connection tab>Communication Security section.
  6. Clicks the Test Connection button in the OPC UA Client Device dialog box.

    The connection attempt will fail because the:

    1. CIMPLICITY OPC UA Client, initially, is not configured to trust the UA Server’s certificate.
    2. Client side rejects the UA Server’s certificate.

    The OPC UA Server’s certificate file (*[Thumbprint].der, where [Thumbprint] is the certificate thumbprint ) will be stored in the following folder.

    C:\ProgramData\Proficy\Proficy CIMPLICITY/certificates/rejected

  7. Moves (cut/paste) the certificate to the following folder.
    C:\ProgramData\Proficy\Proficy CIMPLICITY/certificates/trusted/certs

Results

The CIMPLICITY OPC UA Client will now trust the associated OPC UA server.

Note: A UA Server certificate can be issued by a certificate authority, which in turn can be issued by another higher level certificate authority.

As a result it can contain a chain of certificates.

If this is the case, the system administrator will need to determine which certificate should be placed in the trusted>certs folder and which others should be placed n the issuers>certs folder.