UA Applications in the Windows Certificate Store (MMC)

About this task

The Windows Certificate Store:

  • Holds the CIMPLICITY UA application certificates, which are created by default in the Local Computer certificate store named UA Applications.
  • Is managed with the Certificates snap-in provided by Microsoft Windows, which is what you use if you need to export or import certificates.

Procedure

  1. Open the Microsoft Management Console by typing mmc.exe at a command prompt and pressing Enter.
  2. Click File>Add/Remove Snap-in on the Console menu bar to add the Certificates snap-in.
  3. In the Add or Remove Snap-ins dialog box, select Certificates, click Add, and then click OK.
  4. In the Certificates snap-in dialog box, select Computer account and click Next.
  5. In the Select Computer dialog box, select Local computer and click Finish.
  6. Click OK.

    Result: The CIMPLICITY UA application certificates will be available for export/import.
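    The store that the snap-in shows under Certificates (Local Computer) > UA Applications can also be read from an elevated PowerShell prompt, which is convenient when you want to check what is there, or script an export/import, without clicking through MMC. The script below is an added example and is not part of the original documentation or of the CIMPLICITY product; it assumes only the store name given above (UA Applications under the Local Computer), and the peer certificate path it imports is a placeholder you must replace.

```powershell
# Added example: inspect, export from, and import into the Local Computer
# store "UA Applications" without opening the Certificates snap-in.
# Run from an elevated PowerShell prompt on the CIMPLICITY machine.

$StorePath = 'Cert:\LocalMachine\UA Applications'   # store name as documented above

if (-not (Test-Path $StorePath)) {
    # The store is created by CIMPLICITY when the first certificate is generated.
    Write-Warning "Store '$StorePath' does not exist yet on this machine."
    return
}

# One row per certificate: the same information the snap-in's list view shows.
# HasPrivateKey distinguishes this machine's own instance certificates (key present)
# from peer certificates that were imported for trust (public part only).
Get-ChildItem -Path $StorePath |
    Select-Object Subject, Thumbprint, NotBefore, NotAfter, HasPrivateKey |
    Sort-Object NotAfter |
    Format-Table -AutoSize

# Export the public part of an instance certificate, as the snap-in's export
# wizard would with "Do not export the private key". This DER file is what a
# UA server administrator adds to that server's trust list.
$instanceCert = Get-ChildItem -Path $StorePath |
    Where-Object { $_.HasPrivateKey } |
    Sort-Object NotAfter -Descending |
    Select-Object -First 1
if ($instanceCert) {
    $outFile = Join-Path $env:TEMP ("{0}.der" -f $instanceCert.Thumbprint)
    Export-Certificate -Cert $instanceCert -FilePath $outFile -Type CERT | Out-Null
    Write-Host "Exported $($instanceCert.Subject) to $outFile"
}

# Import a certificate received from a peer into the same store, as the
# snap-in's import wizard would. $PeerCertFile is a placeholder path.
$PeerCertFile = 'C:\path\to\peer-ua-server.der'
if (Test-Path $PeerCertFile) {
    $imported = Import-Certificate -FilePath $PeerCertFile -CertStoreLocation $StorePath
    Write-Host "Imported $($imported.Subject) [$($imported.Thumbprint)]"
}
```

    Because the Local Computer store is used, both the listing and the import need the same rights the snap-in needs, so run the prompt as Administrator. Export-Certificate with -Type CERT never writes the private key, which is the right default when handing a certificate to a peer.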

    Run as Administrator

    Access to the Windows Certificate Store

    A user who creates the certificates must have proper access rights to the Windows Certificate store in order for the store to accept the certificates from the Workbench.

    Access rights can vary from one machine to another, depending on the:

    • Windows Operating System.
    • Local and/or domain security policies.

    Typically the Workbench can write to the store when the:

    • Workbench process is granted write access to the Windows Certificate store because the user is a member of the local machine's Administrators group.
    • User starts the Workbench as Administrator.

    Ultimately, it is the machine administrator's job to configure access rights. CIMPLICITY OPC UA Client does not do any access rights configuration.

    Tip: To run the Workbench as administrator, right-click the Workbench in the Windows Start menu>HMI SCADA - CIMPLICITY v10.0 section. Select Run as administrator on the pop-up menu, and open the OPC UA Client project through the Workbench. If you use this method frequently, create a Workbench shortcut on your desktop.

    Existing Certificates

    Once certificates are created, no write access is required.

    Therefore in order to read existing certificates, in most cases, there is no need to run the Workbench as Administrator.

    Exceptions include the following.

    • The certificates created in CIMPLICITY always include a public key and a private key. The private key has its own access rights settings, which depend on the operating system. As a result, on some machines or in some operating systems, the Workbench user, even an Administrator, cannot access the private key without elevation. Such a user will still need to run the Workbench as Administrator in order to read, configure and test the projects.
    • If the system administrator decides to run the DevCom process under a user account that is different from the default system account, that account must be granted access rights to the Windows Certificate store, including read access to the instance certificate's private key.

    If the user is not granted those access rights, the Workbench will have to be run as Administrator.

    By default, the CIMPLICITY OPC UA Device Communication process (CimOpcUaClient.exe) runs under a Windows system account, which has access rights to the Windows Certificate Store.

    As a result, after a project starts successfully, you can read certificates, communicate with the UA Server, and retrieve point values.
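    The two exceptions above come down to one question: can the account that needs the instance certificate read the file that holds its private key? The script below is an added example, not part of the original documentation or of CIMPLICITY; it locates the key file behind each certificate in the UA Applications store, prints its ACL, and can grant Read to a named account such as the one a DevCom process runs under. It assumes the keys live in the standard machine key containers under %ProgramData%\Microsoft\Crypto (true for software-backed CAPI and CNG keys); the service account name is a placeholder. Run it from an elevated PowerShell prompt.

```powershell
# Added example: show and optionally fix who can read the private keys of the
# certificates in Cert:\LocalMachine\UA Applications. Run elevated.
param(
    [string]$StorePath   = 'Cert:\LocalMachine\UA Applications',
    [string]$GrantReadTo = ''      # e.g. 'DOMAIN\svc-devcom' (placeholder); empty = report only
)

# Standard on-disk locations of machine key containers (assumption: software keys).
$KeyRoots = @(
    "$env:ProgramData\Microsoft\Crypto\RSA\MachineKeys",   # CAPI (CSP) keys
    "$env:ProgramData\Microsoft\Crypto\Keys",              # CNG (KSP) keys
    "$env:ProgramData\Microsoft\Crypto\SystemKeys"
)

function Get-PrivateKeyFile {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    # Opening the key is itself an access check: with no rights on the key this
    # throws a CryptographicException, which is the "even an Administrator cannot
    # access the private key" case described above.
    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($Cert)
    if ($null -eq $rsa) { return $null }
    $name = if ($rsa -is [System.Security.Cryptography.RSACng]) {
        $rsa.Key.UniqueName                                   # CNG container file name
    } else {
        $rsa.CspKeyContainerInfo.UniqueKeyContainerName       # CAPI container file name
    }
    foreach ($root in $KeyRoots) {
        if (-not (Test-Path $root)) { continue }
        $hit = Get-ChildItem -Path $root -Recurse -File -Filter $name -ErrorAction SilentlyContinue |
               Select-Object -First 1
        if ($hit) { return $hit.FullName }
    }
    return $null
}

foreach ($cert in Get-ChildItem -Path $StorePath | Where-Object { $_.HasPrivateKey }) {
    Write-Host "== $($cert.Subject)  [$($cert.Thumbprint)]"
    try {
        $keyFile = Get-PrivateKeyFile -Cert $cert
    } catch [System.Security.Cryptography.CryptographicException] {
        Write-Warning "  private key not readable by $env:USERNAME: $($_.Exception.Message)"
        continue
    }
    if (-not $keyFile) {
        Write-Warning '  key container not found on disk (hardware or non-file key storage?)'
        continue
    }

    # Who can currently use this key. A DevCom service account must appear here
    # with at least Read, or the process cannot open secure UA sessions.
    $acl = Get-Acl -Path $keyFile
    foreach ($ace in $acl.Access) {
        Write-Host ("  {0,-40} {1,-6} {2}" -f $ace.IdentityReference, $ace.AccessControlType, $ace.FileSystemRights)
    }

    if ($GrantReadTo) {
        # Read is sufficient to use the key for TLS; do not grant Modify or FullControl,
        # which would let the account replace or delete the key.
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($GrantReadTo, 'Read', 'Allow')
        $acl.AddAccessRule($rule)
        Set-Acl -Path $keyFile -AclObject $acl
        Write-Host "  granted Read on $keyFile to $GrantReadTo"
    }
}
```

    Run it once with no -GrantReadTo to see the current ACLs; a key that reports "not readable" under your own elevated account is the case where the Workbench must be started as Administrator, and a missing entry for the DevCom account is the case the second bullet describes.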

    Non-Secured Mode

    Access to the certificate store is required only when certificates need to be written or read.

    If a:

    • Device is configured to connect in non-secured mode, an Instance certificate is not needed.
    • UA Session user identity is Anonymous, then there is no need to encrypt or decrypt user name/password.

    The default settings are non-secured communication with an Anonymous user.

    By default: No certificates or access is required. There is no need to Run as Administrator.