Connect to an OPC UA server using CA-signed certificates

This task describes how to configure the OPC UA server and client to communicate securely using CA-signed certificates.

This task is a supplement to the previous task, Configure an OPC UA Client worksheet. It assumes that you have already created a new OPC UA connection and are now configuring the security settings for that connection.

This task also assumes that you have acquired a CA-signed certificate that you are authorized to use with your project. The certificate should be a Distinguished Encoding Rules file (*.der). You should also have the password for the certificate.

A CA-signed certificate is a certificate signed by a trusted Certificate Authority (CA). CA-signed certificates are safe to use in most situations, even when you do not directly control both the server and the client, because trust is anchored in the CA rather than in each individual certificate: both sides agree to trust the CA.

You can buy certificates from Certificate Authority companies such as VeriSign, DigiCert, and GeoTrust, although InduSoft does not endorse any particular company.

You can also create your own Certificate Authority on some servers, but you should do so only if you understand the security issues involved. Specifically, you should understand the difference between self-signed certificates and certificates signed by a self-created CA. That is beyond the scope of this documentation.

Once you have a CA-signed certificate, you can use it to sign other certificates that you create for your server and client applications. Each subsequent certificate is considered to be signed by the same trusted CA.

Please note that in this task, “OPC UA server” is a generic reference to any of the available hardware or software products that can run as an OPC UA server. For more information about how to complete certain steps, you should consult the manufacturer’s documentation for your specific server. We have included examples based on the free OPC UA Sample Server and UA Configuration Tool offered by the OPC Foundation, but these examples should be used only as a guideline.

To connect to an OPC UA server using CA-signed certificates:

  1. On your OPC UA server, import the CA-signed certificate into the server’s certificate store. The CA-signed certificate will be used to sign the server and client certificates that you create in the following steps. Example: Run the UA Configuration Tool. Click Manage Certificates, and then click Import Certificate to Store. A standard Open File dialog is displayed. Use the dialog to locate and select the CA-signed certificate, and then click Open. You will be asked to confirm the import. Click Yes.
  2. On your OPC UA server, create a new, signed server certificate. If there is an old server certificate in the certificate store, you may be prompted to overwrite or delete it. It should be safe to do so as long as there are no other clients connected to the server. Example: In the UA Configuration Tool, click Manage Application. In the Application To Manage list, make sure Opc.Ua.SampleServer is selected, and then click Create Application Certificate. The Create Certificate dialog is displayed. Configure the certificate settings as desired. In the CA Key File box, click Browse to select the CA-signed certificate that you imported in the previous step. In the CA Password box, type the password for the CA-signed certificate. Click OK to create the new certificate, and then restart the OPC UA Sample Server to make sure it uses the certificate.
  3. Add the CA-signed certificate to your project’s issuer list — copy (but do not move) the certificate file to your project folder at: […]\Documents\InduSoft Web Studio v7.1 Projects\projectname\Config\IssuerList\Certs The issuer list determines which other certificates your project will trust. When you tell your project to trust the signed server certificate, that certificate is checked against the CA-signed certificate in the issuer list to verify that its signature was made by that CA.
  4. In InduSoft Web Studio, in the UA Server Configuration dialog, click Security. The Security Settings dialog is displayed.
    Figure 1. Security Settings dialog

  5. In the Message Security Mode and Security Policy lists, select the settings required by your OPC UA server. In a typical configuration, Message Security Mode is Sign and Encrypt and Security Policy is Basic128Rsa15.
  6. Click Trust server certificate. In most cases, you do not need to change the Trust List or Issuer Certificate List settings. These are the default locations in your project folder where certificates are stored. You might change the locations if, for example, you have a single folder where you store certificates from several different programs, but we do not recommend it. The development application attempts to connect to the OPC UA server, and if it is successful, it gets the server certificate. A warning message is displayed, asking you to confirm that you trust the server certificate.
  7. Click OK to confirm. The server certificate file is copied to your project folder at: […]\Documents\InduSoft Web Studio v7.1 Projects\projectname\Config\TrustList\Certs\connectionname.der
  8. Click Create self-signed certificate. Although you are creating a self-signed certificate here, you will use the server to reissue it as a signed certificate. The Certificate Creation dialog is displayed.
  9. In the Certificate Creation dialog, complete the certificate information as needed, and then click Create. The development application creates a new client certificate file and saves it in your project folder at: […]\Documents\InduSoft Web Studio v7.1 Projects\projectname\Config\UAClientCertificate.der
  10. On your OPC UA server, import the self-signed client certificate (from the location given in the previous step) and then reissue it as a signed client certificate. Make sure the certificate is issued with a PEM-format key. Example: In the UA Configuration Tool, click Manage Certificates, and then click Import and Issue Certificate. A standard Open File dialog is displayed. Use the dialog to locate and select the client certificate, and then click Open. The Create Certificate dialog is displayed. Note the Application Name, because this will be the name of the certificate and key files that you create. In the CA Password box, type the password for the CA-signed certificate. In the Key Format list, select PEM. Click OK. The reissued client certificate and key files are created in the server’s certificate store.
  11. Copy the reissued client certificate and key files from the server’s certificate store back to your project folder. These files will replace the existing, self-signed certificate and key files that you created previously.
    1. Find the reissued certificate file. Example: For the OPC UA Sample Server, the file is located at: C:\ProgramData\OPC Foundation\CertificateStores\UA Certificate Authorities\certs\applicationname [IDstring].der
    2. Copy (but do not move) the certificate file to: […]\Documents\InduSoft Web Studio v7.1 Projects\projectname\Config\UAClientCertificate.der
    3. Find the reissued key file. Example: For the OPC UA Sample Server, the file is located at: C:\ProgramData\OPC Foundation\CertificateStores\UA Certificate Authorities\private\applicationname [IDstring].pem
    4. Copy (but do not move) the key file to: […]\Documents\InduSoft Web Studio v7.1 Projects\projectname\Config\UAClientCertificatePrivateKey.pem
Once the certificates have been exchanged — that is, once the server certificate is in the client’s (i.e., your project’s) trust list and the client certificate is in the server’s trust list — the OPC UA connection should be properly configured and ready for secure, two-way communication.
To test the connection, insert a new OPC UA Client worksheet, select the connection you have created, and then try to browse for items on the server.
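As an added illustration (not InduSoft’s or the OPC Foundation’s code), the following Go program models the certificate relationships that steps 1 to 11 set up, using only the standard library: a constructed stand-in for the CA-signed certificate issues the client certificate, and CheckClientPair applies the two checks worth running on the project folder before testing the connection: the reissued UAClientCertificate.der chains to the certificate in Config\IssuerList\Certs, and UAClientCertificatePrivateKey.pem is the key reissued with it rather than the self-signed key left from step 9. The same chain check is what the issuer list performs on the server certificate in Config\TrustList\Certs. The function names, the 2048-bit RSA key size and the one-year validity are assumptions.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"math/big"
	"time"
)

// Issue signs a certificate for name with ca ("Import and Issue Certificate"); a nil ca self-signs, giving the constructed stand-in CA.
func Issue(name string, ca *x509.Certificate, caKey *rsa.PrivateKey) ([]byte, []byte, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048) // assumed key size
	if err != nil { return nil, nil, err }
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(365 * 24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
		IsCA: ca == nil, BasicConstraintsValid: true,
	}
	if ca == nil { // self-signed root: must be permitted to sign other certificates
		tmpl.KeyUsage |= x509.KeyUsageCertSign
		ca, caKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, &key.PublicKey, caKey)
	if err != nil { return nil, nil, err }
	// Returns the DER certificate and the PEM (PKCS#1) key: the two files step 11 copies back into the project.
	keyPEM := pem.EncodeToMemory(&pem.Block{Type: "RSA PRIVATE KEY", Bytes: x509.MarshalPKCS1PrivateKey(key)})
	return der, keyPEM, nil
}

// CheckClientPair validates the project folder after step 11: UAClientCertificate.der must chain to
// the certificate in Config\IssuerList\Certs, and UAClientCertificatePrivateKey.pem must belong to it.
func CheckClientPair(certDER, keyPEM, issuerDER []byte) error {
	cert, err := x509.ParseCertificate(certDER)
	if err != nil { return err }
	issuer, err := x509.ParseCertificate(issuerDER)
	if err != nil { return err }
	roots := x509.NewCertPool() // stands in for the issuer list: only certificates here are trusted signers
	roots.AddCert(issuer)
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	if _, err = cert.Verify(opts); err != nil { return err } // signed by something other than the issuer-list certificate
	blk, _ := pem.Decode(keyPEM)
	if blk == nil { return errors.New("key file is not PEM") }
	key, err := x509.ParsePKCS1PrivateKey(blk.Bytes) // a stale self-signed key from step 9 fails the next check
	if err != nil || !key.PublicKey.Equal(cert.PublicKey) { return errors.New("private key does not match certificate") }
	return nil
}
```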
