Connect to an OPC UA server using self-signed certificates

This task describes how to configure the OPC UA server and client to communicate securely using self-signed certificates.

This task is a supplement to the previous task, Configure an OPC UA Client worksheet. It assumes that you have already created a new OPC UA connection and are now configuring the security settings for that connection.

A self-signed certificate is a certificate signed by the person or organization that uses it. In most cases, it is safe to use only when you directly control both the server and the client. If you do not directly control both, you should consider using certificates signed by a trusted Certificate Authority (CA) instead.

Please note that in this task, “OPC UA server” is a generic reference to any of the available hardware or software products that can run as an OPC UA server. For more information about how to complete certain steps, you should consult the manufacturer’s documentation for your specific server. We have included examples based on the free OPC UA Sample Server and UA Configuration Tool offered by the OPC Foundation, but these examples should be used only as a guideline.

To connect to an OPC UA server using self-signed certificates:

  1. On your OPC UA server, create a new, self-signed certificate for the server application. If there is an old server certificate in the certificate store, you may be prompted to overwrite or delete it. It should be safe to do so as long as there are no other clients connected to the server. Example: Run the UA Configuration Tool. Click Manage Application. In the Application To Manage list, make sure Opc.Ua.SampleServer is selected, and then click Create Application Certificate. The Create Certificate dialog box is displayed. Configure the certificate settings as desired, but leave the CA Key File and CA Password boxes empty; that is what will make the certificate self-signed. Click OK to create the new certificate, and then restart the OPC UA Sample Server to make sure it uses the certificate.
  2. In InduSoft Web Studio, in the UA Server Configuration dialog box, click Security. The Security Settings dialog box is displayed.
    Figure 1. Security Settings dialog box
    Web Studio Help dialog opcua security Connect to an OPC UA server using self signed certificates

  3. In the Message Security Mode and Security Policy lists, select the settings required by your OPC UA server. In a typical configuration, Message Security Mode is Sign and Encrypt and Security Policy is Basic128Rsa15.
  4. Click Trust server certificate. In most cases, you do not need to change the Trust List or Issuer Certificate List settings. These are the default locations in your project folder where certificates are stored. You might change the locations if, for example, you have a single folder where you store certificates from several different programs, but we do not recommend it. The development application attempts to connect to the OPC UA server, and if it is successful, it gets the server certificate. A warning message is displayed, asking you to confirm that you trust the server certificate.
  5. Click OK to confirm. The server certificate file is copied to your project folder at: […]DocumentsInduSoft Web Studio v7.1 ProjectsprojectnameConfigTrustListCertsconnectionname.der
  6. Click Create self-signed certificate. The Certificate Creation dialog box is displayed.
  7. In the Certificate Creation dialog box, complete the certificate information as needed, and then click Create. The development application creates a new client certificate file and saves it in your project folder at: […]DocumentsInduSoft Web Studio v7.1 ProjectsprojectnameConfigUAClientCertificate.der
  8. On your OPC UA server, import the client certificate (from the location given in the previous step) into the server’s trust list. Example: In the UA Configuration Tool, click Manage Security, and then click Import Certificate to Trust. A standard Open File dialog box is displayed. Use the dialog box to locate and select the client certificate, and then click Open. You will be asked to confirm the import. Click Yes.
Once the certificates have been exchanged — that is, once the server certificate is in the client’s (i.e., your project’s) trust list and the client certificate is in the server’s trust list — the OPC UA connection should be properly configured and ready for secure, two-way communication.
To test the connection, insert a new OPC UA Client worksheet, select the connection you have created, and then try to browse for items on the server.

Connect to an OPC UA server using self-signed certificates