
Certificates

A certificate is a digitally signed data structure that describes the capabilities of a Client or Server and binds its public key to its identity.

 

The OPC UA certificate handling allows

Open the certificate handling by clicking OPC UA Certificate in the Driver tab of the system management.

Note

To display certificate information and to create certificates, the openssl command must be in the path (system PATH environment variable).

Accept Certificates

On the server you decide whether a client certificate is accepted; on the client you decide whether a server certificate is accepted.

Technically, accepting a certificate moves it from the "rejected" directory to the "certs" directory. For the meaning of the individual directories see Management and Formats.

ETM certificates for client and server are delivered with WinCC OA:

- PVSS_UA_defaultclient.der, PVSS_UA_server.der, PVSS_UA_server.pem and PVSS_UA_defaultclient.pem;

- Version 3.11 and greater: WinCC_OA_UA_Client.der, WinCC_OA_UA_Server.der, WinCC_OA_UA_server.pem and WinCC_OA_UA_Client.pem.

These can be found in the WinCC OA installation directory under \data\opcua\client\PKI\CA\ in the corresponding directories (see Management and Formats). Because these delivered certificates and their private keys (.pem files) are identical on every WinCC OA installation, accepting one of them only shows that the peer runs WinCC OA, not which installation it is; for production systems, create installation-specific certificates (see Create Client / Server Certificate).

 

Figure: "Accept Certificates" tab


 

The list on the left shows all certificates that are not accepted; these are in the "rejected" directory.
The list on the right shows all certificates that are accepted; these are in the "certs" directory.

To move a certificate from one list (and directory) to the other, select it and click the reject certificate or accept certificate button.

Note

After a certificate has been moved from the "Accepted" list back to the "Not Accepted" list, the OPC UA Client must be restarted. Rejecting the certificate does not tear down an existing connection, so otherwise the client stays connected to the old server.

Once a certificate is accepted, its details are displayed at the bottom of the panel ("Certificate Details").

 

The client and the server check their peer's certificate and store it in the separate "rejected" directory if it is unknown. For example, if the client does not know the server, the client stores the server's certificate file in the client/PKI/CA/rejected directory.

For both the client and the server, the location of the certificate directory can be changed with the certificateStore config entry.

Note

Both client and server need write access to the "rejected" directory. The user interface additionally needs write access to the "certs" directory in order to accept certificates. Since every file written to "certs" becomes trusted, grant write access to that directory only to the accounts that actually manage trust.

Certificates are also exchanged in the SecureChannel services when the security setting is None. A certificate is therefore always exchanged, even when working without a security setting. If the server certificate is not yet known on the client, the user must accept it manually there.

Accepting a certificate in the panel is only a trust decision; it does not validate the certificate. Validation of the certificate itself is carried out automatically by the communication stack or SDK.
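The accept/reject flow above is a matter of moving files between the "rejected" and "certs" directories of the PKI store. The following script shows that flow with the two checks a practitioner wants around it: the thumbprint of the file in "rejected" is compared with the one shown on the peer before the move (everything in "rejected" was written there by an as yet untrusted peer), and the "private" directory is checked for keys readable by other users. This is an added example, not WinCC OA code; it assumes the directories certs/, crl/ (certificate revocation lists), private/ and rejected/ below one store root as on this page, and it works on constructed dummy .der and .pem files because only the file move, the file hash and the file mode matter here.

```python
"""Trust-store operations on the OPC UA PKI directory layout described above.

Added example, not WinCC OA code. Assumes certs/, crl/, private/ and rejected/
below one store root and uses constructed dummy files (no real certificates).
"""
import hashlib
import os
import shutil
import tempfile
from pathlib import Path

SUBDIRS = ("certs", "crl", "private", "rejected")  # layout assumed from the page


class PkiStore:
    def __init__(self, root):
        self.root = Path(root)
        for d in SUBDIRS:
            (self.root / d).mkdir(parents=True, exist_ok=True)

    def rejected(self):
        """Left list of the panel: certificates waiting in rejected/."""
        return sorted(p.name for p in (self.root / "rejected").glob("*.der"))

    def accepted(self):
        """Right list of the panel: certificates trusted because they are in certs/."""
        return sorted(p.name for p in (self.root / "certs").glob("*.der"))

    def fingerprint(self, filename, subdir="rejected"):
        """SHA-256 thumbprint of a certificate, i.e. the hash of its DER bytes;
        'openssl x509 -inform DER -fingerprint -sha256' prints the same value
        with colons between the bytes."""
        data = (self.root / subdir / filename).read_bytes()
        return hashlib.sha256(data).hexdigest().upper()

    def accept(self, filename, thumbprint_shown_by_peer):
        """Move rejected/<filename> to certs/, but only if the thumbprint computed
        from the file matches the one the operator read off the peer. Accepting on
        file name alone would be trust-on-first-use of whatever connected."""
        src = self.root / "rejected" / filename
        if not src.is_file():
            raise FileNotFoundError(f"{filename} is not in the rejected directory")
        expected = thumbprint_shown_by_peer.replace(":", "").upper()
        if self.fingerprint(filename) != expected:
            raise ValueError(f"thumbprint mismatch, not accepting {filename}")
        shutil.move(str(src), str(self.root / "certs" / filename))

    def reject(self, filename):
        """Move certs/<filename> back to rejected/. An existing session is not
        torn down by this; the OPC UA client must be restarted (note above)."""
        src = self.root / "certs" / filename
        if not src.is_file():
            raise FileNotFoundError(f"{filename} is not in the certs directory")
        shutil.move(str(src), str(self.root / "rejected" / filename))
        return "restart the OPC UA client so the rejection takes effect"

    def exposed_private_keys(self):
        """POSIX check of the rule that private/ is readable only by authorized
        users: .pem files with any group/other permission bit set. Returns []
        on Windows, where the NTFS ACLs set by the administrator apply instead."""
        if os.name != "posix":
            return []
        return sorted(p.name for p in (self.root / "private").glob("*.pem")
                      if os.stat(p).st_mode & 0o077)


def demo():
    """Run the accept / reject flow on a temporary store with constructed files."""
    with tempfile.TemporaryDirectory() as tmp:
        store = PkiStore(tmp)
        # Constructed stand-in for the file an unknown server left behind on first contact.
        (store.root / "rejected" / "Unknown_Server.der").write_bytes(
            b"\x30\x82\x00\x10constructed-not-a-real-certificate")
        shown = store.fingerprint("Unknown_Server.der")
        try:
            store.accept("Unknown_Server.der", "00" * 32)  # operator compared a different value
            wrong_refused = False
        except ValueError:
            wrong_refused = True
        store.accept("Unknown_Server.der", shown)
        after_accept = (store.rejected(), store.accepted())
        message = store.reject("Unknown_Server.der")
        after_reject = (store.rejected(), store.accepted())
        # Constructed key files: one with permissions the rule forbids, one correct.
        for name, mode in (("weak.pem", 0o644), ("good.pem", 0o600)):
            p = store.root / "private" / name
            p.write_bytes(b"-----BEGIN PRIVATE KEY-----\nconstructed\n-----END PRIVATE KEY-----\n")
            os.chmod(p, mode)
        return {
            "wrong_thumbprint_refused": wrong_refused,
            "after_accept": after_accept,
            "after_reject": after_reject,
            "reject_message": message,
            "exposed": store.exposed_private_keys(),
            "posix": os.name == "posix",
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The thumbprint comparison is the step the panel leaves to the operator: the file in "rejected" only proves that something presented that certificate, and the value to compare against must come from the peer through another channel (the server's own certificate display, or the administrator who issued it).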

Create Client / Server Certificate

The WinCC OA certificate handling panel can create self-signed client/server certificates. With these, access to the server can be restricted to selected clients.

If certificates are issued by a CA (Certificate Authority), typically operated by an IT administrator, they must use the preset file extensions and formats according to the OPC UA specification.

Self-signed certificates contain the parameters shown in the figure below (example configuration).

Please note that:

  • All input fields must be filled.

  • The certificate name has to be entered without file extension.

  • The certificate name may not contain blanks and/or special characters (/ \ ; ? < > * | : " ').

Click "Create Certificate" to create it. The certificate is stored in the data\opcua\client\PKI\CA\certs directory and is therefore accepted automatically.

To delete a certificate, delete its file manually from the corresponding directory.

 

Figure: Tab for client certificate creation

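The creation procedure above (all fields filled in, name without extension and without blanks or special characters, openssl on the PATH, .der into certs and the private key .pem into private) carried out with the openssl command line, as an added example. This is not the panel's own code and the openssl invocation is the generic CLI, not what the panel runs. Assumed here and not stated on this page: the subject fields C, ST, L, O, OU and CN, an RSA-2048 key, a SHA-256 signature and 365 days of validity. The cert_info helper shows what the certificate details view needs openssl for.

```python
"""Self-signed client/server certificate creation with openssl, following the
input rules of the panel. Added example, not WinCC OA code; subject fields,
key size, digest and validity period are assumed values.
"""
import os
import re
import shutil
import subprocess
import tempfile
from pathlib import Path

# Characters the panel forbids in a certificate name, plus blanks.
FORBIDDEN = re.compile(r'[\s/\\;?<>*|:"\']')
SUBJECT_FIELDS = ("C", "ST", "L", "O", "OU", "CN")  # assumed field set


def check_inputs(name, subject):
    """Return the list of rule violations for a name and subject dict (empty = OK)."""
    problems = []
    if not name or FORBIDDEN.search(name):
        problems.append("certificate name is empty or contains blanks/special characters")
    if name.lower().endswith((".der", ".pem")):
        problems.append("certificate name must be entered without file extension")
    problems += [f"field {f} must be filled in" for f in SUBJECT_FIELDS if not subject.get(f)]
    return problems


def create_self_signed(store_root, name, subject, days=365, bits=2048):
    """Create <name>.der in certs/ and the matching private key <name>.pem in
    private/ with the openssl CLI; returns both paths. days/bits are assumed defaults."""
    problems = check_inputs(name, subject)
    if problems:
        raise ValueError("; ".join(problems))
    if shutil.which("openssl") is None:
        raise RuntimeError("the openssl command must be in the system PATH")
    root = Path(store_root)
    certs, private = root / "certs", root / "private"
    certs.mkdir(parents=True, exist_ok=True)
    private.mkdir(parents=True, exist_ok=True)
    der, key = certs / f"{name}.der", private / f"{name}.pem"
    subj = "".join(f"/{f}={subject[f]}" for f in SUBJECT_FIELDS)
    with tempfile.TemporaryDirectory() as tmp:
        pem_cert = Path(tmp) / "cert.pem"
        # Key and self-signed certificate in one step; the certificate comes out as PEM.
        subprocess.run(["openssl", "req", "-x509", "-newkey", f"rsa:{bits}", "-nodes",
                        "-sha256", "-days", str(days), "-subj", subj,
                        "-keyout", str(key), "-out", str(pem_cert)],
                       check=True, capture_output=True)
        # certs/ holds DER, so convert the PEM certificate.
        subprocess.run(["openssl", "x509", "-in", str(pem_cert), "-outform", "DER",
                        "-out", str(der)], check=True, capture_output=True)
    if os.name == "posix":
        os.chmod(key, 0o600)  # private/ must be readable by authorized users only
    return der, key


def cert_info(der_path):
    """Subject, expiry and SHA-256 thumbprint of a DER certificate as text, the
    information the certificate details view needs openssl for."""
    out = subprocess.run(["openssl", "x509", "-in", str(der_path), "-inform", "DER",
                          "-noout", "-subject", "-enddate", "-sha256", "-fingerprint"],
                         check=True, capture_output=True, text=True)
    return out.stdout


def demo():
    """Exercise the input rules and, if openssl is available, a real creation."""
    subject = {"C": "AT", "ST": "Example", "L": "Example", "O": "Example Org",
               "OU": "OPC UA", "CN": "Example_UA_Client"}  # constructed sample input
    result = {"openssl": shutil.which("openssl") is not None,
              "bad_name_refused": bool(check_inputs("my server.der", subject)),
              "missing_field_refused": bool(check_inputs("Example_UA_Client", {**subject, "OU": ""}))}
    if not result["openssl"]:
        return result
    with tempfile.TemporaryDirectory() as tmp:
        der, key = create_self_signed(tmp, "Example_UA_Client", subject)
        result["der_is_sequence"] = der.read_bytes()[:1] == b"\x30"  # DER starts with SEQUENCE
        result["key_is_pem"] = key.read_text().startswith("-----BEGIN")
        result["info"] = cert_info(der)
    return result


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

The certificate lands in certs/ and is therefore trusted immediately, exactly as the panel does it; the one thing the panel leaves to the administrator, the file permissions on private/, is done here with chmod on POSIX and has to be done with NTFS ACLs on Windows.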

Management and Formats

Server

On the WinCC OA OPC UA server the certificates are stored in the file system in the following WinCC OA installation directory:

 

Figure: File structure on the OPC UA server


The following table describes the intended use of the individual directories:

certs
Here the files with the .der extension are stored. These files are X.509 certificates, which contain the public key.

crl
Here the revocation information of a CA (Certificate Authority) is stored: certificates issued by the CA that are to be rejected intentionally although the CA itself is accepted.

Example: All certificates of the CA xyz are accepted except those listed in this directory.

private
Here the files with the .pem extension are stored. These files contain the private keys belonging to the certificates in certs and must be accessible only to authorized users at file level (the IT administrator defines the corresponding access rights).

rejected
Here all rejected certificates are stored. Copying a certificate from here to the certs directory at file level makes it trusted. Every file here was written by an as yet untrusted peer, so compare its thumbprint with the one shown on the peer before copying it. These files should be accessible only to authorized users.

The certificates of the client and of the server are stored in the directories above. The server's certificate must be named like the internal data point of the type _OPCUAPvssServer.

Client

As on the server, the certificates on the client are stored in the file system within the WinCC OA installation directory. The meaning and the content of the directories are the same as on the server.

In the following directories the certificates of the client(s) are stored.

 

Figure: File structure on the WinCC OA OPC UA client

 


V 3.11 SP1

Copyright ETM professional control GmbH 2013 All Rights Reserved