A certificate is a digitally signed data structure that describes capabilities of a Client or Server.
The OPC UA certificate handling allows
Open the certificate handling with a click on OPC UA Certificate in the Driver tab of the System Management.

Note: For the certificate information view and the creation of certificates to work correctly, the command openssl must be in the path (system PATH environment variable).

Accept Certificates

On the server it is possible to decide whether a client certificate should be accepted or not. From a technical point of view, a certificate that should be accepted is moved from the "rejected" directory to the "certs" directory. For the meaning of the specific directories see Management and Formats.

ETM certificates for client and server are delivered with WinCC OA:
- PVSS_UA_defaultclient.der, PVSS_UA_server.der, PVSS_UA_server.pem and PVSS_UA_defaultclient.pem;
- Version 3.11 and greater: WinCC_OA_UA_Client.der, WinCC_OA_UA_Server.der, WinCC_OA_UA_server.pem and WinCC_OA_UA_Client.pem.

These can be found in the WinCC OA installation directory under \data\opcua\client\PKI\CA\ in the corresponding directories (see Management and Formats).
Figure: "Accept Certificates" tab

In the list on the left all certificates that are not accepted are shown. These can be found in the "rejected" directory. To move the certificates from one list (or directory) to the other, select the specific certificate and use the buttons (reject certificate) and (accept certificate).

Note: When a certificate is moved from the "Accepted" list back to the "Not Accepted" list, the OPC UA Client has to be restarted afterwards. Otherwise the client remains connected to the old server.

If a certificate is accepted, the certificate details are displayed at the bottom of the panel ("Certificate Details").

The client and the server check the certificates of their partners and store them in a separate "rejected" directory if they are unknown. For example, if the client does not know the server, it stores a certificate file in the client/PKI/CA/rejected directory. For both the client and the server, the location of the certificate directory can be changed with the certificateStore config entry.

Note: Both client and server must have write rights to the "rejected" directory. The user interface additionally needs write rights to the "certs" directory in order to accept certificates.

In the scope of the SecureChannel services, certificates are also exchanged when the security setting is set to None. This means a certificate is always exchanged, even if the user is working without a security setting. The certificate of the server must be accepted manually by the user on the client if it is not yet known there. However, a validation of the certificates does not take place at this point. This procedure is carried out automatically by the communication stack or SDK.

Create Client / Server Certificate

The WinCC OA panel for certificate handling provides the creation of self-signed client/server certificates. In this way only selected clients can access the server. If certificates are created by a CA (Certificate Authority), typically an IT administrator, they must have the preset file extensions/formats according to the OPC UA specification.
Self-signed certificates contain the parameters shown in the figure below (example of a configuration). Please note that:
Click on "Create Certificate" to create it. The certificate is stored in the data\opcua\client\PKI\CA\certs directory and is therefore accepted automatically. To delete a certificate, it must be removed manually from the corresponding directory.
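Because accepting a certificate is nothing more than moving a file from "rejected" to "certs" and, as noted above, no validation takes place at that point, an operator should compare the certificate's fingerprint with a value confirmed out of band (e.g. with the administrator of the peer) before moving it. The following helper is an added example, not part of WinCC OA; it assumes a PKI\CA base directory with the "rejected" and "certs" subdirectories described on this page and handles both the .der and the .pem files WinCC OA ships, without needing openssl:

```python
import base64
import hashlib
import shutil
from pathlib import Path

PEM_BEGIN = b"-----BEGIN CERTIFICATE-----"
PEM_END = b"-----END CERTIFICATE-----"


def cert_der_bytes(path: Path) -> bytes:
    """Return the DER encoding of a .der or .pem certificate file."""
    data = path.read_bytes()
    if PEM_BEGIN in data:
        body = data.split(PEM_BEGIN, 1)[1].split(PEM_END, 1)[0]
        return base64.b64decode(b"".join(body.split()))
    return data


def sha256_fingerprint(path: Path) -> str:
    """SHA-256 fingerprint in the colon-separated form openssl x509 -fingerprint -sha256 prints."""
    digest = hashlib.sha256(cert_der_bytes(path)).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def list_rejected(pki_ca: Path) -> dict:
    """Map every file in rejected/ to its fingerprint, for comparison with the value confirmed out of band."""
    rejected = pki_ca / "rejected"
    return {p.name: sha256_fingerprint(p) for p in sorted(rejected.iterdir()) if p.is_file()}


def accept_certificate(pki_ca: Path, name: str, expected_fingerprint: str) -> bool:
    """Move rejected/<name> to certs/ only if its fingerprint matches the expected one.

    Returns False (and leaves the file in rejected/) on a mismatch or if the file does not exist.
    """
    src = pki_ca / "rejected" / name
    if not src.is_file():
        return False
    if sha256_fingerprint(src) != expected_fingerprint.strip().upper():
        return False
    dst = pki_ca / "certs" / name
    dst.parent.mkdir(parents=True, exist_ok=True)
    shutil.move(str(src), str(dst))
    return True
```

Run list_rejected() first, read the fingerprint to the peer's administrator, and call accept_certificate() with the confirmed value; a mismatching file stays in "rejected" and the OPC UA connection stays refused.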
Figure: Tab for client certificate creation

Management and Formats

Server

On the WinCC OA OPC UA server the certificates are stored in the file system in the following WinCC OA installation directory:
Figure: File structure on the OPC UA server

The following table describes the intended use of the specific directories:
In the mentioned directories the certificates of the client and server are stored. The server's certificate must be named like the internal data point of the type _OPCUAPvssServer.

Client

As on the server, the certificates on the client are also stored in the file system within the WinCC OA installation directory. The meaning and the content of the directories are the same as on the server. The certificates of the client(s) are stored in the following directories:
Figure: File structure on the WinCC OA OPC UA client
V 3.11 SP1
Copyright ETM professional control GmbH 2013 All Rights Reserved