Generating a valid server certificate for an OPC UA server is very similar to generating a new certificate for a web server. However, the OPC UA certificate requires some additional information in the certificate signing request (CSR), which must be included in the certificate's "Alternative Name" section under URL. For general details on how to create the CSR using Windows Certificate Manager as a custom request, refer to third party websites such as https://knowledge.digicert.com/solution/generate-a-csr-via-mmc-certificate-snap-in-using-windows as relevant for your version of Windows.
Required Configuration
When creating a custom request in the CSR process, while entering the certificate's properties, select URL under the alternative name section and add "urn:server", where "server" is the domain name and/or IP addresses of the machine that hosts the certificate. See below for an example request field (without all the other mandatory fields such as country, organisation, etc.) of a server called "testserver" and an IP address of 192.168.0.1 with the mandatory URL fields. The URL entry fields do not need to match 1-to-1 with the configured common name (CN) or any IP addresses in the certificate. You should ensure that the URL fields include any access method that the OPC UA client will use so the certificate is valid, which means you may need to add multiple URL entries.
When the certificate is generated from the request and loaded back into Certificate Manager, it should now contain the necessary information allowing the certificate to be loaded into Geo SCADA as the OPC UA server certificate.
The generated certificate can also be used within IIS as a web site certificate, assuming the necessary fields are valid for that too.
For the client to trust the generated certificate, ensure that the client also has the necessary root and intermediate CA certificates installed that were used to generate the server certificate.
Your organisation or the issuer of the server certificate may have specific guidance on what other fields are necessary to include within the CSR.
Additional Information
Generating the CSR via Certificate Manager's "Create Custom Request" should create a certificate with the necessary properties, on top of the URL info required above. However, should the certificate still not be valid, the following are the full requirements of the server certificate:
The certificate has a private key
The private key is exportable
The certificate's "Enhanced Key Usage" contains "Server Authentication"
The certificate contains a Subject Alternative Name
The Subject Alternative Name contains a URL of the current machine (e.g. it is expected that a URL similar to "URL=urn:testserver" is specified)
The certificate's Subject Key Identifier (SKI) and Authority Key Identifier (AKI) match. For self-signed certificates, the AKI should be the same as the certificate's own SKI. Otherwise, the AKI should be the SKI of the issuer.
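The requirements listed above can be checked against an installed certificate with a short PowerShell script. This is an added example, not Geo SCADA or vendor code, and it does not test whether the private key is exportable. It assumes the certificate is in the Local Machine "Personal" store, that you supply its thumbprint, and that Windows is English-language (the "URL=" and "KeyID=" labels are localized).

```powershell
# Added example (not vendor code): report on the OPC UA server certificate requirements.
param(
    [Parameter(Mandatory = $true)] [string] $Thumbprint,  # certificate to check (you supply this)
    [string] $ExpectedUrl = 'urn:testserver'              # the page's example SAN URL
)

$cert = Get-Item -Path "Cert:\LocalMachine\My\$Thumbprint" -ErrorAction Stop

# Look up an extension by OID; returns $null when the extension is absent.
function Get-Ext([string] $Oid) {
    $cert.Extensions | Where-Object { $_.Oid.Value -eq $Oid } | Select-Object -First 1
}

# Enhanced Key Usage must list Server Authentication (1.3.6.1.5.5.7.3.1).
$eku = Get-Ext '2.5.29.37'
$serverAuth = $false
if ($eku) { $serverAuth = @($eku.EnhancedKeyUsages | ForEach-Object { $_.Value }) -contains '1.3.6.1.5.5.7.3.1' }

# Subject Alternative Name must carry the expected URL entry.
# Assumption: English-language Windows, where Format() labels URI entries "URL=".
$san = Get-Ext '2.5.29.17'
$sanText = ''
if ($san) { $sanText = $san.Format($true) }
$urlFound = $sanText -match ('(?m)^\s*URL=' + [regex]::Escape($ExpectedUrl) + '\s*$')

# AKI must equal the certificate's own SKI when self-signed, otherwise the issuer's SKI.
$aki = Get-Ext '2.5.29.35'
$akiText = ''
if ($aki) { $akiText = $aki.Format($false) -replace '\s', '' }   # assumed form: "KeyID=<hex>"
if ($cert.Subject -eq $cert.Issuer) {
    $signer = $cert
} else {
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    [void] $chain.Build($cert)   # needs the issuing CA certificates installed locally
    $signer = if ($chain.ChainElements.Count -gt 1) { $chain.ChainElements[1].Certificate } else { $null }
}
$signerSki = $null
if ($signer) { $signerSki = ($signer.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.14' }).SubjectKeyIdentifier }
$akiOk = [bool]($signerSki -and ($akiText -match ('KeyID=' + [regex]::Escape($signerSki))))

[pscustomobject]@{
    Subject             = $cert.Subject
    HasPrivateKey       = $cert.HasPrivateKey
    ServerAuthInEku     = $serverAuth
    SanPresent          = [bool]$san
    SanHasExpectedUrl   = $urlFound
    AkiMatchesSignerSki = $akiOk
}
```

Run it once per URL the OPC UA client will use, passing each value through `-ExpectedUrl`; any `False` in the output points at the requirement to correct in the CSR.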