This topic describes how to generate a client certificate
using scripts, by running the appropriate commands in the command prompt
or Git Bash, to establish a secure connection from the client
to the server. To ensure compatibility with the OpcUaClient implementation,
the script automatically adds the keyCertSign usage, for signing purposes,
while generating the certificate.
Prerequisites:
- OpenSSL is installed on your system so that you can use the
script file from the default Windows command line.
- The Niagara station is running.
The hostname is the full device name. To find the full device
name in the Windows menu, choose, and in Device Specifications you can find Full device name. Alternatively, from a command
line, type net config workstation and look for the string Full Computer name.
- To generate a certificate, do one of the following:
  - If you are using Windows, open the command prompt, type the
    following command and press Enter.
    gen-opc-client-cert.bat
  - If you are using Linux or WSL, open the command prompt, type
    the following command and press Enter.
    gen-opc-client-cert.sh
Prompts should appear in the Command Prompt (Terminal
or Shell) window.
- Follow the instructions displayed in the window, type the
client hostname and press Enter.

- Type the certificate validity in days and press Enter.
Note: Based on requirements, you can specify the duration of the certificate
validity.
- Type the destination file name in the format .\yourCertName.pem and press Enter.
- Type a random PEM Pass Phrase and press Enter, then verify
the PEM Pass Phrase and press Enter.
The PEM passphrase can be any random passphrase with sufficient
strength. Use the same PEM passphrase throughout the procedure.
- Type the following information and press Enter after each
step.
  - Country Code: the two-character Country Code is required
    and must be a known value, such as: US, IN, CA, FR, DE, ES, etc. (refer
    to the ISO CODE column at countrycode.org).
  - State/Province
  - Locality Name
  - Organization Name: the name of the company.
  - Organizational Unit Name
  - Common Name (CN)
  - Email Address
The message Cert written to the destination is displayed,
and the certificate is generated in the given destination file.
- To import the PEM certificate, open Workbench, expand , and click CertManagerService.
- In the Certificate Management view,
click Import, browse to the destination file,
and enter the password for decrypting the private key.

The Certificate Import wizard opens.

- To change the existing Alias, enter the new Alias name and click OK.
The Private Key Password window opens.

- Type the Password and repeat it in Confirm password (this password encrypts the private key when
it is saved into the key store), then click OK.
The certificate appears as a row in the User
Key Store table.
- To configure the certificate, open the device’s Property Sheet by right-clicking on OpcUaDevice followed by clicking .
The Property Sheet view opens.

- Expand the Security Certificate property,
select the certificate from the Alias drop-down
menu, enter the Password, and click Save.
The certificate is now available for Third-Party servers.
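
Before importing the generated PEM into Workbench, it can be checked with OpenSSL for the keyCertSign usage and the validity period typed at the prompts. The following is an added example, not part of the vendor scripts or of the original page; the function name check_opc_client_cert and the default minimum of one remaining day are assumptions, and it assumes the destination file contains the certificate.

```shell
#!/bin/sh
# Added example (hypothetical helper, not the vendor's script):
# pre-import sanity check for a generated client certificate PEM.
# Usage: check_opc_client_cert <pem-file> [min-days-remaining]
# Returns 0 if all checks pass, 1 otherwise.
check_opc_client_cert() {
    pem="$1"
    min_days="${2:-1}"
    rc=0

    # openssl x509 looks for the CERTIFICATE block in the file.
    if ! text=$(openssl x509 -in "$pem" -noout -text 2>/dev/null); then
        echo "FAIL: $pem does not contain a readable X.509 certificate" >&2
        return 1
    fi

    # 1. OpenSSL prints keyCertSign as "Certificate Sign" on the line
    #    that follows the "X509v3 Key Usage" header.
    if printf '%s\n' "$text" | grep -A1 'X509v3 Key Usage' \
            | grep -q 'Certificate Sign'; then
        echo "OK:   key usage includes keyCertSign"
    else
        echo "FAIL: key usage does not include keyCertSign" >&2
        rc=1
    fi

    # 2. The certificate must still be valid min_days from now.
    if openssl x509 -in "$pem" -noout \
            -checkend $((min_days * 86400)) >/dev/null 2>&1; then
        echo "OK:   valid for at least $min_days more day(s)"
    else
        echo "FAIL: expired, or expires within $min_days day(s)" >&2
        rc=1
    fi

    # 3. Show subject and validity dates so they can be compared with
    #    the values typed at the script prompts.
    openssl x509 -in "$pem" -noout -subject -dates

    return $rc
}

# Stand-alone use: sh check-cert.sh ./yourCertName.pem 30
if [ $# -ge 1 ]; then
    check_opc_client_cert "$@"
fi
```

A non-zero exit status means the file should be regenerated rather than imported.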