Generating an OPC UA client certificate
This topic explains how to generate a client certificate that uses the added URI field to establish a secure connection from the client to the server.
The certificate is used for OPC UA users only.
Prerequisite: Workbench running on a PC or laptop computer.
- To generate a certificate, expand Station > Config > Services > PlatformServices and double-click CertManagerService.
The Certificate Management view opens.

- Click the New button at the bottom of the view.
The Generate Self Signed Certificate window opens.

- Give the certificate at least an Alias, Common Name(CN), Organization, Locality, State/Province, and Country Code.
Use Alias to identify this as an OPC UA certificate.
The Common Name(CN) becomes the Subject (also known as the Distinguished Name). For an OPC UA certificate, the Common Name(CN) may be the same as the Alias.
Organization is the name of the company.
Although Locality and State/Province are not required, leaving them blank generates a warning message.
The two-character Country Code is required and must be a known value, such as: US, IN, CA, FR, DE, ES, etc. (refer to the ISO CODE column at countrycode.org).
Not Before and Not After define the period of validity for the certificate.
For Certificate Usage, the radio button should be set to Server.
- Enter the URI in the Alternate Server URI field; it should be in the format urn:<full.computer.name>:OPCUA:NiagaraOpcUaClient. In the Key Usage set, select the Data encipherment checkbox.
Note:
The full computer name can be found in Control Panel > System & Security > System; it is of the type hostname.domain or, in some cases, just hostname.
When the client connects to the server, the URI provided in the client certificate should match the Application URI for the server. If the URI does not match, the connection fails with the error Bad_CertificateUriInvalid 0x80170000: The URI specified in the Application Description does not match the URI in the certificate.
- When you have filled in the required fields, click OK.
The Private Key Password window opens.

- Enter and confirm the password, then click OK.
The system submits the certificate for processing in the background. A pop-up window appears on your screen advising you that it may take time to generate the certificate. The length of time it takes depends on the key size and the platform’s processing capability. When created, the certificate appears as a row in the User Key Store table.
- To configure the certificate, open the device’s Property Sheet by right-clicking OpcUaDevice and then clicking View > Property Sheet.
The Property Sheet view opens.

- Expand the Security Certificate property, select the certificate from the Alias drop-down menu, enter the Password, and click Save.
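A pre-flight check for the URI and Key Usage settings described above, written as an added example (it is not part of Workbench or of the original topic). It assumes the certificate has been exported and dumped to text with `openssl x509 -noout -text`; the dump, the host name ws01.example.com, and all function names are constructed for illustration.

```python
import re

# Constructed sample: extension section of `openssl x509 -noout -text` output.
SAMPLE_DUMP = """\
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment, Data Encipherment
            X509v3 Subject Alternative Name:
                URI:urn:ws01.example.com:OPCUA:NiagaraOpcUaClient, DNS:ws01.example.com
"""

def extension_value(dump, name):
    """Return the value line that follows an 'X509v3 <name>:' header, or None."""
    m = re.search(r"X509v3 " + re.escape(name) + r":[^\n]*\n\s*([^\n]+)", dump)
    return m.group(1).strip() if m else None

def san_uris(dump):
    """Extract every URI entry from the Subject Alternative Name extension."""
    san = extension_value(dump, "Subject Alternative Name") or ""
    return [e.strip()[4:] for e in san.split(",") if e.strip().startswith("URI:")]

def expected_uri(full_computer_name):
    """Build the URI in the format this topic gives for the Alternate Server URI field."""
    return f"urn:{full_computer_name}:OPCUA:NiagaraOpcUaClient"

def check_client_cert(dump, full_computer_name):
    """Return a list of problems; an empty list means both checks pass."""
    problems = []
    want = expected_uri(full_computer_name)
    uris = san_uris(dump)
    if not uris:
        problems.append("no URI entry in Subject Alternative Name")
    elif want not in uris:  # exact string comparison, the conservative choice
        problems.append(f"URI mismatch: certificate has {uris}, expected {want}")
    usages = [u.strip() for u in (extension_value(dump, "Key Usage") or "").split(",")]
    if "Data Encipherment" not in usages:
        problems.append("Key Usage lacks Data Encipherment")
    return problems

if __name__ == "__main__":
    # Second host name shows the hostname.domain vs. plain hostname mismatch.
    for host in ("ws01.example.com", "ws01"):
        print(host, check_client_cert(SAMPLE_DUMP, host) or "OK")
```

A URI mismatch reported here is the condition that surfaces at connection time as Bad_CertificateUriInvalid, so it is cheaper to catch before the certificate is assigned to the device.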