Setting up certificate based authentication
Certificate-based authentication is a technique that allows one machine to securely identify itself to another across a network connection, using a certificate called a public-key certificate.
You need CA and Intermediate certificates, or a self-signed certificate, to use in this procedure. Refer to “Generating an OPC UA Client Certificates” for instructions.
Niagara 4.14 or later version is required to support the latest client certificate authentication in the OpcUa Server driver.
Using Signed Certificates
- Import the CA and Intermediate certificates into the User Trust Store of the station’s CertManagerService and the User Trust Store of Workbench.
- Create a client certificate in the station’s CertManagerService and sign the client certificate by any one of the CA or Intermediate certificates.
- Export public key and private key of the client certificate.
- For further communication with the server, send the public-key and private-key files of the client certificate to the client. By default, the public key is exported in PEM format. The client needs to convert the public key into the format its OPC UA stack requires by using the openssl command, and then use that certificate as the user identity credential.
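As an added example (not part of the Niagara documentation), the following Python helper converts the exported PEM public-key certificate into DER, the binary form that OPC UA client stacks commonly expect (the DER assumption and all file contents are the example's own; check what your client actually requires). It also rejects a private-key file passed by mistake and prints a SHA-256 fingerprint in the same form as `openssl x509 -noout -fingerprint -sha256`, so the converted file can be checked against the certificate exported from the station before it is used as the identity credential.

```python
import base64
import hashlib
import re

# Matches one PEM block: "-----BEGIN <LABEL>-----" ... "-----END <LABEL>-----"
_PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z ]+)-----\s*(.*?)\s*-----END \1-----", re.DOTALL
)


def pem_to_der(pem_text: str) -> list:
    """Return the DER bytes of every CERTIFICATE block in a PEM file.

    A PEM export may hold a whole chain (client certificate followed by the
    intermediate), so a list is returned; the first entry is the leaf.
    A PRIVATE KEY block is rejected: that file is never the certificate the
    client presents as its identity, and should not be handed around as one.
    """
    ders = []
    for label, body in _PEM_BLOCK.findall(pem_text):
        if "PRIVATE KEY" in label:
            raise ValueError("PEM contains a private key; use the certificate file")
        if label != "CERTIFICATE":
            continue  # ignore unrelated blocks (e.g. CERTIFICATE REQUEST)
        ders.append(base64.b64decode("".join(body.split()), validate=True))
    if not ders:
        raise ValueError("no CERTIFICATE block found in PEM input")
    return ders


def sha256_fingerprint(der: bytes) -> str:
    """Colon-separated upper-case SHA-256 fingerprint of the DER bytes."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


# Constructed sample: a 5-byte DER SEQUENCE stands in for a real certificate
# body so the example runs offline; a real export holds a full X.509 structure.
SAMPLE_PEM = """-----BEGIN CERTIFICATE-----
MAMCAQU=
-----END CERTIFICATE-----
"""

if __name__ == "__main__":
    leaf = pem_to_der(SAMPLE_PEM)[0]
    with open("client.der", "wb") as out:  # assumed output file name
        out.write(leaf)
    print(len(leaf), "DER bytes written, SHA-256", sha256_fingerprint(leaf))
```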
Using Trusted Self-Signed Certificates
- Import the client certificate into the User Trust Store of the station’s CertManagerService.
- Create a connection from the client using that certificate as the user identity credential.
Using Self-Signed Certificates from an allowed host
- Attempt a connection from the client using a certificate as the user identity credential.
- Approve the certificate exemption for that host in the Allowed Hosts section of the station’s CertManagerService.
- Ping the server from the device again to establish the connection.