

On the OPC UA security page you can manage OPC UA certificates for the client and server. Trusted certificates can be imported and quarantined certificates can be marked as trusted. 




Trusted Certificates on the Client

When viewing the Client tab, you’re viewing the certificates trusted by the Gateway, as a UA client. In the screenshot below, you can see that this client trusts the certificate named "Ignition OPC UA Server."


Trusted Certificates on the Server

When viewing the Server tab, you’re viewing the certificates trusted by the server, meaning the Gateway's OPC UA server. In the screenshot below, you can see that this server trusts the certificate named "Ignition OPC UA Client."


Upload a Trusted Certificate 

The steps for uploading trusted certificates are the same whether you're on the Client tab or the Server tab. To upload a trusted certificate, do the following.

  1. On the Gateway Webpage, select OPC UA > Security.
  2. Click the Client tab or Server tab, depending on which certificate you're uploading.
  3. Click the Browse button.
  4. Navigate to the location of the certificate on your system and click Open. (Alternatively, you can drag the certificate file onto the page where it says "Drag files here.")
  5. If the upload was successful, you'll see the name of the certificate and the message "Upload Successful!" The certificate will appear in the Trusted Certificates list.


Download a Trusted Certificate

To download a trusted certificate, do the following.

  1. Next to the certificate name, click the Download icon.
  2. The certificate is downloaded to your system by your web browser. 

Delete a Trusted Certificate 

To delete a trusted certificate, do the following.

  1. Next to the certificate name, click the Delete action button.
  2. The certificate is deleted. 

To view more information about a trusted certificate, click the More Info icon.

OPC UA Security Page Details

Trusted Certificates

Common Name: Name of the certificate.
SHA-1 Fingerprint: The SHA-1 (Secure Hash Algorithm 1) fingerprint is the unique identifier of the certificate.
Expiration: Date the certificate will expire.

Additional Information

CN: Common Name
O: Organization, usually the legal incorporated name of a company.
OU: Organizational Unit
L: Locality (Town or City)
ST: State
C: Country, the two-letter ISO code for the country where the organization is located (i.e., CA for California).


Quarantined Certificates

If you import a certificate that is not trusted, it will appear on the Quarantined Certificates list. 

Accept a Quarantined Certificate 

To accept a quarantined certificate, do the following:

  1. Next to the certificate name, click the Trust action button.
  2. The certificate is accepted and will appear in the Trusted Certificates list. 
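
Before a quarantined certificate is trusted, the SHA-1 fingerprint shown on this page can be compared with the fingerprint of the certificate file supplied by the owner of the other endpoint. The following is an added example, not Ignition code: the function names are hypothetical, the sample bytes are constructed placeholders, and it goes slightly beyond the page by accepting both PEM and DER files.

```python
import base64
import hashlib
import hmac
import re

PEM_RE = re.compile(
    rb"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

def to_der(data: bytes) -> bytes:
    """Return DER bytes from a certificate file that is PEM or already DER."""
    match = PEM_RE.search(data)
    if match:
        return base64.b64decode(b"".join(match.group(1).split()))
    if data[:1] != b"\x30":  # a DER certificate starts with a SEQUENCE tag
        raise ValueError("not a PEM or DER certificate")
    return data

def sha1_fingerprint(data: bytes) -> str:
    """SHA-1 over the DER encoding, as colon-separated upper-case hex."""
    digest = hashlib.sha1(to_der(data)).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))

def normalize(fingerprint: str) -> str:
    """Drop separators and case so differently formatted values compare."""
    hexits = re.sub(r"[^0-9A-Fa-f]", "", fingerprint).lower()
    if len(hexits) != 40:
        raise ValueError("a SHA-1 fingerprint has 40 hex digits")
    return hexits

def matches(cert_file_bytes: bytes, expected_fingerprint: str) -> bool:
    """True only if the file's fingerprint equals the value obtained
    out of band from the certificate's owner."""
    actual = normalize(sha1_fingerprint(cert_file_bytes))
    return hmac.compare_digest(actual, normalize(expected_fingerprint))

# Constructed sample: placeholder bytes standing in for a DER certificate
# (only the leading SEQUENCE tag is realistic; it is not a valid certificate).
SAMPLE_DER = b"\x30\x0c" + b"constructed!"
SAMPLE_PEM = (b"-----BEGIN CERTIFICATE-----\n"
              + base64.encodebytes(SAMPLE_DER)
              + b"-----END CERTIFICATE-----\n")

if __name__ == "__main__":
    shown = sha1_fingerprint(SAMPLE_DER)
    # The same certificate in PEM form, checked against a reformatted value.
    print(shown, matches(SAMPLE_PEM, shown.replace(":", " ").lower()))
```

The fingerprint is computed over the DER bytes, so a PEM copy and a DER copy of the same certificate give the same value; a mismatch means the file is not the certificate listed on the page.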


This feature is new in Ignition version 8.1.0

Download Current Certificates

You can download a certificate for the OPC UA client that's currently running on your Gateway as follows:

  1. On the Gateway Webpage, go to the Config tab and select OPC UA > Security.
  2. Click the Certificates tab. You'll see the current Client and Server certificates.
  3. To download a current certificate, click the Download button. In this example, we download a client certificate. 
  4. The certificate is downloaded to your system. 




This feature is new in Ignition version 8.1.0

Regenerate Current Certificates

All SSL certificates have a definite life span. For example, the default life span for an Ignition-generated OPC UA certificate is three years. The limited life span helps ensure that certificates keep up with the latest security standards. Regenerating a certificate replaces it with an entirely new certificate, which resets the expiration date to extend it another three years. If your private key is somehow compromised, regenerating a Client or Server certificate ensures that the private key will no longer work with the Ignition Gateway.

Newly regenerated certificates are automatically trusted by the Gateway issuing them. 

Regenerate a Client Certificate

  1. On the Gateway Webpage, go to the Config tab and select OPC UA > Security.
  2. Click the Certificates tab. You'll see the current Client and Server certificates.
  3. Next to the client certificate you want to regenerate, click the Regenerate button. 



  4. You will see a confirmation message. Click Yes to regenerate the certificate.



  5. You must disconnect and reconnect all OPC clients for this to take effect. On the Gateway Webpage, go to the Config tab and select OPC Client > OPC Connections.
  6. Click the Edit button for the OPC Client you want to restart.



  7. Click Save. The Client is restarted.

Regenerate a Server Certificate

  1. On the Gateway Webpage, go to the Config tab and select OPC UA > Security.
  2. Click the Certificates tab. You'll see the current Client and Server certificates.
  3. Next to the server certificate you want to regenerate, click the Regenerate button. 



  4. You will see a confirmation message. Click Yes to regenerate the server certificate.



  5. To restart the OPC UA module, go to the Config tab and select System > Modules.
  6. Scroll down to the OPC-UA module and click Restart.



