Version: 7.9

Replacing the Default OPC-UA Certificate

Root of Trust Secure Connection

Some OPC-UA servers or PLCs (specifically, Bedrock Automation) may support the use of signed security certificates. This prevents unauthorized access to the data hosted on the UA server, and in some cases allows the UA client to connect without using a username or password. You can replace the default security certificate that is used by Ignition when connecting as an OPC-UA client, allowing Ignition to connect to these UA servers.

The process involved is very similar to applying an SSL certificate to Ignition's web server: download a file (a Certificate Signing Request) from the Ignition Gateway, submit the file to an entity that will sign it, and then upload the signed certificate back into the Ignition Gateway. This extra layer makes connecting to the OPC server very secure.


How to Replace Ignition's Default UA Client Certificate

  1. Go to the Configure section of the Gateway Webpage and click on the link for the OPC-UA Server > Certificates page.

  2. Click on the Import/Export tab.

  3. Click on the 'Click here to export a CSR' link to generate the Certificate Signing Request (CSR) file.

  4. Now that you have the CSR, you will need to send the file off to be signed. Who you send the file to differs depending on the UA server you are trying to have Ignition connect to. For example, if using the built-in OPC-UA server on a Bedrock Automation PLC, then you can submit the CSR to Bedrock. Always consult the UA server's documentation for recommendations on who to send the CSR to.

    This step may take some time, as the entity you sent your CSR to will need to process the request, and generate a unique Signed Certificate.

  5. Once processed, the entity that processed your CSR will respond with a Signed Certificate. Again, on the OPC-UA Server > Certificates page, import the Signed Certificate by using the Browse button.

  6. Click the Import button. After the upload completes, you will see a confirmation at the top of the page stating that the file was uploaded successfully.

  7. With the new certificate, you can now create an OPC-UA connection to the UA server.
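
Before importing the signed certificate in step 5, you can confirm that it was issued for the CSR exported in step 3 by comparing the public keys in the two files. This script is an added example, not part of the Ignition documentation; it assumes OpenSSL is installed and both files are PEM encoded, and the function names and file names are placeholders.

```shell
#!/bin/sh
# Added example: check that a signed certificate belongs to the CSR exported
# from the Gateway. Assumes OpenSSL on PATH and PEM-encoded input files.
# Usage (file names are placeholders): sh check_cert.sh gateway.csr signed.crt

# Print the SHA-256 of the DER-encoded public key found in a CSR ("req")
# or in a certificate ("x509"). Fails if the file cannot be parsed.
pubkey_fp() {
    pem=$(openssl "$1" -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$pem" ] || return 1
    printf '%s\n' "$pem" | openssl pkey -pubin -outform DER 2>/dev/null |
        openssl dgst -sha256 -r | cut -d' ' -f1
}

# Return 0 if the certificate carries the CSR's public key and has not expired,
# 1 on key mismatch, 2 if either file cannot be parsed, 3 if already expired.
csr_matches_cert() {
    csr_fp=$(pubkey_fp req "$1") || return 2
    cert_fp=$(pubkey_fp x509 "$2") || return 2
    [ "$csr_fp" = "$cert_fp" ] || return 1
    openssl x509 -in "$2" -noout -checkend 0 >/dev/null 2>&1 || return 3
    return 0
}

# Runs only when the script is given two arguments: <csr> <signed certificate>.
if [ "$#" -eq 2 ]; then
    # Show who the certificate was issued to, who signed it, and its validity window.
    openssl x509 -in "$2" -noout -subject -issuer -dates
    rc=0
    csr_matches_cert "$1" "$2" || rc=$?
    case "$rc" in
        0) echo "OK: certificate matches the CSR and is within its validity period" ;;
        1) echo "MISMATCH: certificate was not issued for this CSR" ;;
        2) echo "ERROR: could not parse the CSR or the certificate" ;;
        3) echo "EXPIRED: certificate matches the CSR but has expired" ;;
    esac
    exit "$rc"
fi
```
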