Version: 8.1

OPC UA Security

On the OPC UA security page you can manage OPC UA certificates for the client and server. Trusted certificates can be imported and quarantined certificates can be marked as trusted.

The OPC UA pages are located in the Gateway's Config section, under OPC UA:

OPC UA Security Section Gateway Config

Client and Server Tabs

Both the Client and Server tabs allow you to view OPC UA security certificates. The Client tab contains certificates the Gateway uses when acting as an OPC UA client, while the Server tab contains certificates the Gateway uses when acting as an OPC UA server. Both tabs have the same options for managing certificates.

Upload a Trusted Certificate

The steps for uploading trusted certificates are the same whether you're on the Client tab or the Server tab. To upload a trusted certificate, do the following.

  1. On the Gateway Webpage, select OPC UA > Security.

  2. Click the Client tab or Server tab, depending on which certificate you're uploading.

  3. Click the Browse button.

  4. Navigate to the location of the certificate on your system and click Open. (Alternatively, you can drag the certificate file onto the page where it says "Drag files here.")

  5. If the upload was successful, you'll see the name of the certificate and the message "Upload Successful!" The certificate will appear in the Trusted Certificates list.

    Upload a Trusted Certificate Step 5

Download a Trusted Certificate

To download a trusted certificate, do the following.

  1. Next to the certificate name, click the Download icon.
  2. The certificate is downloaded to your system by your web browser.

Delete a Trusted Certificate

To delete a trusted certificate, do the following.

  1. Next to the certificate name, click the Delete action button.
  2. The certificate is deleted.

To view more information about a trusted certificate, click the More Info icon.

Delete Trusted Certificate

OPC UA Security Page Details

Trusted Certificates

| Column Name | Description |
| --- | --- |
| Common Name | Name of the certificate. |
| SHA-1 Fingerprint | The SHA-1 (Secure Hash Algorithm 1) fingerprint is the unique identifier of the certificate. |
| Expiration | Date the certificate will expire. |

Additional Information

| Column Name | Description |
| --- | --- |
| CN | Common Name |
| O | Organization, usually the legal incorporated name of a company. |
| OU | Organizational Unit |
| L | Locality (Town or City) |
| ST | State |
| C | Country, the two-letter ISO code for the country where the organization is located. |

Quarantined Certificates

If you import a certificate that is not trusted, it will appear on the Quarantined Certificates list. From here you can view its details by clicking the More Info icon, trust the certificate by clicking Trust, or remove it by clicking Delete.

Quarantined Certificate

Certificates Tab

New in 8.1.0

The Certificates tab shows the trusted certificates for the OPC UA client and server on the Gateway. From this tab, you can examine a certificate by clicking the More Info icon and download it by clicking the Download button. Downloading here performs the same action as downloading a certificate from the Client tab, as described above.

Certificates Tab

Clicking the Regenerate button for each certificate will create a new certificate.

Regenerate Current Certificates

All certificates have a definite life span. For example, the default life span for an Ignition-generated OPC UA certificate is three years. Any OPC UA connection, even the default loopback connection to Ignition's own server, will stop working if the certificate expires or is invalid.

Regenerating the certificates creates a new certificate with an expiration date set for three years later. If your private key is somehow compromised, regenerating a Client or Server certificate also ensures that the private key will no longer work with the Ignition Gateway.

Newly regenerated certificates are automatically trusted by the Gateway issuing them.

Note that regenerating a server certificate will require that the OPC UA module is restarted.

New in 8.1.8

Regenerating a client certificate will allow you to specify the duration of the new certificate. In addition, regenerating a server certificate will allow you to specify the duration as well as the DNS names and IP addresses to be included in the Subject Alternative Name (SAN) fields.

Regenerate Current Certificates