Security Certificates
A security certificate, also known as a digital certificate, is used to provide trust between connections. Trusted certificates establish the identity, authenticity and reliability of incoming and outgoing traffic.
The Ignition platform uses Secure Sockets Layer/Transport Layer Security (SSL/TLS), which requires certificates in multiple features. The purpose and type of certificate determine how the certificate is installed and where it is stored within Ignition. It is important to know where certificates are needed and what their purpose is to make sure all requirements are met. For example, the Gateway Network and OPC UA security both impact client and server connections, but because the Gateway Network connections are between local and remote gateways and OPC UA connections are between devices, the process for adding and trusting certificates is different.
The following is a list of locations where certificates are required, and a link pointing to a page containing the general security purpose, settings, and certificate management properties.
Gateway:
Acting as a client, see Adding Security Certificates into KeyStores below.
Types of Certificates
It may be helpful to understand the different types of certificate Ignition can use if you are new to certificates.
SSL Certificates
SSL certificates allow systems to verify identity and establish an encrypted network connection to another system using the SSL/TLS protocols. There are two kinds of signed SSL certificate: self-signed certificates and certificates signed by a trusted certificate authority (CA).
Self-signed certificates are generated internally, at no cost.
Trusted CA certificates are signed by a trusted certificate authority.
- Ignition supports CA certificates from your organization's internal CA or from any publicly trusted certificate authority.
Both kinds of certificate provide encryption, but a self-signed certificate carries no signature from a trusted certificate authority, so clients that do not already trust it will display warning messages.
Since SSL/TLS requires a security certificate to be installed, both the Gateway Network and the Web Server can use self-signed certificates when CA certificates are not yet available or not needed, such as during testing. Note that although certificates installed for the Gateway Network and for the Gateway Web Server serve similar functions, they must be managed separately: settings made on one page of the Gateway do not apply to the other, even when the two share a port.
OPC UA Certificates
OPC UA security provides authentication and authorization, as well as encryption and data integrity through signing. Security is integral to OPC UA, and the OPC UA protocols are a hybrid variant of TLS, using binary encoding and HTTPS for transport. The Ignition platform inherently offers OPC UA client functionality, and the Gateway can connect to any compliant OPC UA server.
Adding Security Certificates into KeyStores
In some cases when the Gateway is acting as a client, you may need to provide supplemental security certificates so the Gateway can communicate with other systems, such as databases or devices elsewhere on the network. These supplemental certificates can be added to a Gateway by simply placing them in the following directory on the Gateway's file system:
%gateway installation directory%data/certificates/supplemental
Once added, you will need to restart the Gateway before the certificates will be used.
Supported formats are DER-encoded binary X.509 and Base-64 encoded X.509 (PEM-encoded ASCII).