Certificate validation

A certificate is an electronic document used to prove ownership of a public key. It contains information about the Certificate Authority (CA) that issued the certificate, the expiration date, the public key, the subject of the certificate, the signature, and the signature algorithm.
When an OPC UA client connects to FactoryTalk Linx Gateway, the certificates from both sides need to be trusted separately before the connection can be established.
The process of validating the certificates
  1. An OPC UA client sends a request to establish a connection with the FactoryTalk Linx Gateway.
  2. FactoryTalk Linx Gateway presents its certificate to the OPC UA client.
    TIP: The certificate includes a public key for data signing, encryption, and decryption.
  3. The OPC UA client validates the certificate and selects to trust it. For example:
    (Figure: Certificate Validation dialog in an OPC UA client)
    TIP:
    • Different OPC UA clients use different approaches to trust the FactoryTalk Linx Gateway certificate. See the associated help documentation for more information.
    • The user can replace the self-signed FactoryTalk Linx Gateway certificate in C:\ProgramData\Rockwell\FactoryTalk Linx Gateway\PKI\own with their own certificate. Make sure the replacement certificate uses the same name, format, and password.
  4. The OPC UA client presents its certificate to FactoryTalk Linx Gateway.
    Users can also manually import a certificate into FactoryTalk Linx Gateway.
  5. The FactoryTalk Linx Gateway validates the incoming OPC UA client's certificate and generates a validation log message.
    To validate the OPC UA client certificate, the FactoryTalk Linx Gateway checks the following items:
    • Validate to
    • Certificate Revocation List (CRL)
    • Application URI
    • Subject Name
    • Validate from
    • Expiration Time
    • Issue to
    • Issue by
    • Certificate path
    • Issuer
    • Issuer certificate
    • Signature hash algorithm
    • Signature algorithm
      TIP:
      • Apart from the items in the certificate, the FactoryTalk Linx Gateway also checks the folders crl, issuer, rejected, and trusted under C:\ProgramData\Rockwell\FactoryTalk Linx Gateway\PKI. This determines whether the incoming certificate has been validated before.
      • Internet access is not required when the FactoryTalk Linx Gateway performs certificate validation.
  6. After validation, the certificate is placed into the Rejected field on the FactoryTalk Linx Gateway Configuration Certificate Management tab.
    A diagnostic message "The certificate presented by the client <ClientName> is not trusted" is logged on the FactoryTalk Diagnostics Log tab.
  7. Select the appropriate certificate, and then click Trust to move the certificate to the Trusted Certificates field.
    A diagnostic message "Certificate <CertificateName> is trusted by user <UserName>." is logged on the FactoryTalk Diagnostics Log tab.
  8. The connection is established, and the OPC UA client can communicate with the FactoryTalk Linx Gateway.
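The check list in step 5 and the rejected/Trust handling in steps 6 and 7, modelled as an added Go example. This is code written for this page, not code from FactoryTalk Linx Gateway or Rockwell, and it uses only the Go standard library. The in-memory TrustStore standing in for the PKI folders, the SHA-256 thumbprint used to key it, the constructed CA and client certificates, the application URI urn:example:opcua-client and the failure messages are all assumptions; the product's real folder format, log text and CRL handling are not reproduced, and Go's verifier does not consume CRLs on its own, so the CRL item is left out.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"math/big"
	"net/url"
	"strings"
	"time"
)

// TrustStore is a hypothetical in-memory stand-in for the gateway's PKI folders: trusted and rejected
// hold thumbprints already decided, issuer holds CA certificates. SHA-256 keying is an assumption.
type TrustStore struct {
	Trusted, Rejected map[string]bool
	Issuers           *x509.CertPool
}
type Result struct {
	Thumbprint string
	Failures   []string // one entry per checked item that failed
}

// HasFailure reports whether some failure message starts with the given item name.
func (r Result) HasFailure(item string) bool {
	for _, f := range r.Failures {
		if strings.HasPrefix(f, item) { return true }
	}
	return false
}

// ValidateClientCert runs the items listed under step 5 against a client certificate.
// Every check is local; no network access is needed.
func ValidateClientCert(c *x509.Certificate, expectedURI string, store *TrustStore, now time.Time) Result {
	sum := sha256.Sum256(c.Raw)
	res := Result{Thumbprint: hex.EncodeToString(sum[:])}
	fail := func(msg string) { res.Failures = append(res.Failures, msg) }
	if now.Before(c.NotBefore) { fail("Validate from: certificate is not yet valid") } // Validate from
	if now.After(c.NotAfter) { fail("Expiration Time: certificate has expired") }      // Expiration Time
	uriOK := false // Application URI: OPC UA carries it as a URI entry of the Subject Alternative Name
	for _, u := range c.URIs { uriOK = uriOK || u.String() == expectedURI }
	if !uriOK { fail("Application URI: no SAN URI matches " + expectedURI) }
	// Subject Name: refuse a certificate with an empty subject.
	if c.Subject.CommonName == "" { fail("Subject Name: empty common name") }
	// Signature hash algorithm: refuse digests that are no longer considered safe.
	switch c.SignatureAlgorithm {
	case x509.MD2WithRSA, x509.MD5WithRSA, x509.SHA1WithRSA, x509.ECDSAWithSHA1:
		fail("Signature hash algorithm: " + c.SignatureAlgorithm.String())
	}
	// Certificate path / Issuer / Issuer certificate: a certificate the user already trusted is its own
	// anchor; anything else must chain to a CA in the issuer folder. Verify re-checks the validity window.
	if store.Trusted[res.Thumbprint] { return res }
	if store.Rejected[res.Thumbprint] { fail("Rejected: validated before and awaiting Trust") }
	opts := x509.VerifyOptions{Roots: store.Issuers, CurrentTime: now, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	if _, err := c.Verify(opts); err != nil { fail("Certificate path: " + err.Error()) }
	return res
}

// Record mirrors step 6: a certificate that failed waits in rejected. Trust mirrors step 7.
func Record(store *TrustStore, r Result) {
	if len(r.Failures) > 0 { store.Rejected[r.Thumbprint] = true }
}
func Trust(store *TrustStore, tp string) { delete(store.Rejected, tp); store.Trusted[tp] = true }

// makeCert issues a certificate from tpl signed by parent (self-signed when parent == tpl).
func makeCert(tpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tpl, parent, pub, signer)
	if err != nil { panic(err) }
	c, err := x509.ParseCertificate(der)
	if err != nil { panic(err) }
	return c
}

// BuildSample constructs sample material (not from the product): a private CA in the issuer
// folder, a client certificate it issued, and one whose validity window has already passed.
func BuildSample(now time.Time) (store *TrustStore, good, expired *x509.Certificate) {
	caKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	caTpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Issuing CA"},
		NotBefore: now.Add(-72 * time.Hour), NotAfter: now.Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	ca := makeCert(caTpl, caTpl, &caKey.PublicKey, caKey)
	clientKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	appURI, _ := url.Parse("urn:example:opcua-client")
	tpl := &x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "Example OPC UA Client"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(time.Hour),
		URIs: []*url.URL{appURI}, KeyUsage: x509.KeyUsageDigitalSignature}
	good = makeCert(tpl, ca, &clientKey.PublicKey, caKey)
	expTpl := *tpl // same client, but with a validity window that ended yesterday
	expTpl.SerialNumber, expTpl.NotBefore, expTpl.NotAfter = big.NewInt(3), now.Add(-48*time.Hour), now.Add(-24*time.Hour)
	expired = makeCert(&expTpl, ca, &clientKey.PublicKey, caKey)
	pool := x509.NewCertPool(); pool.AddCert(ca)
	return &TrustStore{Trusted: map[string]bool{}, Rejected: map[string]bool{}, Issuers: pool}, good, expired
}
```

Running ValidateClientCert on the expired certificate, then Record, then Trust reproduces the sequence of steps 6 and 7: the rejected thumbprint is reported until the user trusts it, and trusting only replaces the chain check with the certificate itself as anchor, so the expired validity window is still reported. A certificate whose application URI does not match the one the client announced fails on that item alone even though it chains cleanly to the issuer.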