Certificates and keys

You can set the public certificate and the private key of the server or client in the OPC UA server and OPC UA client objects.

Certificates lifecycle

The certificates released by an application are self-signed and must be installed with the trusted certificates on the server and on the client to allow communication. The communication is interrupted when the certificate is removed from the trusted list.
You can install the CA certificate separately from the trusted certificates. To exclude a certificate issued by a CA, include the certificate in the CA CRL.
ATTENTION: Each CA certificate must include the corresponding CRL to verify the certificate of an application.
Certificates and the CRLs must comply with the X.509v3 standard with DER binary coding (
DER
 files).
For each certificate, there is a private key and Base64 ASCII encoding (a
PEM
 file).
All of the valid security policies require the signature of certificates with the SHA-256 algorithm with RSA encryption (2048, 3072, or 4096). The two deprecated policies (Basic128Rsa15 and Basic256) require the certificate to be signed with the SHA1 algorithm with RSA encryption (1024 or 2048).

Certificates processing in
FactoryTalk Optix Studio

If these elements are absent, when
FactoryTalk Optix Studio
 generates a
FTOptixApplication
 server, it also generates a public certificate and the corresponding private key of the server.
IMPORTANT: To communicate securely, the client and server public certificates must be considered trusted by the client and server.
At design time, if you have your own certificates or certificates of other clients/servers in the field, you can import them into
FactoryTalk Optix Studio
 to make them trusted. For more information, seeConfigure the trusted certificates at design time.
TIP: You can generate certificates for your own application in
FactoryTalk Optix Studio
. For more information, see Create a certificate.
If the certificates of other clients/servers in the field are not available at design time, you can import them into the project. They will be trusted at runtime once the link between the server and the client is established. For more information, see Configure the trusted certificates at runtime.
TIP: The name of the copied certificate is a string composed of its Common Name (CN) and thumbprint (signature).
At design time,
FactoryTalk Optix Studio
 displays an error that the server certificate was rejected if:
  • You are using an OPC UA client to import nodes from the OPC UA server.
  • The project does not have the public certificate for the server.
You can import the certificate into the project to consider it trusted Configure the trusted certificates at design time.
Provide Feedback
Have questions or feedback about this documentation? Please submit your feedback here.