Generate and Assign a Self-Signed Certificate
The Generate and Assign Application Certificate icon is available for the following objects:

- OPC UA source system: You can choose this option in the application certificate screen area on the Security tab for the OPC UA source system. You can then set the parameters for certificate generation in the Generate Self-Signed OPC UA Client Certificate From Defaults dialog box that appears. The generated certificate is assigned automatically to the OPC UA source system as an application certificate. (See also: Application Certificate for OPC UA Source Systems.)
- OPC UA server: You can choose this option in the application certificate screen area on the Security Configuration tab. You can set the parameters for certificate generation in the Generate Self-Signed OPC UA Server Certificate From Defaults dialog box that appears. The generated certificate is assigned automatically to the OPC UA source system as an application certificate.
Mandatory Subject Components
This screen area contains the mandatory fields for generation of the certificate. Each certificate has a subject attribute of type X.509 DistinguishedName that describes in more detail the entity to which the certificate is assigned.

| Field | Description |
|---|---|
| Common Name (CN=) | You enter the common name for the certificate here. In the case of OPC UA source systems, CN= is prefilled with the value SAP PCo OPC UA client <name of the source system> and in the case of OPC UA servers with the value SAP PCo OPC UA client <name of the agent instance>. |
| Organization (O=) | Enter a name here that describes the organization that operates the application, for example, the name of the company. You must make an entry here in order to comply with the OPC UA specification. |
Optional Subject Components
This screen area contains additional fields with attributes that you can fill or leave empty.
| Field | Description |
|---|---|
| Locality (L=) | Freely definable |
| Country (C=) | Enter, for example, DE for Germany. A valid two-character country code is expected. |
| Organizational Unit (OU=) | Freely definable |
| Domain Component (DC=) | Enter the host name or the fully qualified host name of the computer here. |
| State or Province (S=) | Freely definable |
| Friendly Name | A name of your choice that you can assign to the certificate. The friendly name can, for example, make it easier to recognize the certificate (for example, in the certificate store). There is a separate column for this in the selection dialog for certificates. |
Technical Settings
| Field | Description |
|---|---|
| Key Size (bit) | Specifies the size of the private key. 2048 bit is the default value. |
| Valid From Today Until | You define the validity end date of the certificate here. The default validity is one year. |
Microsoft Certificate Store
| Field | Description |
|---|---|
| Certificate Store | The certificates are always stored as application certificates with a private key in the Microsoft certificate store. You can decide whether you want to store the certificate in the private user area or in the machine-specific storage area. |
| Certificate Folder | You can select the folder here. |
| Private Key Is Exportable | If you select this checkbox, the certificate and the private key can be exported. If you do not select this checkbox, you cannot save the certificate with the private key outside the Microsoft certificate store. The advantage of this setting is greater security because the key cannot be stolen and therefore cannot be used on another device. The disadvantage is that you cannot make a backup of the private key. If the computer is defective, for example, you have to generate new certificates and also set up new trust relationships for the certificates. |
Alternative Names
For OPC UA servers, the computer on which the server is running must be specified in the application certificate. The preferred method is to provide a DNS name or an IP address in the Alternative Names screen area. For certificate generation for OPC UA servers in PCo, you must therefore enter either the DNS name or the IP address; otherwise the certificate cannot be generated. You can enter one or more DNS names or IP addresses here, and they must match the endpoints of the server. The fields can contain comma-separated lists.

| Field | Description |
|---|---|
| DNS | You enter the name or names for the domain name system here. For OPC UA servers, the default value for the domain name is the current computer name. |
| IP Address | Enter the IP address(es) of your computer here if you are using the IP address for the endpoint definition of an OPC UA server. It must match the endpoint of the server. The IP address is the unique identification characteristic of a computer that defines its location on the Internet. |
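The following script is an added example and not part of SAP PCo or its documentation. It reproduces the settings of the dialog described on this page (mandatory and optional subject components, 2048-bit key, one-year validity, machine-specific store, non-exportable private key, DNS and IP alternative names) with the Windows New-SelfSignedCertificate cmdlet, and then checks that the alternative names cover the host named in the server endpoint URL. The agent instance name, the endpoint URL, the organization values and the IP address are assumed or constructed sample values, and the cmdlet needs an elevated shell to write to the machine store.

```powershell
# Added example, not SAP PCo's own code: reproduces the dialog settings described on this
# page with the Windows New-SelfSignedCertificate cmdlet (PKI module, Windows 10 / Server
# 2016 or later) and then checks the alternative names against the server endpoint.
# Every name and address below is a constructed sample value; the agent instance name and
# the endpoint URL are assumptions.

$agentInstance = 'PCoAgent01'                      # assumed PCo agent instance name
$hostName      = [System.Net.Dns]::GetHostName()   # dialog default for DNS: the current computer name
$ipAddress     = '192.0.2.10'                      # constructed sample address (TEST-NET-1 range)
$endpoint      = "opc.tcp://${hostName}:4840"      # assumed endpoint URL the certificate must cover

# Subject: CN= and O= are the mandatory components; the others are optional.
# C= must be a two-letter country code, DC= carries the host name, S= the state/province.
$subject = "CN=SAP PCo OPC UA client $agentInstance, O=Example Corp, OU=Plant IT, " +
           "L=Walldorf, S=BW, C=DE, DC=$hostName"

# Alternative names: the dialog takes comma-separated DNS and IP lists; here both lists
# go into one subjectAltName extension (OID 2.5.29.17) using the cmdlet's {text} syntax.
$dnsNames     = @($hostName)
$ipAddrs      = @($ipAddress)
$sanParts     = @($dnsNames | ForEach-Object { "DNS=$_" }) +
                @($ipAddrs  | ForEach-Object { "IPAddress=$_" })
$sanExtension = '2.5.29.17={text}' + ($sanParts -join '&')

$params = @{
    Subject           = $subject
    FriendlyName      = "PCo OPC UA server $agentInstance"   # shown in its own column in the store
    KeyAlgorithm      = 'RSA'
    KeyLength         = 2048                                 # "Key Size (bit)" default
    HashAlgorithm     = 'SHA256'
    NotAfter          = (Get-Date).AddYears(1)               # "Valid From Today Until": one year default
    CertStoreLocation = 'Cert:\LocalMachine\My'              # machine-specific area (elevated shell);
                                                             # 'Cert:\CurrentUser\My' is the private user area
    KeyExportPolicy   = 'NonExportable'                      # "Private Key Is Exportable" unchecked: the key
                                                             # cannot leave this machine and cannot be backed up
    TextExtension     = @($sanExtension)
}
$cert = New-SelfSignedCertificate @params

# Verify that the alternative names cover the host the endpoint URL names. A mismatch here
# is what makes OPC UA clients reject the server certificate later.
$sanText      = ($cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }).Format($false)
$endpointHost = ([System.Uri]$endpoint).Host
if ($sanText -notmatch [regex]::Escape($endpointHost)) {
    throw "Endpoint host '$endpointHost' is not in the alternative names: $sanText"
}

"Thumbprint: $($cert.Thumbprint)"
"Subject:    $($cert.Subject)"
"SAN:        $sanText"
"Valid to:   $($cert.NotAfter)"
```

Because the key is created with KeyExportPolicy NonExportable, the certificate can only be used on this computer; if the machine is replaced, a new certificate must be generated and the trust relationships on the OPC UA peers re-established, exactly as the Private Key Is Exportable description above warns. Run the check against every endpoint URL the server publishes, since each one must be covered by a DNS name or IP address in the certificate.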