Identification Type of Certificates

When you configure server or client certificates or certificates for authentication in Plant Connectivity, you can define the identification type of the certificate for some applications. This enables you to determine how you want the selected certificate to be identified by the Plant Connectivity system at runtime. The identification type is supported for the following configuration elements:

  • OPC UA source system

  • OPC UA server

  • Universal Web service destination system

The following options are available in the Identification Type field:

  • If you select the Identification By Thumbprint option, the unique thumbprint identifies the configured certificate. This is the default setting.

  • If you select the Identification By Subject (Allows Certificate Rotation) option, the subject of the certificate is used at runtime to select the appropriate certificate from the list of certificates in the selected storage location. If there are multiple certificates with this subject, the certificate with the latest valid-to date is used.

    With this setting, the system supports certificate rotation. The certificate can be replaced at runtime without the configuration needing to be changed.

    During productive operation, the certificate is renewed automatically once it has expired, provided the renewed certificate has the same subject as the previously configured certificate. The new certificate therefore keeps the original subject but has a new thumbprint and typically a longer validity period, that is, a later valid-to date.

Further Notes

Make sure that the trust relationship between the server and client is retained after a certificate exchange. When doing so, consider the following aspects:

  • If you have established the trust relationship using the certificate of a certification authority (CA) and then renew the client certificate or the server certificate that was signed by that CA, the trust relationship is preserved and you do not need to do anything.

  • However, if you have established the trust relationship by storing the client certificate itself in the trust store of the server, you will probably need to update the trust store of the server with the renewed application certificate. The same applies in the opposite direction to a server certificate that the client must trust: in that case the renewed server certificate may also have to be stored in the client's trust store.
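The following Python script is an added example, not part of this documentation or of Plant Connectivity itself. It models a certificate store with a small constructed data class and implements the two identification rules described above (thumbprint match, and subject match with the latest valid-to date), then uses the same model to check the trust-store point from the Further Notes: after a rotation, a peer that trusts the issuing CA keeps trusting the renewed certificate, while a peer that pinned the old leaf certificate does not. All subjects, issuer names, thumbprints and dates are constructed placeholders; the rotation_check function is a pre-flight check of my own design, not a PCo feature.

```python
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class Cert:
    """Minimal stand-in for one certificate in a store (constructed model, not PCo's API)."""
    subject: str
    issuer: str
    thumbprint: str      # hex string in a real store; placeholder values in this example
    valid_from: datetime
    valid_to: datetime


def select_by_thumbprint(store, thumbprint):
    """Identification By Thumbprint: the configured thumbprint must match exactly."""
    wanted = thumbprint.replace(" ", "").lower()
    for cert in store:
        if cert.thumbprint.lower() == wanted:
            return cert
    return None


def select_by_subject(store, subject):
    """Identification By Subject: among certificates with that subject, take the latest valid-to date."""
    candidates = [c for c in store if c.subject == subject]
    if not candidates:
        return None
    return max(candidates, key=lambda c: c.valid_to)


def trust_basis(cert, trust_store):
    """Why a peer would trust this certificate: 'ca' if the issuer is in the peer's trust store,
    'pinned' if the leaf certificate itself was stored there, None if neither applies."""
    if any(t.subject == cert.issuer for t in trust_store):
        return "ca"
    if any(t.thumbprint.lower() == cert.thumbprint.lower() for t in trust_store):
        return "pinned"
    return None


def rotation_check(store, subject, peer_trust_store, now):
    """Pre-flight check for a subject-identified certificate: which certificate will be picked,
    whether it is inside its validity window, and whether the peer still trusts it.
    Returns a list of findings; an empty list means the rotation is safe."""
    chosen = select_by_subject(store, subject)
    if chosen is None:
        return ["no certificate with subject %s in store" % subject]
    findings = []
    if not (chosen.valid_from <= now <= chosen.valid_to):
        findings.append("selected certificate %s is outside its validity window" % chosen.thumbprint)
    if trust_basis(chosen, peer_trust_store) is None:
        findings.append("peer trust store contains neither issuer %s nor thumbprint %s; "
                        "update the peer's trust store" % (chosen.issuer, chosen.thumbprint))
    return findings


# Constructed sample data: one issuing CA, the old client certificate and its renewed successor.
UTC = timezone.utc
CA = Cert("CN=Example Issuing CA", "CN=Example Root CA", "ca00ca00",
          datetime(2020, 1, 1, tzinfo=UTC), datetime(2035, 1, 1, tzinfo=UTC))
OLD = Cert("CN=pco-opcua-client", "CN=Example Issuing CA", "aa11aa11",
           datetime(2023, 1, 1, tzinfo=UTC), datetime(2024, 1, 1, tzinfo=UTC))
NEW = Cert("CN=pco-opcua-client", "CN=Example Issuing CA", "bb22bb22",
           datetime(2023, 12, 1, tzinfo=UTC), datetime(2025, 1, 1, tzinfo=UTC))
STORE_AFTER_ROTATION = [OLD, NEW]   # both certificates are present after the renewal
NOW = datetime(2024, 3, 1, tzinfo=UTC)


if __name__ == "__main__":
    # A thumbprint-bound configuration still resolves to the old, expired certificate ...
    print("by thumbprint:", select_by_thumbprint(STORE_AFTER_ROTATION, OLD.thumbprint).thumbprint)
    # ... while a subject-bound configuration picks the renewed one without a config change.
    print("by subject:   ", select_by_subject(STORE_AFTER_ROTATION, OLD.subject).thumbprint)
    # Peer trusts the CA: nothing to do. Peer pinned the old leaf: trust store must be updated.
    print("peer trusts CA:", rotation_check(STORE_AFTER_ROTATION, OLD.subject, [CA], NOW))
    print("peer pinned old:", rotation_check(STORE_AFTER_ROTATION, OLD.subject, [OLD], NOW))
```

Running the script shows the practical difference between the two options: with subject identification the renewed certificate is selected as soon as it is present in the store, but only a CA-based trust relationship survives the rotation on the peer side; a pinned leaf certificate produces a finding that tells the operator which trust store to update.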