Security Configuration Tab

Use

On this tab, you configure the settings for secure connections and user authentication for OPC UA servers.

Procedure

Application Certificate

To be able to identify the PCo system as a server to the OPC UA client and vice versa, X.509 v3 certificates are used, provided a secure connection is to be set up. In the context of OPC UA, the certificates used here are called application certificates.

  1. You can generate and assign an application certificate for the Application Certificate field by choosing the icon Generate and Assign Application Certificate.

    The Generate Self-Signed OPC UA Server Certificate From Defaults dialog box appears where you can make the settings for certificate generation. See also: Generate and Assign a Self-Signed Certificate.

  2. Choose Change Application Certificate Assignment to select and assign another certificate in the certificate browser.

  3. If you choose Remove Application Certificate Assignment, the assignment of the generated certificate is removed. However, the certificate remains in the Microsoft certificate store and can be selected for other OPC UA servers.

  4. Specify the identification type for the selected application certificate. If you select the Identification by Subject option, certificate rotation is supported. (See also: Identification Type of Certificates.)

  5. Select the Send Certificate Chain checkbox if the application certificate of the server has been signed with a root certificate and is embedded in a certificate chain. This option controls whether the server should try to build this chain and send it to the client when a secure connection is being set up. In this case, the server searches recursively in specific certificate stores for the certificate with which the application certificate, or the CA certificate that was found last, has been signed, and then sends the certificates that it has found to the client. The client needs the certificates it is missing in order to validate the application certificate. Not every OPC UA application supports the receipt of certificate chains.

    Deselect the checkbox if you want to connect the OPC UA server with such an application. In this case, you need to make the certificate chain known to the client manually, if necessary. If you do not select the checkbox, the server only sends its application certificate.

Certificate Storage Configuration for the Application Certificate of the UA Client

The configuration for the certificate store of the OPC UA server is symmetrical to the corresponding settings of the OPC UA source system; only the roles of client and server are swapped. When the connection is set up between the OPC UA server and OPC UA client, the OPC UA server and the client exchange certificates with public keys to set up the connection.

Store for Trusted Client Certificates

Here you enter the store type and the folder you want. You can configure the store location for the certificates that the OPC UA server is to trust individually for each server. You have the following options:

  • Store Type Microsoft Certificate Store

    With this setting, the OPC UA server automatically searches the selected folder of the Microsoft Certificate Store for the client certificate when a connection is being established. You can select specific folders of the Microsoft Certificate Store here.

  • Store Type File System

    With this option, you specify the store location for the certificates that the OPC UA server is to trust in the file system. You can specify specific directories in the directory tree. By default, a subfolder is offered in the directory that is usually used under MS Windows for storing all-user configurations.

Store for Rejected Client Certificates

If an OPC UA server wants to set up a secure connection to an OPC UA client, it receives a certificate with a public key from the client. The server accepts this certificate if it regards it as trustworthy (see the previous point).

Otherwise, the certificate is stored in the store for rejected client certificates. With this setting, you can define the store location for these certificates. If the client is using a self-signed certificate, you can, after an unsuccessful connection attempt, copy the certificate from this store location to the store for trusted certificates. This establishes the trust relationship between the server and client on the PCo side. You need to make a root certificate known in another way, for example, manually.

Store for Trusted Issuer Certificates

If the application certificate of the UA client is embedded in a certificate hierarchy, the related root certificate needs to be available to be able to validate the client certificate. You need to store this root certificate in the subfolder certs of the directory that can be configured with this option.

As in the case of trusted client certificates, this directory should only be writable for system administrators if it is created in the file system. After an unsuccessful connection attempt, however, you will not find the root certificate in the store for rejected certificates, so you cannot copy it from there.

Alternatively, you can store the root certificate in the store for trusted client certificates. If a valid root certificate is available there and the client sends a valid certificate, that is, one that has all the attributes that the OPC UA specification envisages for application certificates, with valid values for all of them, you do not need to store the client certificate itself in the store for trusted certificates.
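The chain search described under Send Certificate Chain and the trust decision across the trusted, rejected and issuer stores, modelled as an added Python example that is not PCo's own code. Cert, ServerStores and the functions are constructed for illustration, and chain links are matched by issuer name only, without the signature check that a real server performs at each link.

```python
from dataclasses import dataclass, field
from typing import Dict, List

@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str      # equals subject for a self-signed (root) certificate
    thumbprint: str  # constructed stand-in for the certificate thumbprint

@dataclass
class ServerStores:
    """The three server-side stores from this tab, keyed by thumbprint."""
    trusted_clients: Dict[str, Cert] = field(default_factory=dict)
    trusted_issuers: Dict[str, Cert] = field(default_factory=dict)  # the "certs" subfolder
    rejected_clients: Dict[str, Cert] = field(default_factory=dict)

def build_chain(leaf: Cert, stores: List[Dict[str, Cert]]) -> List[Cert]:
    """Chain search as described for Send Certificate Chain: starting at the leaf, look
    in the stores for the certificate whose subject matches the issuer of the certificate
    found last, until a self-signed certificate is reached or nothing matches. Whatever
    was found is returned, so the chain may be incomplete (no signature check here)."""
    chain, current = [leaf], leaf
    while current.issuer != current.subject:
        found = next((c for s in stores for c in s.values() if c.subject == current.issuer), None)
        if found is None or found in chain:
            break
        chain.append(found)
        current = found
    return chain

def accept_client(cert: Cert, stores: ServerStores, attributes_valid: bool = True) -> bool:
    """Trust decision for a client application certificate: directly trusted certificates
    are accepted; otherwise the chain must end at a root held in the trusted issuer or
    trusted client store and the client certificate must carry valid OPC UA attributes.
    Anything else goes to the rejected store, where the administrator can review it."""
    if cert.thumbprint in stores.trusted_clients:
        return True
    root = build_chain(cert, [stores.trusted_issuers, stores.trusted_clients])[-1]
    root_trusted = root.issuer == root.subject and (
        root.thumbprint in stores.trusted_issuers or root.thumbprint in stores.trusted_clients)
    if root_trusted and attributes_valid:
        return True
    stores.rejected_clients[cert.thumbprint] = cert
    return False

def trust_rejected(thumbprint: str, stores: ServerStores) -> None:
    """Administrator step from the text: move a rejected self-signed client certificate
    into the trusted client store so that the next connection attempt succeeds."""
    stores.trusted_clients[thumbprint] = stores.rejected_clients.pop(thumbprint)
```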