Certificates and keys

You can set the public certificate and private key of the server or client in the OPC UA server and OPC UA client objects.

Certificates lifecycle

The certificates released by an application are self-signed and must be installed with the trusted certificates on the server and on the client to allow communication. The communication is interrupted when the certificate is removed from the trusted list.

You can install the CA certificate separately from the trusted certificates. To exclude a certificate issued by a CA, include the certificate in the CA CRL.
Attention: Each CA certificate must include the corresponding CRL to verify the certificate of an application.

Certificates and the CRLs must comply with the X.509v3 standard with DER binary coding (DER files).

For each certificate, there is a private key and Base64 ASCII encoding (a PEM file).

All of the valid security policies require the signature of certificates with the SHA-256 algorithm with RSA encryption (2048, 3072, or 4096). The two deprecated policies (Basic128Rsa15 and Basic256) require the certificate to be signed with the SHA1 algorithm with RSA encryption (1024 or 2048).

If these elements are absent, when FactoryTalk Optix Studio generates an FTOptixApplication server, it also generates a public certificate and the corresponding private key of the server.
Important: The client and server public certificates must be trusted by the client and server.

Certificates import

At design time, if you have your own certificates or certificates of other clients or servers in the field, you can import them into FactoryTalk Optix Studio to make them trusted. For more information, see Configure the trusted certificates at design time. When an OPC UA client connects to an OPC UA server, a dialog box displays information about the server certificate. Select trust the server certificate or reject the server certificate.
Tip: You can generate certificates for your own application in FactoryTalk Optix Studio. For more information, see Create a certificate.
If the certificates of other clients or servers are not available at design time, you can import them into the project at runtime. The certificates are trusted at runtime when the link between the server and the client is established. For more information, see Configure the trusted certificates at runtime.
Tip: The name of the copied certificate is a string composed of its Common Name (CN) and thumbprint signature.

Certificates and keys in OPC UA

To identify the participants in a communication and to verify the authenticity and confidentiality of the exchanged messages, every OPC UA application, including client and server, must have a public certificate that is an Application Instance Interface and a public key/private key pair.

The public key is distributed with the certificate. The private key is not disclosed.

  • Private key file. Signs messages to send and decrypts received messages.

  • Public key file. Verifies signatures of the received messages and encrypts sent messages.