Geo SCADA Knowledge Base
Originally published on Geo SCADA Knowledge Base by AdamWoodland | April 29, 2024 09:26 AM
Creating a valid server certificate for an OPC UA server is very similar to creating a new certificate for a web server. However, the OPC UA certificate requires some additional information in the certificate signing request (CSR), which is included in the certificate's "Alternative Name" section under URL. For general details on how to create the CSR as a custom request using Windows Certificate Manager, refer to third-party websites such as https://knowledge.digicert.com/solution/generate-a-csr-via-mmc-certificate-snap-in-using-windows as relevant for your version of Windows.
When creating the custom request, while entering the certificate's properties, select URL under the alternative name section and add "urn:server", where "server" is the domain name and/or IP address of the machine that hosts the certificate. See below for an example request field (without all the other mandatory fields such as country, organisation, etc.) for a server called "testserver" with an IP address of 192.168.0.1 and the mandatory URL fields. The URL entries do not need to match 1-to-1 with the configured common name (CN) or any IP addresses in the certificate. You should ensure that the URL fields include any access method that the OPC UA client will use so that the certificate is valid, which means you may need to add multiple URL entries.
When the certificate is generated from the request and loaded back into Certificate Manager, it should now contain the necessary information allowing the certificate to be loaded into Geo SCADA as the OPC UA server certificate.
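One way to confirm that the issued certificate still carries the URL entries before loading it into Geo SCADA is shown here. It is an added example, not part of the original article or of Geo SCADA. It assumes the certificate sits in the Local Computer "Personal" store and that Windows formats the extension with English labels; the function name and the thumbprint placeholder are hypothetical.

```powershell
# Added example (not from the original article): confirm that the issued
# certificate kept the "urn:<name>" URL entries requested in the CSR.
# Assumptions: the certificate is in the Local Computer "Personal" store and
# Windows uses English display labels ("URL=") when formatting the extension.
function Test-OpcUaUrlEntries {
    param(
        [Parameter(Mandatory)] [string]   $Thumbprint,
        # Every host name / IP address that OPC UA clients use to connect
        [Parameter(Mandatory)] [string[]] $AccessNames
    )

    $cert = Get-Item -Path "Cert:\LocalMachine\My\$Thumbprint" -ErrorAction Stop

    # 2.5.29.17 is the Subject Alternative Name extension
    $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if (-not $san) {
        throw "Certificate $Thumbprint has no Alternative Name extension."
    }

    # Format($true) returns one entry per line, e.g. "URL=urn:testserver"
    $urls = @($san.Format($true) -split "`r?`n" |
        ForEach-Object { $_.Trim() } |
        Where-Object   { $_ -like 'URL=*' } |
        ForEach-Object { $_.Substring(4) })

    # One result row per access method the clients will use
    foreach ($name in $AccessNames) {
        [pscustomobject]@{
            AccessName = $name
            Expected   = "urn:$name"
            Present    = $urls -contains "urn:$name"
        }
    }
}

# Constructed sample values based on the article's example server; replace
# the thumbprint placeholder with the value shown in Certificate Manager.
Test-OpcUaUrlEntries -Thumbprint '<CERTIFICATE-THUMBPRINT>' `
    -AccessNames 'testserver', '192.168.0.1'
```

A row with `Present` set to `False` means the matching URL entry was missing from the request or was not carried over by the issuing CA, so the CSR needs to be corrected and reissued.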
The generated certificate can also be used within IIS as a web site certificate, assuming the necessary fields are valid for that too.
For the client to trust the generated certificate, ensure that the client also has installed the necessary root and intermediate CA certificates that were used to generate the server certificate.
Your organisation or the issuer of the server certificate may have specific guidance on what other fields are necessary to include within the CSR.
Generating the CSR via Certificate Manager's "Create Custom Request" should create a certificate with the necessary properties, on top of the URL info required above. However, should the certificate still not be valid, the following are the full requirements of the server certificate: