OPC UA secure

OPC UA uses mutual authentication: both partners must have their own certificate and know the other’s certificate before a connection can be established!

  1. Create a new certificate in your OPC UA client.

    Note

    Ensure the PLC clock is set to the current time and date when using certificates on the PLC. Otherwise the certificate cannot be used to secure a protocol (see also AC500_Battery: AC500 Battery SNTP Client Configuration).

  2. Import that certificate to the Trusted Certificates in your PLC using the Security Screen.

  3. Import a certificate for the OPC UA server on the PLC or create a self-signed certificate.

  4. Export that cert to the PC and provide it as a trusted certificate to your OPC UA client.

  5. Reboot the PLC and check that it is in RUN and both certificates are on the PLC (via the Security Screen).

  6. Add the PLC as OPC UA server in your OPC UA client.

  7. Connect to the OPC UA Server.

    You can now interact with the UA server as usual.
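The client certificate created in step 1 is an OPC UA application instance certificate, and the PLC checks it against its own clock (see the note above) and against the application URI the client reports. The following script is an added example, not ABB's code or the code of any OPC UA client: it builds such a self-signed certificate and runs the same checks the PLC applies. It assumes the Python `cryptography` package; `APP_URI`, `HOSTNAME` and the PLC clock values are constructed for illustration.

```python
"""Added example (not ABB's code): build a self-signed OPC UA client certificate
for step 1 and check it the way the PLC will before it can be trusted.
Assumes the 'cryptography' package; APP_URI and HOSTNAME are constructed values."""
import datetime
import hashlib

from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.x509.oid import ExtendedKeyUsageOID, NameOID

# Constructed values. The URI must equal the ApplicationUri the client reports
# in its ApplicationDescription, otherwise the server rejects the certificate.
APP_URI = "urn:example-pc:opcua-client"
HOSTNAME = "example-pc"


def make_client_certificate(app_uri=APP_URI, hostname=HOSTNAME, days=365):
    """Return (certificate, private_key) carrying the extensions OPC UA expects."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "OPC UA client"),
                      x509.NameAttribute(NameOID.ORGANIZATION_NAME, "Example Org")])
    now = datetime.datetime.now(datetime.timezone.utc)
    builder = (x509.CertificateBuilder()
               .subject_name(name).issuer_name(name)                  # self-signed
               .public_key(key.public_key())
               .serial_number(x509.random_serial_number())
               .not_valid_before(now - datetime.timedelta(minutes=5))  # tolerate small skew
               .not_valid_after(now + datetime.timedelta(days=days))
               # Application instance certificate: the SAN holds the application URI
               # and the host name of the machine running the client.
               .add_extension(x509.SubjectAlternativeName(
                   [x509.UniformResourceIdentifier(app_uri), x509.DNSName(hostname)]),
                   critical=False)
               # Sign + encrypt needs the signature and key transport usages.
               .add_extension(x509.KeyUsage(
                   digital_signature=True, content_commitment=True, key_encipherment=True,
                   data_encipherment=True, key_agreement=False, key_cert_sign=False,
                   crl_sign=False, encipher_only=False, decipher_only=False), critical=True)
               .add_extension(x509.ExtendedKeyUsage(
                   [ExtendedKeyUsageOID.CLIENT_AUTH, ExtendedKeyUsageOID.SERVER_AUTH]),
                   critical=False)
               .add_extension(x509.BasicConstraints(ca=False, path_length=None), critical=True))
    return builder.sign(key, hashes.SHA256()), key


def application_uri(cert):
    """Application URI from the SAN, or None if the certificate has none."""
    san = cert.extensions.get_extension_for_class(x509.SubjectAlternativeName).value
    uris = san.get_values_for_type(x509.UniformResourceIdentifier)
    return uris[0] if uris else None


def thumbprint(cert):
    """SHA-1 of the DER encoding: the identifier OPC UA trust lists use."""
    return hashlib.sha1(cert.public_bytes(serialization.Encoding.DER)).hexdigest().upper()


def validity_window(cert):
    # cryptography >= 42 provides tz-aware *_utc properties; fall back on older releases.
    if hasattr(cert, "not_valid_before_utc"):
        return cert.not_valid_before_utc, cert.not_valid_after_utc
    utc = datetime.timezone.utc
    return (cert.not_valid_before.replace(tzinfo=utc),
            cert.not_valid_after.replace(tzinfo=utc))


def check_for_plc(cert, expected_uri, plc_time_iso=None):
    """Problems the PLC would find. plc_time_iso is the PLC's clock (see the note
    about SNTP); the default is the current UTC time. An empty list means usable."""
    plc_time = (datetime.datetime.fromisoformat(plc_time_iso) if plc_time_iso
                else datetime.datetime.now(datetime.timezone.utc))
    not_before, not_after = validity_window(cert)
    problems = []
    if plc_time < not_before:
        problems.append("not yet valid: PLC clock is behind the certificate start")
    if plc_time > not_after:
        problems.append("expired according to the PLC clock")
    if application_uri(cert) != expected_uri:
        problems.append("application URI in SAN does not match the client's URI")
    return problems


if __name__ == "__main__":
    cert, key = make_client_certificate()
    # The DER certificate goes to the PLC trust list (step 2); the PEM key stays with
    # the client. For real use, protect the key (BestAvailableEncryption or an HSM).
    with open("client_cert.der", "wb") as f:
        f.write(cert.public_bytes(serialization.Encoding.DER))
    with open("client_key.pem", "wb") as f:
        f.write(key.private_bytes(serialization.Encoding.PEM,
                                  serialization.PrivateFormat.PKCS8,
                                  serialization.NoEncryption()))
    print("thumbprint", thumbprint(cert), "problems", check_for_plc(cert, APP_URI))
```

Running `check_for_plc` with a PLC clock still at its default (for example the year 2001) reproduces the failure the note warns about: the certificate is rejected as not yet valid even though nothing is wrong with it.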

Note

If you are using a self-signed certificate, you will see a warning message (depending on the OPC UA client).

If you are aware of the risks of self-signed certificates, this can be ignored.

AC500 V3 secure Protocols

Note

The certificate warnings will only go away when using a certificate from a trusted certification authority or a certificate derived from this by an intermediate certification authority (e.g. a company CA).

That process is done with the PLC shell command “cert-createcsr”, then retrieving the request file from the PLC via the file browser tab under “cert/export”, and having a certification authority turn that signing request into a real certificate.

Import the certificate generated by your certification authority using the security screen.
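What the certification authority does with the exported signing request, and how the issued certificate is checked against the CA, is shown by the following added example. It is not ABB's code: the "company CA" and the PLC's request are constructed stand-ins built in the script (a real PLC never exports its private key), and it assumes the Python `cryptography` package. The point a practitioner needs to watch is in `sign_request`: the subject alternative name from the request, which carries the server's application URI, must be copied into the issued certificate.

```python
"""Added example (not ABB's code): what the certification authority does with the
PLC's signing request from "cert-createcsr", and how the client checks the result.
Assumes the 'cryptography' package; the CA and the PLC's request are constructed
stand-ins, not data from a real PLC."""
import datetime

from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.x509.oid import NameOID

PLC_URI = "urn:ac500-demo:opcua-server"   # constructed application URI


def _name(cn):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])


def make_company_ca(days=3650):
    """Self-signed 'company CA' standing in for the real one (constructed)."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    now = datetime.datetime.now(datetime.timezone.utc)
    cert = (x509.CertificateBuilder()
            .subject_name(_name("Example Company CA")).issuer_name(_name("Example Company CA"))
            .public_key(key.public_key()).serial_number(x509.random_serial_number())
            .not_valid_before(now).not_valid_after(now + datetime.timedelta(days=days))
            .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
            .add_extension(x509.KeyUsage(digital_signature=True, content_commitment=False,
                                         key_encipherment=False, data_encipherment=False,
                                         key_agreement=False, key_cert_sign=True, crl_sign=True,
                                         encipher_only=False, decipher_only=False), critical=True)
            .sign(key, hashes.SHA256()))
    return cert, key


def make_plc_request(app_uri=PLC_URI, hostname="ac500-demo"):
    """Stand-in for the CSR the PLC exports under cert/export (key stays on the PLC)."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    return (x509.CertificateSigningRequestBuilder()
            .subject_name(_name("AC500 OPC UA server"))
            .add_extension(x509.SubjectAlternativeName(
                [x509.UniformResourceIdentifier(app_uri), x509.DNSName(hostname)]),
                critical=False)
            .sign(key, hashes.SHA256()))


def sign_request(csr, ca_cert, ca_key, days=730):
    """Issue the server certificate. The SAN from the request must be carried over:
    a CA profile that drops it yields a certificate whose application URI the
    OPC UA client cannot match against the server's ApplicationUri."""
    if not csr.is_signature_valid:
        raise ValueError("request signature invalid")
    san = csr.extensions.get_extension_for_class(x509.SubjectAlternativeName).value
    now = datetime.datetime.now(datetime.timezone.utc)
    return (x509.CertificateBuilder()
            .subject_name(csr.subject).issuer_name(ca_cert.subject)
            .public_key(csr.public_key()).serial_number(x509.random_serial_number())
            .not_valid_before(now).not_valid_after(now + datetime.timedelta(days=days))
            .add_extension(san, critical=False)
            .add_extension(x509.KeyUsage(digital_signature=True, content_commitment=True,
                                         key_encipherment=True, data_encipherment=True,
                                         key_agreement=False, key_cert_sign=False, crl_sign=False,
                                         encipher_only=False, decipher_only=False), critical=True)
            .add_extension(x509.BasicConstraints(ca=False, path_length=None), critical=True)
            .sign(ca_key, hashes.SHA256()))


def issued_by(cert, ca_cert):
    """True if the certificate's signature verifies under the CA's key (one-level chain),
    which is what lets the client trust the CA certificate instead of each server cert."""
    try:
        ca_cert.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                                    padding.PKCS1v15(), cert.signature_hash_algorithm)
    except InvalidSignature:
        return False
    return cert.issuer == ca_cert.subject


def server_uri(cert):
    """Application URI the issued certificate carries in its SAN."""
    san = cert.extensions.get_extension_for_class(x509.SubjectAlternativeName).value
    uris = san.get_values_for_type(x509.UniformResourceIdentifier)
    return uris[0] if uris else None


if __name__ == "__main__":
    ca_cert, ca_key = make_company_ca()
    server_cert = sign_request(make_plc_request(), ca_cert, ca_key)
    print("issued by company CA:", issued_by(server_cert, ca_cert),
          "application URI:", server_uri(server_cert))
```

The issued certificate is what gets imported on the PLC via the security screen; the client then needs only the CA certificate in its trust store, and the warnings disappear because the chain verifies.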