Configure OPC UA Certificates
Some OPC UA servers require certificate-based authentication to establish a secured communication channel between the client and the server.
Three different certificates are involved in setting up a secured OPC UA connection.
- Application Certificate
A client application (Xalt | Integration in this case) authenticates itself by providing an application certificate.
In case of Xalt | Integration, the application name is 'XaltIntegration'.
When the application is started for the first time, the application certificate is created automatically if it is not already present.
In a default installation, the certificates can be found in the following folder:
c:\ProgramData\Hexagon\EdgeFrontier\Engine\Temp\Plugins\OPCUA\pki\
The following client application certificate should be imported into the OPC UA server's trusted storage:
c:\ProgramData\Hexagon\EdgeFrontier\Engine\Temp\Plugins\OPCUA\pki\own\certs\XaltIntegration [ID].der
- Server Certificate
To ensure that an OPC UA client application is connecting to the correct OPC UA server, the client application checks the server's certificate.
This check happens during the establishment of a connection between the client and the server applications.
To pass the check, the OPC UA server certificate needs to be trusted by the client application.
For Xalt | Integration to trust the server certificate, you'll have to copy the server certificate to the following folder:
c:\ProgramData\Hexagon\EdgeFrontier\Engine\Temp\Plugins\OPCUA\pki\trusted\certs\
- User Certificate
OPC UA servers support authenticating users based on certificates.
The 'ConnectCertificateSession' action in the 'OPCUAClient' component can be used to set up the connection with certificate-based authentication.
When selecting a certificate file for the authentication, make sure it is in PFX format. PFX is a binary format that stores the certificate, any intermediate certificates and the private key in one encrypted file.
This file should also be imported to the OPC UA server's trusted storage.
You can create a user certificate using tools like openssl or, if you are a member of the OPC Foundation, you can use their UA Certificate Generator tool.
If a connection cannot be established due to certificate issues, refer to the log files for more information.
The log files for the OPCUA plugin can be found here (in a default installation):
c:\ProgramData\Hexagon\EdgeFrontier\Engine\LogFiles\Plugins\OPCUA\
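The PowerShell below is an added example, not part of the product or its documentation. It lists the certificates in the client's own and trusted folders with their validity, and checks a server certificate's thumbprint before copying it into the trusted folder. The function names are hypothetical, and the expected thumbprint is assumed to come from the server's administrator through a separate channel.

```powershell
# Added example; default-installation path taken from this page.
$PkiRoot = 'C:\ProgramData\Hexagon\EdgeFrontier\Engine\Temp\Plugins\OPCUA\pki'

function Get-CertificateInfo {
    param([Parameter(Mandatory)][string]$Path)
    # X509Certificate2 reads DER- or PEM-encoded certificate files.
    $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($Path)
    $now  = Get-Date
    [pscustomobject]@{
        File            = Split-Path $Path -Leaf
        Subject         = $cert.Subject
        Thumbprint      = $cert.Thumbprint   # SHA-1 over the DER encoding, hex
        NotAfter        = $cert.NotAfter
        OutsideValidity = ($now -lt $cert.NotBefore) -or ($now -gt $cert.NotAfter)
    }
}

# Lists what the client presents (own) and what it trusts (trusted).
function Get-OpcUaPkiInventory {
    foreach ($sub in 'own\certs', 'trusted\certs') {
        Get-ChildItem -LiteralPath (Join-Path $PkiRoot $sub) -File -ErrorAction SilentlyContinue |
            ForEach-Object {
                $file = $_.FullName
                try { Get-CertificateInfo -Path $file }
                catch { Write-Warning "Not a readable certificate: $file" }
            }
    }
}

# Copies a server certificate into trusted\certs only if it matches the
# thumbprint obtained out-of-band (assumption) and is within its validity period.
function Add-OpcUaTrustedServerCertificate {
    param(
        [Parameter(Mandatory)][string]$CertificatePath,
        [Parameter(Mandatory)][string]$ExpectedThumbprint,
        [string]$TrustedDir = (Join-Path $PkiRoot 'trusted\certs')
    )
    $full     = (Resolve-Path -LiteralPath $CertificatePath).Path
    $info     = Get-CertificateInfo -Path $full
    $expected = ($ExpectedThumbprint -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
    if ($info.Thumbprint -ne $expected) {
        throw "Thumbprint mismatch: file has $($info.Thumbprint), expected $expected. Not copied."
    }
    if ($info.OutsideValidity) { throw "'$($info.Subject)' is outside its validity period. Not copied." }
    Copy-Item -LiteralPath $full -Destination $TrustedDir
    $info
}

Get-OpcUaPkiInventory | Format-Table -AutoSize
```

An entry flagged `OutsideValidity` in either folder is a likely cause of a rejected connection and is worth checking alongside the plugin log files.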