[IGN-14345] Downloading OPC-UA server certificate in v8.3

Just installed the official release of Ignition v8.3 and I’m trying to set up an OPC UA connection with another SCADA software. Is there a way to download the OPC-UA server certificate from the gateway page?

In the older version of Ignition (ex. v.8.1.38), there is a ‘Download’ button to download the server certificate (Ignition OPC UA Server). But in v8.3, there is no visible download button.

v8.1.38

v8.3

Anything in the meatball menu on the far right?

Three dots didn’t do anything for me. And the gear icon only shows column visibility options.

You can now use your server's OpenAPI to download the certificate. Specifically, this one.

1 Like

Change your browser

1 Like

While I will get a bug in for not being able to do it from the Certificates tab, Ignition does have to trust its own certificates. You are able to download the needed certificates from the Client and Server tabs.

Garth

@ggross How do we regenerate an expired OPC-UA certificate in 8.3?

Hmm, I think it's supposed to be in the "meatball" menus mentioned above, but they don't seem to do anything for me.

You can always delete the keystore file on disk and then restart.

  • $IGNITION/data/config/resources/local/com.inductiveautomation.opcua/client-keystore
  • $IGNITION/data/config/resources/local/com.inductiveautomation.opcua/server-keystore

Thanks Kevin. We tried that but they still came back as expired Feb 2025.

I tested deleting the keystores and new certs get correctly regenerated for me on restart.

Can you confirm you deleted the keystores at $IGNITION/data/config/resources/local/com.inductiveautomation.opcua and not the certificate directories located in $IGNITION/data/config/local/com.inductiveautomation.opcua? This would just delete all previously trusted or rejected certificates and then on restart the Ignition OPC-UA client and server certs will be automatically trusted again.

2 Likes

Thanks very much. We weren’t deleting the resources.json file, only the keystore certificate. Deleting both works now :).

1 Like
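The keystore reset from the posts above, as an added example that is not part of the thread or of Inductive Automation's own tooling: it moves the two keystore paths aside whole (so any resource file stored beside the keystore goes with them) into an owner-only backup instead of deleting them, and leaves the trusted/rejected certificate directories under data/config/local untouched. The function name and the backup location are assumptions; restart the gateway afterwards as described in the thread.

```shell
#!/bin/sh
# Added example, not code from the thread.
# Usage: reset_opcua_keystores "$IGNITION" "/path/to/new/backup-dir"

# The two keystore resources named in the thread, relative to $IGNITION.
KEYSTORE_PARENT="data/config/resources/local/com.inductiveautomation.opcua"
KEYSTORE_NAMES="client-keystore server-keystore"

# Returns 0 when at least one keystore resource was moved,
# 1 when none was found, 2 on a usage or filesystem error.
reset_opcua_keystores() {
    ign_dir=$1
    backup_dir=$2
    if [ -z "$ign_dir" ] || [ -z "$backup_dir" ]; then
        echo "usage: reset_opcua_keystores IGNITION_DIR BACKUP_DIR" >&2
        return 2
    fi
    # A fresh backup path avoids mixing old and new key material.
    if [ -e "$backup_dir" ]; then
        echo "refusing to reuse existing backup path: $backup_dir" >&2
        return 2
    fi
    src_parent="$ign_dir/$KEYSTORE_PARENT"
    found=0
    for name in $KEYSTORE_NAMES; do
        if [ -e "$src_parent/$name" ]; then found=$((found + 1)); fi
    done
    if [ "$found" -eq 0 ]; then
        echo "no keystore resources under $src_parent" >&2
        return 1
    fi
    # The backup holds private keys: create it readable by the owner only.
    ( umask 077 && mkdir -p "$backup_dir" ) || return 2
    for name in $KEYSTORE_NAMES; do
        if [ -e "$src_parent/$name" ]; then
            # Move the whole path, whether it is a file or a directory.
            mv "$src_parent/$name" "$backup_dir/$name" || return 2
            echo "moved $name to $backup_dir"
        fi
    done
    return 0
}
```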

A little more effort if you haven’t already set up an API Key, but there are also endpoints for certificate management that you could use, including one for regenerating certificates. The plus side is this wouldn’t require a gateway restart to take effect and might be useful even after the bug in the UI is fixed.

OpenApi Route: hostname:8088/openapi#tag/certificate-management

OpenAPI docs page

1 Like

As the fix for this won't be part of 8.3.1, running the following from the browser console when logged into the Gateway will perform the noted action. The change will take effect immediately without having to restart the Gateway.

Regenerate the Ignition OPC UA Server Certificate:

var csrf;

// Read the CSRF token of the logged-in Gateway session.
await fetch('/data/app/session', {
    method: 'get',
    headers: {'Accept': 'application/json', 'Content-Type': 'application/json'},
}).then(response => response.json()).then(data => {csrf = data['csrfToken'];});

// Request a new server certificate valid for 1095 days and log the response.
await fetch('/data/opc-ua/api/v1/server/certificate/regenerate', {
    method: 'post',
    body: JSON.stringify({validPeriodDays: 1095}),
    headers: {'Content-Type': 'application/json', 'X-CSRF-Token': csrf}
}).then(response => response.json()).then(console.log);

Regenerate the OPC UA Client Certificate:

var csrf;

// Read the CSRF token of the logged-in Gateway session.
await fetch('/data/app/session', {
    method: 'get',
    headers: {'Accept': 'application/json', 'Content-Type': 'application/json'},
}).then(response => response.json()).then(data => {csrf = data['csrfToken'];});

// Request a new client certificate valid for 1095 days and log the response.
await fetch('/data/opc-ua/api/v1/client/certificate/regenerate', {
    method: 'post',
    body: JSON.stringify({validPeriodDays: 1095}),
    headers: {'Content-Type': 'application/json', 'X-CSRF-Token': csrf}
}).then(response => response.json()).then(console.log);

3 Likes