We’re having an issue with connecting our Ignition OPCUA client to a WAGO PFC200 FW29 unit. The PLC has self-signed OPCUA/security certs, and they are valid.
Initially it was discovered that the OPCUA Client certificate was expired, but a new client certificate was created.
We can connect to the WAGO OPCUA server without encryption.
We can also connect with encryption via UAExpert.
The error we’re getting is from the Ignition OPCUA logs:
Exception caught: UaException: status=Bad_CertificateUseNotAllowed, message=required KeyUsage 'keyCertSign' not found
A few observations:
When moving the new client certificate from “Quarantined” to “Trusted” in the OPCUA server, the old, expired Ignition client certificate is still popping up in quarantine even after rebooting the PLC/OPCUA server. However, this expired cert is still being used by other OPC servers, so it can’t be deleted.
Can anyone provide any insight as to what I’m missing here?
My guesses currently:
Gateway needs reboot.
OPCUA module needs reboot.
There can only be one client certificate, and without a reboot the module is pushing both certs to the server but prioritizing the old cert. I suspect we’ll have to manually trust the new certificate after reboot for all of the other OPC servers.
Or something is funky with Ignition and this flavor of WAGO PFC200.
The OPC UA specification dictates how certificates have to be constructed, and a certain range of Ignition versions strictly enforces the specification. Various newer versions of Ignition include some leniency for broken OPC servers, like your Wago device.
You should set up a test Ignition server with the latest v8.1.x and see if you get the same error.
I'd be looking to see if there are any firmware updates for the WAGO or if you have any control or ability to generate your own certificate. It sounds like the certificate they are generating is not a completely valid OPC UA application instance certificate.
There can only be one client certificate, and without a reboot the module is pushing both certs to the server but prioritizing the old cert. I suspect we’ll have to manually trust the new certificate after reboot for all of the other OPC servers.
Yes, there can only be one certificate for Ignition's OPC UA client. I'm not sure how the Ignition client would be using two different certs to connect to the server. How did you create the new certificate? After regenerating the certificate via the Ignition gateway page, it should use only the new certificate. If two client certificates are appearing on the WAGO OPC UA server, maybe there is another client connecting that you weren't aware of? That being said, 8.1.34 is well before my time at IA, so there may be some behavior I'm not aware of.
Just saw that Kevin responded before I finished typing this. His response focuses more on the OPC UA server's certificate. Which certificate expired, and which one did you try to replace? The certificate that the Ignition OPC UA client uses when connecting to a server, the certificate the WAGO OPC UA server presents to the Ignition client, or something else?
Screenshots may help illustrate what you are seeing.
Maybe it's just a weird red herring, I'm not familiar enough to say. But, I would only expect different URLs for different clients. You are grabbing both of these certificates from the WAGO OPC UA server, right? Have you tried comparing them with the certificate on the gateway: