Ignition opc ua server certificate

Hi all,
In version 7, under OPC-UA/Certificates, it was possible to regenerate and download the Ignition OPC UA server certificate.
In version 8 I cannot find how to do it: under OPC UA/Security there is only delete and download. I tried to delete the certificate and restart the OPC UA module, but the certificate remained the same.

How can I regenerate the OPC UA server certificate?

Thank you

You can delete the KeyStore file at $IGNITION/data/opcua/server/security/certificates.pfx and restart the server. The same would apply for the client certificate (at ../opcua/client/..).

We do intend to build a new cert management UI, but it hasn’t been prioritized.
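The keystore-deletion procedure from the reply above, as an added example that is not part of the original thread and not Inductive Automation's own tooling. It moves the keystore aside under a timestamped name before restarting, so the old certificate can be put back if OPC UA clients that had trusted the previous server certificate by thumbprint stop connecting. It assumes that `IGNITION` points at the install directory, that the server and client keystores live at `$IGNITION/data/opcua/{server,client}/security/certificates.pfx` (the client path is inferred from the "../opcua/client/.." hint in the reply), and that `$IGNITION/ignition.sh restart` restarts the gateway; the keystore password passed to `show_validity` is likewise an assumption.

```shell
#!/bin/sh
# Added example, not from the forum thread or the Ignition project.
# Assumptions (not confirmed by the thread): IGNITION is the install directory,
# keystores sit at $IGNITION/data/opcua/<role>/security/certificates.pfx, and
# "$IGNITION/ignition.sh restart" restarts the gateway. Override RESTART_CMD
# if your service is managed differently (e.g. systemd).

IGNITION="${IGNITION:-/usr/local/bin/ignition}"
RESTART_CMD="${RESTART_CMD:-$IGNITION/ignition.sh restart}"

keystore_path() {
    # $1 is the role: "server" (Ignition's OPC UA server) or "client"
    # (the internal loopback client). Prints the keystore path.
    case "$1" in
        server|client)
            printf '%s/data/opcua/%s/security/certificates.pfx\n' "$IGNITION" "$1" ;;
        *)
            echo "keystore_path: role must be server or client" >&2; return 1 ;;
    esac
}

backup_keystore() {
    # Move the keystore aside with a timestamp suffix and print the backup path.
    # Fails if there is nothing to back up, so a typo in the path is caught
    # before the gateway is restarted for no reason.
    ks="$1"
    [ -f "$ks" ] || { echo "no keystore at $ks" >&2; return 1; }
    bak="$ks.$(date +%Y%m%d%H%M%S).bak"
    mv "$ks" "$bak" && echo "$bak"
}

rotate_keystore() {
    # Back up and remove the keystore for the given role, then restart the
    # gateway so the OPC UA module generates a fresh self-signed certificate
    # (three years' validity, per the reply in this thread).
    role="$1"
    ks=$(keystore_path "$role") || return 1
    bak=$(backup_keystore "$ks") || return 1
    echo "backed up $ks -> $bak" >&2
    $RESTART_CMD
}

show_validity() {
    # Print the notBefore/notAfter dates of the certificate inside a .pfx so
    # the renewal date can be put on a calendar. $1 is the keystore path, $2
    # the keystore password (assumed; not stated in the thread).
    openssl pkcs12 -in "$1" -nokeys -passin "pass:$2" 2>/dev/null \
        | openssl x509 -noout -dates
}
```

Usage: `rotate_keystore server` for the server certificate, `rotate_keystore client` for the internal client's. To roll back, move the `.bak` file back to `certificates.pfx` and restart again. Note that this rotates only Ignition's own key pair; the Delete button in the gateway UI, as the thread points out, removes entries from the trusted-certificates list instead, and any third-party client that trusted the old server certificate will have to trust the new one.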

I thought the Delete button would do the same thing… Now it works.
Thank you.

The delete button you were using was deleting a certificate from the client or server list of trusted certificates.

I see the solution provided, but my question was also: how long will the certificate be valid when the system creates a new one?

Newly generated certificates are valid for 3 years. There is no way to change this right now, but it’s technically possible (though difficult) to generate your own self-signed or CA-signed server certificate and use that instead.

When we get the certificate management UI built that allows for regenerating the certificates in the gateway, rather than by deleting the keystore file, we should be able to allow for a few configuration options as well.

So all right, the certificates are valid for three years… Okay.
But what will happen with the system (internally) if the certificates are outdated? Does anything stop working?
Do the internal OPC client/server use these certificates, since they are in the trusted certificates area?

Like any other X509 certificate, whether it’s an SSL certificate for a web server or the certificate for the OPC UA client and server, they will need to be periodically re-generated or re-signed.

This will be easier once we have a UI built for it and it will also allow you to set a much longer validity period if you want to avoid dealing with this.

In the future the centralized management of the various certificates used by Ignition (SSL, GAN, OPC UA) might be something the EAM module handles.

Edit: if you modify the internal “loopback” client/server connection to use no security and anonymous access, the certificates will not be used and their eventual expiration will not matter. Enabling unsecured connections and anonymous access may or may not be a good idea depending on whether the server is configured to bind only to the loopback adapter (the default configuration in 8.0) or if it’s on a network where other clients might connect.

Hi, can you estimate when, or in which version, the function to set the validity of the certificate will be available?
I am currently using version 8.1.4, and my client requests an increase in the validity of the certificate.

Besides that, I tested and found there is no requirement for a 3rd-party OPC UA client certificate to be imported into the Ignition OPC UA server.
In the future, will this security function be implemented, which only allows OPC UA clients that have their certificate in the OPC UA server's list to connect?

This was implemented recently and will be available when 8.1.7 is released.

All versions since 8.0 have required that a client certificate be trusted unless you have enabled the "None" SecurityPolicy and the client is using that when connecting.

Thanks for the reply.
8.1.7 is released and marked as stable, will try that out.

Yes, the client needs to trust the certificate to enable the connection.
But what I mean is: besides the client needing to trust the certificate, is the client certificate required to be imported into the OPC UA server?
As for the current Ignition, no client certificate is needed.

The 8.1.7 out now was an “emergency” release that included only one serious regression fix. The change I mentioned will now be in 8.1.8.

I’m afraid I don’t understand what you’re talking about re: certificates, so maybe you can explain it in more detail.

Well noted on version 8.1.8.

For example, I am using the UaExpert OPC UA client to connect to the Ignition OPC UA server.
First I need to use UaExpert to generate the UaExpert OPC UA client certificate, then upload it to the Ignition server's security trusted certificates. The Ignition OPC UA server only allows clients in the server security trusted certificate list to connect.
This means other OPC UA clients, even with the login user and password, are unable to connect.
Is this possible?

Yes, it currently works like that, except you can also find the client certificate once it has attempted to connect in the “quarantine” area and just mark it trusted instead of having to export the certificate from the client software and import it into Ignition.

If you’re looking to disable the requirement that client certificates are trusted then no, that’s not possible, aside from allowing unsecured connections altogether by adding the “None” SecurityPolicy to Ignition’s OPC UA server config.