OPC-UA Certificates, where Ignition acts as an OPC-UA Client

Hi,

we want to connect to OPC-UA Servers with a CA signed certificate and have the following challenges:

  1. There is no UI interface to upload this kind of certificate (Ignition 8.3.4). There is an interface on the Server and Client tab, but it seems that they are mainly for the Ignition OPC-UA Server or the certificates which we get from OPC-UA Clients. Is this correct?

  2. The OPC-UA module crashes when we import the certificate chain (p7b) and the .crt file to the keystore. Is there a specific format required?

Thank you for your help!

By this, you mean that the Servers are all using CA-signed certificates, and you want to configure that CA-signed certificate as trusted in Ignition so that all Client connections to those Servers are automatically trusted on the Ignition side?

Or do you mean something else?

Yes,

  • we connect via Ignition to other OPC-UA servers
  • The other OPC-UA servers have CA-signed certificates
  • We also have the CA-signed certificates and want to configure Ignition, so the OPC-UA Client auto-trusts our connection

All that should really be needed is to import the CA certificate on the Client tab of the OPC UA Security page:

It expects DER-encoded certificates.

The DER certificate is accepted by Ignition. Are there any ways to debug the connection?
We still get the following error:

UaException: status=Bad_SecurityChecksFailed, message=Could not verify security on OpenSecureChannel request.

And the connection toggles between connected and Faulted and eventually keeps Faulted.

Can you upload your full log files? First step is to figure out which side is rejecting the connection.

There isn’t much in the logs. I guess this is the relevant part:

2026-03-27 20:32:08:075 milo-netty-event-loop-8
Sent OpenSecureChannelRequest (Issue, id=0, currentToken=-1, previousToken=-1).

2026-03-27 20:32:08:076 milo-netty-event-loop-8
OpenSecureChannel timeout canceled

2026-03-27 20:32:08:076 milo-netty-event-loop-8
Received OpenSecureChannelResponse.

2026-03-27 20:32:08:076 milo-netty-event-loop-8
SecureChannel id=7311, currentTokenId=1, previousTokenId=-1, lifetime=3600000ms, createdAt=DateTime{date=Fri Mar 27 19:32:08 UTC 2026, instant=2026-03-27T19:32:08.045487100Z}

2026-03-27 20:32:08:076 milo-netty-event-loop-8
0 message(s) queued before handshake completed; sending now.

2026-03-27 20:32:08:082 milo-netty-event-loop-9
OpenSecureChannel timeout scheduled for +60000ms

2026-03-27 20:32:08:083 milo-netty-event-loop-9
Sent OpenSecureChannelRequest (Issue, id=0, currentToken=-1, previousToken=-1).

2026-03-27 20:32:08:087 milo-netty-event-loop-9
[remote=/xxx] errorMessage=ErrorMessage{error=StatusCode[name=Bad_SecurityChecksFailed, value=0x80130000, quality=bad], reason=Could not verify security on OpenSecureChannel request.}

2026-03-27 20:32:09:090 milo-netty-event-loop-10
OpenSecureChannel timeout scheduled for +60000ms

2026-03-27 20:32:09:092 milo-netty-event-loop-10
Sent OpenSecureChannelRequest (Issue, id=0, currentToken=-1, previousToken=-1).

2026-03-27 20:32:09:096 milo-netty-event-loop-10
[remote=/xxx] errorMessage=ErrorMessage{error=StatusCode[name=Bad_SecurityChecksFailed, value=0x80130000, quality=bad], reason=Could not verify security on OpenSecureChannel request.}).

These are telling you that the remote server doesn't trust Ignition's client certificate.

Yes, we wanted to exchange the current Ignition client certificate with a CA signed certificate which Ignition can use to connect to other servers. But based on OPC UA Security Settings | Ignition User Manual it looks like you can only regenerate the Ignition certificate but not sign it with a CA and redeploy the CA signed certificate.

It is technically possible if you are capable of generating a valid CA-signed OPC UA client certificate and private key outside of Ignition, and then importing it into the keystore file under a separate alias. There is an advanced setting on OPC UA connections that allows you to specify the alias and password that are used to retrieve the client certificate and private key from the keystore.

I recommend using KeyStore Explorer to poke around with these files, though I'd imagine it's possible to get things imported with keytool or openssl since keystores / PFX files are a standard format.

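The procedure sketched in the reply above (generate a CA-signed client certificate and key outside Ignition, then bring it into the keystore under a separate alias), together with the earlier note that the Client tab wants the trusted CA in DER form, worked through with openssl and keytool. This is an added example, not code from the thread or from Inductive Automation: the working directory, alias, application URI, host name, password and keystore path are all placeholders, and the self-signed "test CA" stands in for whatever real CA signs the CSR in practice. The extension profile (key usage, extended key usage, URI and DNS subject alternative names) is the one OPC UA stacks check on an application instance certificate; a client certificate that lacks the URI SAN or the client-auth EKU is a common reason a server answers with Bad_SecurityChecksFailed.

```shell
#!/bin/sh
# Added example (not from the forum thread or Ignition itself): build a CA-signed
# OPC UA client certificate outside Ignition and pack it, with its private key,
# into a PKCS#12 file that can be merged into the gateway keystore under its own
# alias. Every name below is an assumed placeholder.
set -eu

WORK="${WORK:-./opcua-client-cert}"   # assumed scratch directory
ALIAS="ignition-ca-client"            # assumed keystore alias (the "Keystore Alias" setting)
APP_URI="urn:ignition:opcua:client"   # assumed; must equal the client's Application URI
HOSTNAME="ignition.example.internal"  # assumed gateway host name
PASS="changeit"                       # placeholder only; use a real secret

# Extension profile an OPC UA application instance certificate is expected to carry.
write_ext_file() {
  cat > "$WORK/client.ext" <<EOF
basicConstraints=CA:FALSE
keyUsage=critical,digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
extendedKeyUsage=clientAuth,serverAuth
subjectAltName=URI:$APP_URI,DNS:$HOSTNAME
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer
EOF
}

# Throwaway CA, constructed for the example. With a real CA only ca.crt is needed
# here and the CSR is handed to that CA instead of being signed locally.
make_test_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 -sha256 \
    -subj "/CN=Example OPC UA CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
}

# Client key + CSR, signed by the CA with the profile above, bundled as PKCS#12.
# Also emits the CA certificate as DER, the form the Client tab accepts.
make_client_cert() {
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -subj "/CN=Ignition OPC UA Client/O=Example" \
    -keyout "$WORK/client.key" -out "$WORK/client.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/client.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 365 -sha256 -extfile "$WORK/client.ext" \
    -out "$WORK/client.crt" 2>/dev/null
  openssl pkcs12 -export -name "$ALIAS" -inkey "$WORK/client.key" -in "$WORK/client.crt" \
    -certfile "$WORK/ca.crt" -passout "pass:$PASS" -out "$WORK/client.p12"
  openssl x509 -in "$WORK/ca.crt" -outform DER -out "$WORK/ca.der"
}

# Pre-flight check before touching the gateway: chain validates against the CA and
# the certificate has the URI SAN, digital-signature usage and client-auth EKU.
verify_client_cert() {
  openssl verify -CAfile "$WORK/ca.crt" "$WORK/client.crt" >/dev/null 2>&1 || return 1
  text=$(openssl x509 -in "$WORK/client.crt" -noout -text)
  printf '%s' "$text" | grep -q "URI:$APP_URI" || return 1
  printf '%s' "$text" | grep -q "Digital Signature" || return 1
  printf '%s' "$text" | grep -q "TLS Web Client Authentication" || return 1
  return 0
}

# Merge the PKCS#12 into an existing keystore under the separate alias. The keystore
# path and its password are arguments (assumed); back the file up and stop the
# gateway before running this against the real one.
import_into_keystore() {
  keystore="$1"
  storepass="$2"
  keytool -importkeystore -srckeystore "$WORK/client.p12" -srcstoretype PKCS12 \
    -srcstorepass "$PASS" -srcalias "$ALIAS" \
    -destkeystore "$keystore" -deststoretype PKCS12 -deststorepass "$storepass" \
    -destalias "$ALIAS"
}

# Generate, sign, bundle and verify in one go (no keystore import).
build_all() {
  mkdir -p "$WORK"
  write_ext_file
  make_test_ca
  make_client_cert
  verify_client_cert
}
```

Run `build_all`, then `import_into_keystore /path/to/gateway/keystore <storepass>` and point the OPC UA connection's advanced "Keystore Alias" setting at `ignition-ca-client`; `ca.der` is what goes on the Client tab of the OPC UA Security page. If `verify_client_cert` fails, fix the certificate before importing anything.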

Ah, there is this setting “Keystore Alias”. Thank you, I will check if we can make it with it :+1: