OPC UA Server certificate from CA

Is the OPC UA module's server able to use CA generated certificates or only server self-signed certificate via the Config -> Opcua -> Security -> Certificates tab -> Server Certificate -> Regenerate button?

I am curious whether I can ask our IT team to generate a certificate for the OPC UA service for internal authenticated use.

The keystore used by the OPC-UA Server is located at:

data/opcua/server/security/certificates.pfx

You should be able to package up your own certificate/private key in a PKCS12 keystore at this same location. The keystore password is "password".

I'm not sure of the specifics (@Kevin.Herron might have more insights) of the cert, but you might need to make sure to include a valid URI for Ignition in the certificate SAN, something similar to this from the generated cert:

I think that without this, you might experience a Bad_CertificateUriInvalid UA exception when trying to connect since the certificate won't match the underlying server.

If you open the keystore in something like KeyStore Explorer you can generate a CSR based on the existing self-signed certificate that might make it easier...

OPC UA certificates require a number of extensions, including the application URI with a UUID matching the one in the data/opcua/.uuid file, and if your CA doesn't understand that it's generating an OPC UA certificate it may not get it right.

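One way to produce such a keystore from a CA-signed certificate, as an added example (not from the thread and not Ignition's own tooling): it assumes openssl on PATH, a scratch directory, a throwaway stand-in CA where the IT team's CA would sit, and a placeholder application-URI prefix that has to be replaced by the prefix seen in the generated certificate's SAN.

```shell
#!/bin/sh
# Added example, not from the thread or from Ignition: build a CSR that already carries
# the OPC UA application-instance extensions, sign it, and package the result as the
# certificates.pfx keystore the module reads. The "urn:example:opcua:" URI prefix and the
# stand-in CA are placeholders: copy the real application URI from the SAN of the
# module's generated certificate, and hand the CSR to the IT CA with this profile.
set -eu

# make_opcua_pfx WORKDIR HOSTNAME UUID -> writes WORKDIR/certificates.pfx, prints the SAN
make_opcua_pfx() {
  work=$1; host=$2; uuid=$3
  app_uri="urn:example:opcua:$uuid"   # placeholder prefix, UUID from data/opcua/.uuid

  cat > "$work/opcua.cnf" <<EOF
[req]
distinguished_name = dn
req_extensions = opcua_ext
prompt = no
[dn]
CN = $host
[opcua_ext]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectKeyIdentifier = hash
subjectAltName = URI:$app_uri, DNS:$host
[ca_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
EOF

  # Server key and CSR: the CSR is what goes to the CA, extensions included.
  openssl req -new -newkey rsa:2048 -nodes -config "$work/opcua.cnf" \
    -keyout "$work/server.key" -out "$work/server.csr" 2>/dev/null
  # Stand-in CA, then sign with the OPC UA profile applied (a CA that drops it
  # produces a certificate the server will not match, see Bad_CertificateUriInvalid).
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=Stand-in CA" \
    -config "$work/opcua.cnf" -extensions ca_ext \
    -keyout "$work/ca.key" -out "$work/ca.crt" 2>/dev/null
  openssl x509 -req -in "$work/server.csr" -CA "$work/ca.crt" -CAkey "$work/ca.key" \
    -CAcreateserial -days 365 -extfile "$work/opcua.cnf" -extensions opcua_ext \
    -out "$work/server.crt" 2>/dev/null
  # PKCS12 keystore with the password the module expects ("password", per the thread).
  openssl pkcs12 -export -inkey "$work/server.key" -in "$work/server.crt" \
    -certfile "$work/ca.crt" -passout pass:password -out "$work/certificates.pfx"
  # Print the SAN so the caller can confirm the application URI made it in.
  openssl x509 -in "$work/server.crt" -noout -text \
    | grep -A1 'Subject Alternative Name' | tail -n 1
}
```

Copy the resulting certificates.pfx over data/opcua/server/security/certificates.pfx after stopping the module, and keep the server.key file out of any shared location.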

This information is incredibly helpful.

I get the impression the OPC UA certificate requirements are requirements of the OPC UA protocol, not specific requirements of Ignition.

OPC UA usage is fairly new to our business and we don't have anyone with experience with the protocol, do you have any resources you could direct me to that could help our IT cert team know how to generate compliant certificates?

Some good info here:

By Q1 next year we should have support for what in the OPC UA world is called a "Global Discovery Server". (as in, you can manage the Ignition OPC UA certs using a GDS, not that we will act as one).

The intention with a GDS in the OPC UA world is that it also plays the role of managing certificates for your OPC UA client and server applications across an enterprise, as it has both push and pull based services for distributing and renewing OPC UA application certificates.

GDS products are just recently starting to come to market, though.


By Q1 next year we should have support for what in the OPC UA world is called a "Global Discovery Server".

Do you know if it will be available for Ignition 8.3 or for the 8.1 branch too?

Should be 8.1, along with the OPC UA 1.05 support.

Support for subscribing to Events (and Alarms/Conditions, which are just a subtype of Event) will be Ignition 8.3 because it's going to use some infrastructure we're building there.


This is no longer certain... OPC UA 1.05 and everything that depends on it may end up in 8.3 instead.