For the OPC UA Server to trust the CIMPLICITY OPC UA client, the client Instance certificate must be in a Trusted folder on the OPC UA server. The certificate can be transferred from the OPC UA Client to the server by either of two methods.
Automatic Transfer
During an attempt to connect the client to the server, the client sends its Instance certificate directly to the server.
The server's administrator can then decide to trust or reject it. Because any client can present a certificate, the administrator should confirm the certificate thumbprint with the CIMPLICITY administrator before trusting it.
Export to a *.cer/*.der File
If the OPC UA Server system administrator requests a certificate file, do the following.
Procedure
Right-click the Instance certificate in the Windows Certificate Store>UA Applications>Certificates pane.
The Certificate Export Wizard opens.
Select the following as you go through the Wizard:
Screen        Select
Private Key   No, do not export the private key. (The server only needs the public certificate; the private key must never leave the CIMPLICITY machine.)
File Format   DER encoded binary X.509 (.CER)
File name     Name assigned to the .cer file.
Notes
The name does not have to match the Instance certificate name; however, it should make clear which certificate the file contains.
Click the Browse button on the screen to open a Windows file browser and select the location and enter the name to be applied.
The new file will be available in the specified location after you exit the Certificate Export Wizard.
Find the *.cer file that was just created.
(In many instances) rename the file extension from *.cer to *.der.
Note: Many OPC UA Servers only recognize the .der extension. Renaming is safe: a file exported as "DER encoded binary X.509" already contains DER bytes, so the extension is the only thing that changes.
Result: The file is ready to send to the UA Server Administrator. Send the certificate thumbprint by a separate channel (for example by reading it out over the phone) so the administrator can verify the file before placing it in the trusted folder.
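The same export done from the command line, as an added example that is not part of the CIMPLICITY documentation. It exports the client Instance certificate from the Windows certificate store as DER, names the file by thumbprint so it can be dropped straight into a server's trusted folder, and prints the thumbprint for out-of-band verification. The store location (LocalMachine), the store name "UA Applications" and the subject match "CIMPLICITY" are assumptions; adjust the parameters to your installation.

```powershell
# Added example, not CIMPLICITY's own code. Exports the client Instance
# certificate (public part only) as DER, named <Thumbprint>.der.
# Assumptions: the certificate is in the LocalMachine "UA Applications"
# store and its Subject contains "CIMPLICITY". Override with the parameters.
param(
    [string]$StoreLocation = 'LocalMachine',
    [string]$StoreName     = 'UA Applications',
    [string]$SubjectMatch  = 'CIMPLICITY',
    [string]$OutDir        = (Join-Path $env:TEMP 'uaclient-cert')
)

$storePath = "Cert:\$StoreLocation\$StoreName"
$cert = Get-ChildItem -Path $storePath |
        Where-Object { $_.Subject -like "*$SubjectMatch*" } |
        Select-Object -First 1
if (-not $cert) { throw "No certificate with '$SubjectMatch' in its Subject found in $storePath" }

New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
$outFile = Join-Path $OutDir ('{0}.der' -f $cert.Thumbprint)

# -Type CERT writes DER-encoded X.509, the same bytes the Export Wizard writes
# as "DER encoded binary X.509 (.CER)". Only the certificate is written; the
# private key is never exported by this cmdlet.
Export-Certificate -Cert $cert -FilePath $outFile -Type CERT | Out-Null

# Cross-check 1: the file holds exactly the certificate's DER encoding.
$exported = [IO.File]::ReadAllBytes($outFile)
$expected = $cert.Export([Security.Cryptography.X509Certificates.X509ContentType]::Cert)
if ([Convert]::ToBase64String($exported) -ne [Convert]::ToBase64String($expected)) {
    throw "Exported file does not match the certificate in the store"
}

# Cross-check 2: the Windows thumbprint is the SHA-1 of the DER bytes, so the
# server administrator can recompute it from the file they receive.
$sha1  = [Security.Cryptography.SHA1]::Create()
$thumb = -join ($sha1.ComputeHash($exported) | ForEach-Object { $_.ToString('X2') })
if ($thumb -ne $cert.Thumbprint) { throw "Thumbprint mismatch" }

"Exported : $outFile"
"Subject  : $($cert.Subject)"
"Valid to : $($cert.NotAfter)"
"SHA-1 thumbprint (give this to the server administrator by a separate channel): $thumb"
```

The server administrator can confirm the file on their side with `Get-FileHash -Algorithm SHA1 <file>` and compare the hash to the thumbprint you passed on; the two cross-checks in the script are what make that comparison meaningful.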
UA Server Instance Certificate
Important:
The default PKI root folder location is C:\ProgramData\CIMPLICITY.., which is a hidden folder.
Set Windows Explorer to display hidden folders.
The CIMPLICITY OPC UA Client trusts the OPC UA Server once it has been configured to trust the Server Instance certificate directly, by storing that certificate in the location designated for trusted certificates.
Note: If the server certificate is not self-signed, it is enough to store the issuer's certificate in the trusted location; storing the server certificate itself there is also possible.
A server certificate counts as already trusted if both of the following hold:
The certificate itself, or one of its issuers' certificates, is in the trusted certificates folder.
Any other issuer certificates from the chain are in the issuers certificates folder.
Note: Chain handling does not apply to self-signed certificates; a self-signed certificate must itself be in the trusted certificates folder.
When a user:
Selects a secured communication mode in Device dialog box>OPC UA DA Configuration>Connection tab>Communication Security section, and
Clicks the Test Connection button in the OPC UA Client Device dialog box,
the first connection attempt fails, because the CIMPLICITY OPC UA Client is not yet configured to trust the UA Server's certificate and the client side rejects it.
The rejected OPC UA Server certificate is saved as a file (*[Thumbprint].der, where [Thumbprint] is the certificate thumbprint) in the following folder.
Check that the thumbprint in the file name matches the one the UA Server administrator gave you, then move the file to the trusted certificates folder (trusted>certs). The CIMPLICITY OPC UA Client will then trust the associated OPC UA server and the connection test can be repeated.
Note: A UA Server certificate can be issued by a certificate authority, which in turn can be issued by a higher-level certificate authority.
As a result the server may present a chain of certificates.
If this is the case, the system administrator will need to determine which certificate should be placed in the trusted>certs folder (the anchor: the server certificate itself or one of its issuers) and which of the remaining chain certificates should be placed in the issuers>certs folder.
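The sorting described in the two passages above (moving the rejected *[Thumbprint].der file into the trusted folder, and deciding which certificate of a chain goes to trusted>certs and which to issuers>certs), as an added example that is not part of the CIMPLICITY documentation. The script rebuilds the server's chain from the files you have, picks the trust anchor, and writes each certificate as <Thumbprint>.der into trusted\certs or issuers\certs under the PKI root. The PKI root path, the script name and the parameter names are assumptions; the two folder names are the ones this page uses.

```powershell
# Added example, not CIMPLICITY's own code (hypothetical name: Place-UaServerCert.ps1).
# Input: the UA Server certificate (for example the rejected <Thumbprint>.der
# file, or the file the server administrator sent) plus any CA certificates
# from its chain. Output: files named <Thumbprint>.der in trusted\certs and
# issuers\certs below -PkiRoot, placed as this page describes.
# Assumptions: -PkiRoot is the CIMPLICITY PKI root folder; the subfolders are
# trusted\certs and issuers\certs.
param(
    [Parameter(Mandatory)] [string]$ServerCertFile,
    [string[]]$IssuerFiles = @(),                          # CA certificates of the chain, if any
    [Parameter(Mandatory)] [string]$PkiRoot,
    [ValidateSet('Root', 'Leaf')] [string]$Anchor = 'Root',  # Root: trust the top CA; Leaf: trust the server cert itself
    [switch]$WhatIf
)

function Read-Cert([string]$Path) {
    # Loads *.der and *.cer alike: both contain the same DER bytes.
    New-Object Security.Cryptography.X509Certificates.X509Certificate2 ((Resolve-Path $Path).Path)
}

function Get-ChainCerts($Leaf, $Extra) {
    $c = New-Object Security.Cryptography.X509Certificates.X509Chain
    $c.ChainPolicy.RevocationMode    = 'NoCheck'
    # Only the chain shape matters here; an unknown root must not abort the build.
    $c.ChainPolicy.VerificationFlags = 'AllowUnknownCertificateAuthority'
    foreach ($x in $Extra) { [void]$c.ChainPolicy.ExtraStore.Add($x) }
    [void]$c.Build($Leaf)
    @($c.ChainElements | ForEach-Object { $_.Certificate })   # leaf first, top of chain last
}

function Write-CertFile([string]$Folder, $Cert) {
    $path = Join-Path $Folder ('{0}.der' -f $Cert.Thumbprint)
    if ($WhatIf) { "would write $path  ($($Cert.Subject))"; return }
    New-Item -ItemType Directory -Path $Folder -Force | Out-Null
    [IO.File]::WriteAllBytes($path, $Cert.Export('Cert'))   # DER, public certificate only
    "wrote $path  ($($Cert.Subject))"
}

$server     = Read-Cert $ServerCertFile
$chain      = Get-ChainCerts $server @($IssuerFiles | ForEach-Object { Read-Cert $_ })
$top        = $chain[-1]
$selfSigned = ($server.Subject -eq $server.Issuer)

if (-not $selfSigned -and $top.Subject -ne $top.Issuer) {
    Write-Warning "Chain is incomplete: no certificate found for issuer '$($top.Issuer)'. Ask the server administrator for it before trusting anything."
    return
}

if ($selfSigned) {
    # Self-signed: the server certificate itself must be in trusted\certs; no issuers.
    $trusted = @($server); $issuers = @()
} elseif ($Anchor -eq 'Leaf') {
    # Trust the server certificate directly; the rest of the chain still goes to issuers\certs.
    $trusted = @($server); $issuers = @($chain[1..($chain.Count - 1)])
} else {
    # Trust the CA at the top of the chain; everything beneath it goes to issuers\certs.
    $trusted = @($top); $issuers = @($chain[0..($chain.Count - 2)])
}

"Anchor to trust: $($trusted[0].Subject)"
"Thumbprint     : $($trusted[0].Thumbprint)  (confirm with the UA Server administrator out of band first)"
$trusted | ForEach-Object { Write-CertFile (Join-Path $PkiRoot 'trusted\certs') $_ }
$issuers | ForEach-Object { Write-CertFile (Join-Path $PkiRoot 'issuers\certs') $_ }
```

Run it first with -WhatIf to see where each certificate would land, for example `.\Place-UaServerCert.ps1 -ServerCertFile .\rejected\<Thumbprint>.der -IssuerFiles .\intermediate.der, .\root.der -PkiRoot <PKI root> -WhatIf`. The default -Anchor Root matches the page's note that trusting the issuer is enough for a CA-issued certificate; -Anchor Leaf is the "store the Server certificate directly" alternative.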