Monokot Server 1.x

Client Certificates


Last updated 2 years ago

Security certificates are used to verify the authenticity of an OPC UA client (on the server side), to verify the authenticity of an OPC UA server (on the client side), and to encrypt the connection. To establish a secure connection between the OPC UA client and the OPC UA server, each side must add the security certificate it receives from the other to its repository as "trusted". Monokot Server has a dedicated repository for client security certificates. It allows you to import, reject or confirm client security certificates.

When an OPC UA client tries to establish a secure connection to the OPC UA server, the client security certificate is automatically placed in the repository as “rejected” if it was not previously added as “trusted”.

The default UA TCP endpoint security certificate is a self-signed certificate that was created when the server was first started. More information about the default server security certificate is available elsewhere in this documentation.

How to: Adding a security certificate to the security certificates repository as "trusted" using Monokot Server Administrator

To add an OPC UA security certificate to the repository as "trusted", double-click on OPC UA in the Server Explorer pane and go to the Client Certificates tab.

If you have the client security certificate of OPC UA client on your computer:

Click on the Import button and select one or more certificates. The certificates will appear on the client as “trusted”. Click on the Sync button to transfer the added security certificates to the server. Now the OPC UA client can connect to the OPC UA server via a secure connection.

If you do not have the OPC UA client security certificate on your computer:

Connect the OPC UA client to the OPC UA server via a secure connection. The connection will not be established, and the client will return the error BadCertificateUntrusted or BadSecurityChecksFailed. The OPC UA client security certificate will automatically be added to the server repository as "rejected". Click on the Sync button; the “rejected” certificate will appear in the table of certificates.

Select the certificate, click on the "Trust" button, and then click on the Sync button to trust the security certificate on the server. Now the OPC UA client can connect to the OPC UA server via a secure connection.

The Client Certificate Validation Mode parameter specifies how client security certificates are validated and has the following values:

  • Accept Any (no validation)

  • Verify by Operating System (the most rigorous way of certificate validation; builds a trusted certificate chain using the operating system certificate store with validation of domain name, certificate expiration date, etc.)

  • Trusted Certificates List (successfully validated if the certificate is in the certificate list and is trusted)

  • Trusted CA’s List (successfully validated if it is possible to build a trust chain to any of the trusted certificates on the list).

Note that if you select the Accept Any or Verify by Operating System mode, the client security certificate will not be added to the certificate list when the client tries to establish a secure connection. If the Trusted Certificates List or Trusted CA's List mode is selected, automatic addition of a client certificate is regulated by the Automatically add a client certificate as "untrusted" parameter.
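A small Python model of the repository behaviour described above, added here as an illustration and not Monokot Server code: it shows an unknown client being refused and listed as "rejected", then accepted once trusted, and contrasts that with Accept Any, which accepts the client and records nothing. The class and field names are hypothetical, certificates are constructed byte strings, the chain walk stands in for real signature verification, and Verify by Operating System is not modelled.

```python
import hashlib
from dataclasses import dataclass, field
from typing import Optional

@dataclass(frozen=True)
class Cert:                      # hypothetical stand-in for a client certificate
    der: bytes                   # constructed bytes, not a real DER encoding
    issuer: Optional["Cert"] = None   # None means self-signed

    @property
    def fp(self) -> str:         # fingerprint used as the repository key
        return hashlib.sha256(self.der).hexdigest()

@dataclass
class Repository:                # hypothetical model of the certificate repository
    mode: str                    # a Client Certificate Validation Mode value
    auto_add: bool = True        # models the automatic-addition parameter
    entries: dict = field(default_factory=dict)  # fingerprint -> status

    def trust(self, cert: Cert) -> None:
        """Import, or the "Trust" button, followed by Sync."""
        self.entries[cert.fp] = "trusted"

    def connect(self, cert: Cert) -> bool:
        """Return True if a secure connection would be accepted."""
        if self.mode == "Accept Any":
            return True          # no validation and nothing recorded
        if self.mode == "Trusted Certificates List":
            ok = self.entries.get(cert.fp) == "trusted"
        elif self.mode == "Trusted CA's List":
            ok, link = False, cert
            while link is not None and not ok:   # assumption: walk starts at the leaf
                ok = self.entries.get(link.fp) == "trusted"
                link = link.issuer
        else:
            raise ValueError(f"mode not modelled: {self.mode}")
        if not ok and self.auto_add:
            self.entries.setdefault(cert.fp, "rejected")  # awaits review
        return ok

def first_contact(mode: str) -> list:
    """Unknown client connects, the administrator trusts it, it reconnects."""
    repo, client = Repository(mode), Cert(b"constructed-client-cert")
    before = repo.connect(client)
    listed = repo.entries.get(client.fp)   # what the Sync button would show
    repo.trust(client)
    return [before, listed, repo.connect(client)]
```

With Accept Any the first element is already `True` and the listed status is `None`, so there is no repository entry for an administrator to review.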
