Security certificates are used to verify the authenticity of an OPC UA client (on the server side), authenticity of an OPC UA client (on the client side) and to encrypt. In order to establish secure connection between the OPC UA client and the OPC UA server, they must add the security certificates given to them to the repository as "trusted". There is a special repository intended for working with client security certificates in Monokot Server. It allows you to import, reject or confirm client security certificates.
When an OPC UA client trying establish secure connection to the OPC UA server, a client security certificate will automatically be placed in the repository as “rejected” if it was not added before as “trusted”
The default UA TCP endpoint security certificate is a self-signed certificate that was created when the server was first started. Click here to learn more about the default server security certificate.
How to: Adding a security certificate to the security certificates repository as "trusted" using Monokot Server Administrator
To add an OPC UA security certificate to the repository as "trusted" in Server Explorer pane, double-click on OPC UA and go to the Client Certificates tab.
If you have the client security certificate of OPC UA client on your computer:
Click on the Import button and select one or more certificates. The certificates will appear on the client as “trusted”. Click on the Sync button to transfer the added security certificates to the server. Now the OPC UA client can connect to the OPC UA server via a secure connection.
If you do not have the OPC UA client security certificate on your computer:
Connect the OPC UA client to the OPC UA server via a secure connection. Connection is not established and the client will return the error BadCertificateUntrusted or BadSecurityChecksFailed. The OPC UA client security certificate will automatically be added to server repository as "rejected". Click on the Sync button, the “rejected” certificate will appear in the table of certificates.
Select the certificate and click on "Trust" button and then click on the Sync button to trust the security certificate on the server. Now the OPC UA client can connect to the OPC UA server via a secure connection.
The parameter Client Certificate Validation Mode specifies client security certificate validation mode and has the following values:
- Accept Any (no validation)
- Verify by Operating System (the most rigorous way of certificate validation; builds a trusted certificate chain using the operating system certificate store with validation of domain name, certificate expiration date, etc.)
- Trusted Certificates List (successfully validated if the certificate is in the certificate list and is trusted)
- Trusted CA’s List (successfully validated if it is possible to build a trust chain to any of the trusted certificates on the list).
Note that if you select the Accept Any or Verify by Operating System mode, the client security certificate will not be added to the certificate list when the client tries to establish a secure connection. If the Trusted Certificates List or Trusted CA's List mode is selected, automatic addition of a client certificate is regulated by the Automatically add a client certificate as "untrusted" parameter.