Use OPC UA certificates and keys

Introduction

To communicate securely with each other, OPC UA applications must have appropriate public certificates and corresponding private keys (for more information refer to the OPC UA specifications).

If the project has both OPC UA Server and OPC UA Client objects, the same certificate can be used in both.

The trusted certificates of other OPC UA applications can be set at both design time and runtime. They are set at design time when the certificates are available and/or when the necessary functionality to do so at runtime is not available (see Set the trusted certificates at runtime).

Note

The design-time setup must be repeated whenever a previously known application changes its certificate. In that case the Q Application must be republished.

Generate OPC UA certificates in Q Studio

  1. Expand the menu image1, then click Create certificate.

  2. Fill in the fields and choose where to save the certificate, then click Create: Q Studio generates a public certificate with a .der extension and a corresponding private key in a file with a .pem extension.

    Hint

    Save the certificate in a personal folder outside the project, so that a backup copy exists.

    Note

    All values of RSA key size and Signature algorithm are compatible with the OPC UA security policies that can be set in the OPC UA Server and OPC UA Client objects. Higher values in these fields increase the resources needed to encrypt and decrypt the messages exchanged between server and client.

Set up server and client public certificates and private keys

  1. In an OPC UA Server object in the Server certificate property, or in an OPC UA Client object in the Client certificate property, click Browse: the project resources window opens from which to choose the certificate.

  2. Select the certificate:

    If the certificate is already in the project resources: select it and click Select.

    If the certificate is not in the project resources:

      1. Click image3 and select the file to import, then confirm: the file is imported into the project in the predefined folder for the server/client certificate (see Location of certificates and keys in UNIQO projects and Q Applications).

      2. Click Select.

  3. In an OPC UA Server object in the Server private key property, or in an OPC UA Client object in the Client private key property, click Browse: the project resources window opens from which to choose the private key.

  4. Select the private key:

    If the private key is already in the project resources: select it and click Select.

    If the private key is not in the project resources:

      1. Click image5 and select the file to import, then confirm: the file is imported into the project in the predefined folder for the server/client private key (see Location of certificates and keys in UNIQO projects and Q Applications).

      2. Click Select.
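Before the two files chosen in the steps above are assigned to the Server/Client certificate and private key properties, it is worth confirming that the .pem private key really belongs to the .der certificate and that the key size and signature algorithm fit the security policy chosen in the OPC UA Server or OPC UA Client object (the Note in the previous section). The function below is an added example, not Q Studio code; it assumes the OpenSSL command-line tool is installed and that the private key file is not passphrase-protected. It also prints the application URI from the certificate's subjectAltName, which OPC UA application instance certificates carry so that a peer can match the certificate against the application's URI; the file names are illustrative.

```shell
#!/bin/sh
# Added example (not Q Studio/UNIQO code): sanity-check an OPC UA certificate
# (.der) and private key (.pem) pair before assigning them to the Server/Client
# certificate and private key properties. Assumes the OpenSSL CLI is installed
# and that the private key is not passphrase-protected.
#
# Usage: check_opcua_keypair cert.der key.pem
# Returns 0 when the private key matches the certificate, 1 otherwise.
check_opcua_keypair() {
    cert="$1"
    key="$2"
    tmp=$(mktemp -d) || return 1

    # Public key embedded in the DER certificate, written out as PEM
    openssl x509 -inform der -in "$cert" -noout -pubkey > "$tmp/cert.pub" 2>/dev/null \
        || { echo "cannot read certificate $cert" >&2; rm -rf "$tmp"; return 1; }
    # Public key derived from the PEM private key, written out as PEM
    openssl pkey -in "$key" -pubout > "$tmp/key.pub" 2>/dev/null \
        || { echo "cannot read private key $key" >&2; rm -rf "$tmp"; return 1; }

    # Report the parameters that must fit the chosen OPC UA security policy
    text=$(openssl x509 -inform der -in "$cert" -noout -text)
    echo "Signature algorithm: $(printf '%s\n' "$text" | grep -m1 'Signature Algorithm:' | sed 's/.*Signature Algorithm: //')"
    echo "RSA key size:        $(printf '%s\n' "$text" | grep -m1 'Public-Key:' | sed 's/.*(\(.*\) bit).*/\1/')"
    # OPC UA application instance certificates carry the ApplicationUri as a
    # subjectAltName URI entry; print it so it can be compared with the application
    echo "Application URI:     $(printf '%s\n' "$text" | grep -m1 -o 'URI:[^,]*' || echo '(none)')"

    # The two SubjectPublicKeyInfo blocks must be identical
    if cmp -s "$tmp/cert.pub" "$tmp/key.pub"; then
        echo "OK: private key matches certificate"
        rm -rf "$tmp"
        return 0
    fi
    echo "MISMATCH: private key does not belong to this certificate" >&2
    rm -rf "$tmp"
    return 1
}
```

A non-zero return means the pair must not be assigned: either the wrong key file was picked, or the certificate was regenerated without replacing the key. The printed key size and algorithm are the values to compare against the security policy configured in the OPC UA object.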

Set up the trusted certificates at design time

Certificates already available

To set a certificate available at design time as trusted, import it into the project as follows:

  1. Click image6: the project resources window opens.

  2. If the certificate is from a server, go to PKI > Trusted > Server, if the certificate is from a client go to PKI > Trusted > Client.

  3. Click image7 and select the certificate to import, then confirm: the file is imported in the project and is considered trusted at runtime.

OPC UA server certificates from which nodes are imported

To trust the server certificate that was rejected when importing nodes with an OPC UA Client object, and so be able to import those nodes at design time, move the certificate from the ApplicationFiles/PKI/Rejected/Server project folder to the ApplicationFiles/PKI/Trusted/Server project folder.

Set the trusted certificates at runtime

To set as trusted a server or client certificate rejected at runtime, move it from the Rejected folder to the corresponding Trusted folder:

  • if the certificate is from a server, move it from the QApplication/ApplicationFiles/PKI/Rejected/Server folder to the QApplication/ApplicationFiles/PKI/Trusted/Server folder;

  • if the certificate is from a client, move it from the QApplication/ApplicationFiles/PKI/Rejected/Client folder to the QApplication/ApplicationFiles/PKI/Trusted/Client folder.

After a few seconds the certificate is considered trusted without having to restart the Q Application(s).

Hint

The location of the QApplication folder is shown in the Q Studio log panel, in the error message reporting that the certificate has been refused and copied.

The certificate can be moved in three ways:

  • (Only on Windows target) Manually with Windows Explorer.

  • Remotely, with the ASEM Ubiquity software.

  • From the Q Application itself.
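Moving the file is the moment trust is granted, so the certificate should stay in Rejected until its thumbprint has been checked against the value the peer application's operator supplies through an independent channel; a certificate appearing in the Rejected folder only proves that something connected, not who. The shell functions below are an added example (not Q Studio/UNIQO code) that list the rejected certificates with their thumbprints and move one into the trusted folder only when the expected thumbprint matches. They assume the OpenSSL command-line tool, the PKI folder layout named on this page below an application root path passed as the first argument (the QApplication/ApplicationFiles folder reported in the Q Studio log), and .der file names; the thumbprint is SHA-1 over the DER bytes, which is how OPC UA applications identify and log a certificate.

```shell
#!/bin/sh
# Added example (not Q Studio/UNIQO code): promote a rejected OPC UA peer
# certificate to the trusted store only after its thumbprint has been verified.
# Assumes the PKI layout described on this page below an application root:
#   <root>/PKI/Rejected/{Server,Client}   <root>/PKI/Trusted/{Server,Client}
# with DER-encoded .der files, and the OpenSSL CLI for hashing.

# SHA-1 over the DER bytes, upper-case hex: the thumbprint OPC UA applications show
cert_thumbprint() {
    openssl dgst -sha1 "$1" | sed 's/.*= //' | tr 'a-f' 'A-F'
}

# list_rejected <root> Server|Client
# Prints "<THUMBPRINT> <file>" for every certificate waiting in Rejected/<kind>.
list_rejected() {
    root="$1"; kind="$2"
    for f in "$root/PKI/Rejected/$kind"/*.der; do
        [ -f "$f" ] || continue          # skip the unexpanded glob when the folder is empty
        echo "$(cert_thumbprint "$f") $f"
    done
}

# trust_rejected <root> Server|Client <expected-thumbprint>
# Moves the rejected certificate whose thumbprint equals the expected value into
# Trusted/<kind>. Returns 1 and moves nothing when no certificate matches, so an
# unverified certificate can never be trusted by accident.
trust_rejected() {
    root="$1"; kind="$2"
    # Accept the thumbprint as pasted: with or without colons/spaces, any case
    expected=$(printf '%s' "$3" | tr -d ': ' | tr 'a-f' 'A-F')
    case "$kind" in
        Server|Client) ;;
        *) echo "kind must be Server or Client" >&2; return 1 ;;
    esac
    for f in "$root/PKI/Rejected/$kind"/*.der; do
        [ -f "$f" ] || continue
        if [ "$(cert_thumbprint "$f")" = "$expected" ]; then
            mkdir -p "$root/PKI/Trusted/$kind"
            mv "$f" "$root/PKI/Trusted/$kind/"   # move, not copy: Rejected must not keep a stale copy
            echo "trusted: $f -> $root/PKI/Trusted/$kind/$(basename "$f")"
            return 0
        fi
    done
    echo "no rejected $kind certificate with thumbprint $expected; nothing moved" >&2
    return 1
}
```

Typical use is `list_rejected /path/to/QApplication/ApplicationFiles Server` to see what the peer presented, then `trust_rejected /path/to/QApplication/ApplicationFiles Server <thumbprint>` with the value confirmed by the peer's operator. The trusted certificate takes effect after the few seconds noted above, without restarting the Q Application.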