OPC UA TLS Certificate Setup
To prevent information leakage and unintentional access via OPC UA over the network, authentication and encryption should always be used.
To use OPC UA SecurityMode Sign or Sign&Encrypt, both server and client must have private keys and corresponding public certificates. These can be generated using any X.509 certificate management tool. The following examples describe how to use OpenSSL to generate these.
Note: The following examples assume you have the OpenSSL software installed on your computer.
Generating Server and Client Keys and TLS Certificates
To generate the OPC UA server or client private key and corresponding self-signed certificate, use the following OpenSSL command:
openssl req -new -x509 -addext "subjectAltName = URI:Your Application OPC-UA URI" -keyout endpoint.key -nodes -outform DER -days 365 -out endpoint.crt
Run this command once for the server (by replacing endpoint with your server name) and once for each client (by replacing endpoint with your client name). Also replace Your Application OPC-UA URI with the actual URI of your server or client OPC-UA application.
Note: You can choose not to set the subjectAltName of the certificate (by removing the -addext parameter from the command), but then you have to set TLSAllowURIMismatch on the OPC UA server and client to disable certificate URI verification.
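Added example, not part of the original CDP Studio documentation: shell functions that run the command above non-interactively and then confirm, before the files are copied anywhere, that the certificate carries the intended URI and that the key belongs to it. The function names, the -subj value and the urn:example URIs are assumptions made for illustration; -addext and -ext need OpenSSL 1.1.1 or later.

```shell
#!/bin/sh
# Added example (not CDP Studio code). Names and URIs below are constructed.

# gen_endpoint NAME [URI]: the page's command, made non-interactive with -subj
# (an assumption; the page's command prompts for the subject instead).
# Writes NAME.key (PEM, unencrypted because of -nodes) and NAME.crt (DER).
gen_endpoint() {
    name=$1 uri=${2:-}
    set -- -new -x509 -subj "/CN=$name" -keyout "$name.key" -nodes \
           -outform DER -days 365 -out "$name.crt"
    if [ -n "$uri" ]; then
        set -- "$@" -addext "subjectAltName = URI:$uri"
    fi
    openssl req "$@" 2>/dev/null || return 1
    chmod 600 "$name.key"   # no passphrase on the key, so limit who can read it
}

# cert_has_uri NAME URI: succeeds only if the subjectAltName of NAME.crt holds
# exactly this URI (a prefix or a missing SAN fails). A certificate that fails
# here would only be accepted with TLSAllowURIMismatch set.
cert_has_uri() {
    openssl x509 -inform DER -in "$1.crt" -noout -ext subjectAltName 2>/dev/null |
        tr ',' '\n' | sed 's/^ *//; s/ *$//' | grep -qxF "URI:$2"
}

# key_matches_cert NAME: succeeds only if NAME.key is the private key whose
# public half is embedded in NAME.crt.
key_matches_cert() {
    cert_pub=$(openssl x509 -inform DER -in "$1.crt" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$1.key" -pubout 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# check_endpoint NAME URI: URI present, key paired, certificate not expired.
check_endpoint() {
    cert_has_uri "$1" "$2" && key_matches_cert "$1" &&
        openssl x509 -inform DER -in "$1.crt" -noout -checkend 0 >/dev/null
}

# Usage (constructed values):
#   gen_endpoint MyServer urn:example:cdp:MyServer
#   check_endpoint MyServer urn:example:cdp:MyServer && echo "MyServer OK"
```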
Setting Up TLS Certificates
With the server and client keys and certificates generated, the server and the client must be configured to use them.
- copy the server key and certificate files and also the client certificate files into the CDP application folder
- add these files to the application project in CDP Studio by right-clicking in Code mode on the application name and choosing "Add existing files..."
- in Configure mode set TLSServerCertFile and TLSServerKeyFile to the server certificate and key file names
- also add an AllowedClient for each client and set its TLSClientCertFile to the corresponding client certificate file name