How to setup the zenon OPC UA Driver with a CA-signed certificate

How to setup the zenon OPC UA Driver with a CA-signed certificate

This article describes how to create a certificate signed by a Certificate Authority (CA) for using it with the zenon OPC UA Driver.

Pre-requisites

  1. xca: X certificate and key management
  2. xca database containing the certificate and private key of the CA (refer to How to setup an own Root Certificate Authority (CA))
  3. zenon Engineering Studio

Creating a CA-signed certificate using xca

Start the xca tool


  1. Open the tool xca.
  2. Open the database containing the Certificate Authority (CA)

Create a private key


  1. Go to the tab Private Keys and press New Key
  2. Provide a name for the key
  3. Press Create

Export the private key


  1. Select the newly generated key and press Export
  2. Provide a file name for the key
  3. Ensure that the export format is set to PEM private
  4. Press OK
Warning
For security reasons, the file containing the private key shall only be deployed to the machine running the OPC UA Driver!

Create a new certificate


  1. Go to the tab Certificates and press New Certificate
  2. Select Use this Certificate for signing and choose your CA

Set the subject of the new certificate


  1. Go to the tab Subject
  2. Enter an internal name for the certificate
  3. Provide information about your organization (not mandatory, but best practice)
  4. Ensure to select the private key created in the previous steps

Set the extensions of the new certificate


  1. Go to the tab Extensions
  2. Set X509v3 Basic Constraints to:
    1. Type: End Entity
    2. Path length: 0
    3. Select Critical
  3. Set Key identifier:
    1. Select X509v3 Subject Key Identifier
    2. Select X509v3 Authority Key Identifier
  4. Set validity as required
  5. Set X509v3 Subject Alternative Name:
    1. URI:[ApplicationUri],DNS:[hostname]
    2. The ApplicationUri by default is:
      urn:[hostname]
Info
The hostname does not contain the domain part (no FQDN!)

Set the key usage of the new certificate


  1. Go to the tab Key usage
  2. Set X509v3 Key Usage:
    1. Select Critical
    2. Select Digital Signature, Non Repudiation, Key Encipherment, Data Encipherment
  3. Set X509v3 Extended Key Usage:
    1. Select Critical
    2. Select TLS Web Client Authentication
  4. Press OK

Export the certificate


  1. Select the newly generated certificate and press Export
  2. Provide a file name for the certificate and ensure to set the file extension to .der
  3. Ensure that the export format is set to DER
  4. Press OK

Using the certificate in the zenon project

Add the files to the zenon project

  1. Switch to your zenon project and add an OPC UA Client driver
  2. Configure the connection to the OPC UA server (without setting the certificates)
  3. Go to the project folder Files->Drivers->PKI->CA

  4. Add the exported private key (*.pem) to the subfolder private
  5. Add the exported client certificate (*.der), the certificate of the CA, and the server certificate to the subfolder certs
  6. Add the certificate revocation list (CRL) of the CA to the subfolder crl
     
Info
In this example the file uaservercpp.der represents the server certificate

Configure the zenon OPC UA Driver

  1. Finally, go back to the driver instance and open the Certificates tab in the server configuration
  2. Select the recently imported certificates

  3. Now, you can read the PLC variables in the background and import variables
Idea
It might be required to add the newly generated client certificate, the CA certificate, and the CRL of the CA to the configuration of the OPC UA server, too.