How to setup the zenon OPC UA Process Gateway with a CA-signed certificate

This article describes how to create a certificate signed by a Certificate Authority (CA) for use with the zenon OPC UA Process Gateway.

Prerequisites

  1. xca: X certificate and key management
  2. xca database containing the certificate and private key of the CA (refer to How to setup an own Root Certificate Authority (CA))
  3. zenon Engineering Studio

Creating a CA-signed certificate using xca

Start the xca tool

  1. Open the tool xca.
  2. Open the database containing the Certificate Authority (CA)

Create a private key

  1. Go to the tab Private Keys and press New Key
  2. Provide a name for the key
  3. Press Create

Export the private key

  1. Select the newly generated key and press Export
  2. Provide a file name for the key
  3. Ensure that the export format is set to PEM private
  4. Press OK

Warning
For security reasons, the file containing the private key must only be deployed to the machine running the OPC UA Process Gateway; anyone who obtains it can impersonate the gateway.

Create a new certificate

  1. Go to the tab Certificates and press New Certificate
  2. Select Use this Certificate for signing and choose your CA

Set the subject of the new certificate

  1. Go to the tab Subject
  2. Enter an internal name for the certificate
  3. Provide information about your organization (not mandatory, but best practice)
  4. Make sure to select the private key created in the previous steps

Set the extensions of the new certificate

  1. Go to the tab Extensions
  2. Set X509v3 Basic Constraints to:
    1. Type: End Entity
    2. Path length: 0
    3. Select Critical
  3. Set Key identifier:
    1. Select X509v3 Subject Key Identifier
    2. Select X509v3 Authority Key Identifier
  4. Set validity as required
  5. Set X509v3 Subject Alternative Name:
    1. URI:[ApplicationUri],DNS:[FQDN]
    2. The default ApplicationUri is:
      urn:[FQDN:PORT]

Info
In both the URI and the DNS entry, use the fully-qualified domain name (FQDN) in capital letters.

Set the key usage of the new certificate

  1. Go to the tab Key usage
  2. Set X509v3 Key Usage:
    1. Select Critical
    2. Select Digital Signature, Non Repudiation, Key Encipherment, Data Encipherment
  3. Set X509v3 Extended Key Usage:
    1. Select Critical
    2. Select TLS Web Server Authentication
  4. Press OK

Export the certificate

  1. Select the newly generated certificate and press Export
  2. Provide a file name for the certificate and make sure the file extension is .der
  3. Ensure that the export format is set to DER
  4. Press OK
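
Added example, not the article's or zenon's own code: the same end-entity certificate built with Go's standard crypto/x509 library instead of the xca dialogs, useful for scripting the steps above or for checking what an exported certificate should contain. It assumes the CA certificate and signing key are already loaded (for example from the xca export); the organization name, validity period and 2048-bit RSA key size are placeholder choices, and the path length is left unset because that constraint is only defined for CA certificates.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha1"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"encoding/pem"
	"fmt"
	"math/big"
	"net/url"
	"time"
)

// OPCUAServerCert mirrors the xca steps: new RSA key, CA-signed end-entity certificate with
// the listed extensions, returned as DER (the .der export) plus the unencrypted PEM private key.
func OPCUAServerCert(ca *x509.Certificate, caKey crypto.Signer, fqdn string, port int) (der, keyPEM []byte, err error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, err
	}
	serial, _ := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 127))
	appURI, _ := url.Parse(fmt.Sprintf("urn:%s:%d", fqdn, port)) // default ApplicationUri form urn:[FQDN:PORT]
	ski := sha1.Sum(x509.MarshalPKCS1PublicKey(&key.PublicKey))   // Subject Key Identifier
	// EKU "TLS Web Server Authentication" (1.3.6.1.5.5.7.3.1) as a raw extension so it can be marked Critical.
	eku, _ := asn1.Marshal([]asn1.ObjectIdentifier{{1, 3, 6, 1, 5, 5, 7, 3, 1}})
	tmpl := &x509.Certificate{
		SerialNumber: serial,
		Subject:      pkix.Name{CommonName: fqdn, Organization: []string{"Example Org"}}, // Subject tab (placeholder org)
		NotBefore:    time.Now().Add(-time.Hour), NotAfter: time.Now().AddDate(1, 0, 0), // validity as required
		// Basic Constraints: End Entity, critical (Go marks it critical itself). A path length
		// is only defined for CA certificates, so none is set on this leaf certificate.
		BasicConstraintsValid: true, IsCA: false,
		SubjectKeyId: ski[:], // the Authority Key Identifier is copied from the CA certificate
		// Key Usage (critical): Digital Signature, Non Repudiation, Key Encipherment, Data Encipherment
		KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageContentCommitment | x509.KeyUsageKeyEncipherment | x509.KeyUsageDataEncipherment,
		ExtraExtensions: []pkix.Extension{{Id: asn1.ObjectIdentifier{2, 5, 29, 37}, Critical: true, Value: eku}},
		// Subject Alternative Name: URI:[ApplicationUri],DNS:[FQDN]
		URIs: []*url.URL{appURI}, DNSNames: []string{fqdn},
	}
	if der, err = x509.CreateCertificate(rand.Reader, tmpl, ca, &key.PublicKey, caKey); err != nil {
		return nil, nil, err
	}
	keyPEM = pem.EncodeToMemory(&pem.Block{Type: "RSA PRIVATE KEY", Bytes: x509.MarshalPKCS1PrivateKey(key)})
	return der, keyPEM, nil
}
```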

Using the certificate in the zenon project

Add the files to the zenon project

  1. Copy the generated files to the PKI folder of the process gateway:
     %CD_SYSTEM%\PKI\CA\
    1. The private key goes into the subfolder private
    2. The certificates of the server and the CA go into the subfolder certs
    3. The CRL (Certificate Revocation List) of the CA goes into the subfolder crl

Configure the zenon OPC UA Process Gateway

  1. Switch to your zenon project and add an OPC UA Process Gateway
  2. Set up the server parameters, variables, and archives as required
  3. Switch to the tab Endpoints and configure the security settings
  4. Select the generated server certificate and private key
  5. Any client presenting a valid certificate signed by the same CA can now connect to the process gateway.

Idea
The OPC UA clients may also need the newly generated server certificate, the CA certificate, and the CRL of the CA added to their configuration.