How to setup the zenon OPC UA Process Gateway with a self-signed certificate

How to setup the zenon OPC UA Process Gateway with a self-signed certificate

This article describes how to create a self-signed certificate for using it with the zenon OPC UA Process Gateway.

Pre-requisites

  1. xca: X certificate and key management
  2. zenon Engineering Studio

Creating a self-signed certificate using xca

Start the xca tool

  1. Open the tool xca.
  2. Create a new data base

Create a private key


  1. Go to the tab Private Keys and press New Key
  2. Provide a name for the key
  3. Press Create

Export the private key


  1. Select the newly generated key and press Export
  2. Provide a file name for the key
  3. Ensure that the export format is set to PEM private
  4. Press OK
Warning
For security reasons, the file containing the private key shall only be deployed to the machine running the OPC UA Process Gateway!

Create a new certificate


  1. Go to the tab Certificates and press New Certificate
  2. Select Create a self signed certificate

Set the subject of the new certificate


  1. Go to the tab Subject
  2. Enter an internal name for the certificate
  3. Provide information about your organization (not mandatory, but best practice)
  4. Ensure to select the private key created in the previous steps

Set the extensions of the new certificate


  1. Go to the tab Extensions
  2. Set X509v3 Basic Constraints to:
    1. Type: End Entity
    2. Path length: 0
    3. Select Critical
  3. Set Key identifier:
    1. Select X509v3 Subject Key Identifier
    2. Select X509v3 Authority Key Identifier
  4. Set validity as required
  5. Set X509v3 Subject Alternative Name:
    1. URI:[ApplicationUri],DNS:[FQDN]
    2. The ApplicationUri by default is:
      urn:[FQDN:PORT]
Info
In both cases, use the fully-qualified domain name (FQDN) in capital letters.

Set the key usage of the new certificate


  1. Go to the tab Key usage
  2. Set X509v3 Key Usage:
    1. Select Critical
    2. Select Digital Signature, Non Repudiation, Key Encipherment, Data Encipherment, Certificate Sign
  3. Set X509v3 Extended Key Usage:
    1. Select Critical
    2. Select TLS Web Server Authentication
  4. Press OK

Export the certificate


  1. Select the newly generated certificate and press Export
  2. Provide a file name for the certificate and ensure to set the file extension to .der
  3. Ensure that the export format is set to DER
  4. Press OK

Using the certificate in the zenon project

Add the files to the zenon project

  1. Copy the generated files to the PKI folder of the process gateway:
    %CD_SYSTEM%\PKI\CA\
    1. The private key will go into the subfolder private
    2. The certificate will go into the subfolder certs
    3. Also put the certificates of trusted clients into the subfolder certs
Info
In this example the file uaexpert.der represents the certificate of a trusted client.

Configure the zenon OPC UA Process Gateway

  1. Switch to your zenon project and add an OPC UA Process Gateway
  2. Setup the server parameters, variables, and archives as required
  3. Switch to the tab Endpoints and configure security settings
  4. Select the generated server certificate and private key
  5. Now, any client with a valid certificate added to the certs subfolder of the PKI is able to connect to the process gateway.
Idea
It might be required to add the newly generated server certificate to the configuration of the OPC UA clients, too.