Authorizing Certificates on Kepware OPC UA Server

To add certificates to the OPC UA Server, do the following:

  1. Right-click on your Windows taskbar and select OPC UA Configuration.
  2. Open the Trusted Clients tab.
  3. Click Import.
  4. Choose the certificate file (*.der, *.cer) to be trusted on the server. This file is the certificate of the client.
    The certificate for the deviceWISE OPC UA Client is found in the Staging directory at /uaclient/pki/own/uaclientcert.der.
  5. When the OPC UA client fails to connect to the Kepware OPC UA Server, a certificate automatically appears. Click Trust to accept the certificate.
  6. Ensure the server settings are valid. Do the following:
    1. Ensure all the server settings have the correct checkboxes and that the complete hostname for the server is used when clients attempt to connect.
    2. Check any DNS settings on the deviceWISE node to make sure the full hostname (ex: opc.tcp://N3966.tmt.telital.com:49320) is accessed. For example, attempt to connect to the server with no authentication with None as the Security Policy.
    3. Restart the Kepware OPC UA Server.

Connecting with deviceWISE OPC UA Client using Message Security Mode

  1. Set up an OPC UA Client device with a Security Policy setting to connect to the Kepware OPC UA Server.

    For the Endpoint URL, use the hostname (for example, win-acme.com) instead of an IP address, since the certificate of the server will use the hostname in it. It is possible to use a hostname such as win-acme.com, but make sure you are able to ping this hostname.

    On Linux nodes the hostname win-acme.com is not recognized by the ping command. Add an entry to /etc/hosts, for example: 10.120.51.21 win-acme.com.

    The Security Policy of Basic128Rsa15 seems to be the highest setting supported by Kepware v6 OPC UA Server.

  2. Click Validate.
    • If you get an error stating that the certificate is untrusted, go to the deviceWISE \staging\uaclient\pki\rejected directory.

      You will see the certificate from the server that was rejected by the OPC UA Client when the device definition was validated.
  3. Move the file to the \staging\uaclient\pki\trusted\certs directory.
  4. Open the deviceWISE device definition and click Validate again. It should validate successfully now.
    If you get the error Certificate security checks failed, then the steps given earlier to trust the client certificate have to be done.
  5. Open the OPC UA Configuration Manager, select the client certificate, and click Trust. Restart the server.

    The device definition should now be able to Validate properly.
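
Moving a file from \staging\uaclient\pki\rejected to \staging\uaclient\pki\trusted\certs trusts whatever certificate was presented on the first connection, so confirm that it is the server's own certificate before moving it. The following is an added example, not part of the original page and not deviceWISE or Kepware code: it moves a rejected certificate only when its SHA-256 fingerprint matches a value obtained out of band from the server administrator. The function names, the relative path prefix and the DER-or-PEM file encoding are assumptions.

```python
import hashlib
import shutil
import ssl
import sys
from pathlib import Path


def fingerprint(cert_path: Path) -> str:
    """SHA-256 fingerprint of a certificate file, taken over its DER encoding."""
    data = cert_path.read_bytes()
    if data.lstrip().startswith(b"-----BEGIN CERTIFICATE-----"):
        # PEM on disk: decode to DER first so the hash matches what tools display.
        data = ssl.PEM_cert_to_DER_cert(data.decode("ascii").strip())
    return hashlib.sha256(data).hexdigest()


def normalize(fp: str) -> str:
    """Accept 'AB:CD:...', 'ab cd ...' or plain hex."""
    return fp.replace(":", "").replace(" ", "").strip().lower()


def promote_verified(rejected: Path, trusted: Path, expected_fp: str) -> list:
    """Move only the certificates whose fingerprint equals expected_fp.

    Returns the names of the files moved; everything else stays in rejected.
    """
    want = normalize(expected_fp)
    if len(want) != 64 or any(c not in "0123456789abcdef" for c in want):
        raise ValueError("expected_fp must be a SHA-256 fingerprint (64 hex digits)")
    trusted.mkdir(parents=True, exist_ok=True)
    moved = []
    for cert in sorted(rejected.iterdir()):
        if cert.is_file() and fingerprint(cert) == want:
            shutil.move(str(cert), str(trusted / cert.name))
            moved.append(cert.name)
    return moved


if __name__ == "__main__" and len(sys.argv) == 2:
    # Assumption: run from the deviceWISE install directory, so the staging
    # path named on this page is relative to the current directory.
    pki = Path("staging") / "uaclient" / "pki"
    print(promote_verified(pki / "rejected", pki / "trusted" / "certs", sys.argv[1]))
```

A certificate that does not match stays in the rejected directory, so a non-empty rejected directory after the run is itself worth investigating.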