OPC-UA Certificates

OPC-UA was built with a focus on security using X.509 certificates. The X.509 certificate that Koios uses for OPC-UA authentication is a self-signed certificate with a ten (10) year expiration date, generated during installation. To view, update, or download the certificate, navigate to Protocols > OPC-UA > Certificates, then select the ellipsis to see the available actions.

Update Certificate

This regenerates and saves the X.509 certificate with a new expiration date.

Download Certificate

This will download the certificate as a .der file.

Download Private Key

This will download the private key as a .pem file.

Working with OPC-UA certificates and security

There are multiple ways of dealing with self-signed certificates. Currently, Koios is designed to work with the accepted OPC-UA Automatic Certificate Management service that most OPC-UA server products provide. For the server to discover the certificate automatically, you must:

  1. Create a device using OPC-UA.

  2. Test the connection. The server should receive the certificate upon testing.

  3. The server should now have the certificate listed as rejected.

  4. Using the server’s interface, you will need to trust the certificate. Below is an example of trusting a certificate in KepServerEX 6.

Certificate Expirations

When a certificate expires, secure communication is still possible: the server will continue to process messages and requests from the client unless the OPC-UA server is set up to reject expired certificates. A red 'X' will be displayed, and an error message will be registered in Koios to warn an engineering user that the certificate is expired and should be renewed.
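
The trust step and the expiration behavior described above can both be checked offline against the downloaded files. The following is an added example, not part of Koios or its documentation: it uses the openssl CLI to compute the thumbprint to compare with the entry the server lists as rejected before you trust it, to report whether the certificate is expired or close to expiring, and to confirm that the downloaded .pem key belongs to the .der certificate. The function names, file names, the 90-day warning window, and the use of a SHA-1 thumbprint for comparison are assumptions.

```shell
#!/bin/sh
# Added example: offline checks on the certificate (.der) and private key (.pem)
# downloaded from Koios. Requires the openssl CLI. Function names are hypothetical.

# Print the SHA-1 thumbprint of a DER certificate as lowercase hex, no colons.
# Compare it with the thumbprint shown for the rejected certificate on the server.
cert_thumbprint() {
  openssl x509 -inform DER -in "$1" -noout -fingerprint -sha1 |
    sed 's/.*=//' | tr -d ':' | tr 'A-F' 'a-f'
}

# Print "expired", "expiring" (inside the warning window) or "ok".
# $1 = DER certificate, $2 = warning window in days.
cert_status() {
  if ! openssl x509 -inform DER -in "$1" -noout -checkend 0 >/dev/null; then
    echo expired
  elif ! openssl x509 -inform DER -in "$1" -noout \
         -checkend $(( $2 * 86400 )) >/dev/null; then
    echo expiring
  else
    echo ok
  fi
}

# Succeed only if the PEM private key ($2) matches the certificate's public key ($1).
cert_key_match() {
  cert_pub=$(openssl x509 -inform DER -in "$1" -noout -pubkey) || return 2
  key_pub=$(openssl pkey -in "$2" -pubout) || return 2
  [ "$cert_pub" = "$key_pub" ]
}

# Usage: sh check_cert.sh cert.der [key.pem]   (placeholder file names)
if [ -n "${1:-}" ]; then
  echo "thumbprint: $(cert_thumbprint "$1")"
  echo "notAfter:   $(openssl x509 -inform DER -in "$1" -noout -enddate | sed 's/.*=//')"
  echo "status:     $(cert_status "$1" 90)"
  if [ -n "${2:-}" ]; then
    if cert_key_match "$1" "$2"; then echo "key: matches"; else echo "key: MISMATCH"; fi
  fi
fi
```

Running the status check on a schedule gives warning before the server-side behavior changes, which matters if the OPC-UA server is configured to reject expired certificates.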