PFC100 OPC UA - CA Certificate handling

Hi all,

we use the “WAGO 750-8100 PFC100 2ETH ECO” controller and we have configured the OPC UA interface via the WBM.

We use the program “UaExpert” for testing.
Without any problems, we can see all variables declared in e!COCKPIT.

The next step is to set up the secure connection with certificates.

Before we use CA Certificate, we want to test the manual certificate handling.
The following setting is in the OPC UA Configuration in the WBM:

  • OPC UA Endpoints:
    Security Policy - Basic128Rsa15
    Security Policy - Basic256Sha256
    are enabled.

OPC UA Security Settings:
All enabled except “Trust all clients”

When establishing a connection with UA Expert, I have to trust the certificate provided by Wago.
This is followed by a warning message: “BadCertificateHostNameInvalid”.
The reason for this is that the IP is not set for the alternative requestor in the WAGO certificate. This is the first problem.
Is it the case that the WAGO certificate does not comply with the OPC UA specification?

But I can ignore this message, connect and see data.

Now I have my own CA certificates, which I have uploaded in WBM under “Server certificates”:
OPC UA Server Own Certificates: My own certificate issued by the CA from the network
OPC UA Server Private Keys: My own private key issued by the CA from the network

I have deleted Wago’s own certificate: certificate.der and key.pem

If I now establish a connection with UA Expert, Wago’s own certificates are still shown (although I have deleted the certificates).
When I restart the controller, the Wago certificates are displayed again…
Why are the CA certificates not accepted and the Wago certificates still there?
Has anyone had any experience with it?

Hello,
You might find this thread useful as it is a similar subject.

@WagoKurt
Thank you for the helpful thread.
If I now connect via the host name, I no longer get an error message in UAExpert (as the host name is in the certificate).

As described above, I would now like to use my own CA certificate:

Now I have my own CA certificates, which I have uploaded in WBM under “Server certificates”:
OPC UA Server Own Certificates: My own certificate issued by the CA from the network
OPC UA Server Private Keys: My own private key issued by the CA from the network

I have deleted Wago’s own certificate: certificate.der and key.pem

If I now establish a connection with UA Expert, Wago’s own certificates are still shown (although I have deleted the certificates).
When I restart the controller, the Wago certificates are displayed again…
Why are the CA certificates not accepted and the Wago certificates still there?
Has anyone had any experience with it?

@WagoPatrick I have seen your helpful posts on OPC UA. Do you have any idea why no CA certificates are displayed in UAExpert?

Any help would be appreciated 🙂

Hello @WaEm2303
unfortunately I won’t be able to test this until next week as I’m not in the office at the moment.

The only thing I can think of off the top of my head is that all certificates in the chain must be known to the server and the CRL must also be known to the server. Maybe you should have a look in the PKI. For the WAGO OPC UA server, I think this should be somewhere under /etc

BR
Patrick

Hello @WagoPatrick,

I have found the PKI folder with the certificates on the PLC:

If I delete these certificates and replace them with my self-created certificates, the certificates are automatically recreated as soon as I restart the controller.

Have you been able to test it in the office?

BTW: Does the Wago support the automatic renewal of certificates with a GDS server/client (push/pull)?

Hi @WaEm2303 ,

Here in the manual you can see how the renewal of certificates with UaExpert via GDS Push works. WAGO USA | 5574984

I had actually also assumed that you had tried to use a CA-signed certificate via the CSR generated here (UaExpert → GDS Push View).

You might have to take a look at the certificate to see if everything matches.
The most important thing for OPC UA is the ApplicationUri as URL in the SubjectAlternativeName.
Everything should already be entered in the CSR.

Have you tried this?
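The two certificate checks this thread keeps running into (the “BadCertificateHostNameInvalid” from the first post, and the ApplicationUri-as-URI requirement in the post above) both come down to what is in the server certificate's SubjectAlternativeName. The following is an added example, not WAGO or Unified Automation code: it encodes and decodes a SAN extension with only the Python standard library and then applies the checks an OPC UA client performs on a server certificate. The ApplicationUri `urn:pfc100-example:WAGO:OPCUA`, the host name `pfc100-example` and the address `192.168.1.10` are constructed sample values, not values from the page.

```python
"""Encode/decode an X.509 subjectAltName (RFC 5280 GeneralNames) and apply the
OPC UA client-side checks on a server certificate:

  * the host the client connected to must appear as a dNSName or iPAddress
    (otherwise UaExpert reports BadCertificateHostNameInvalid), and
  * the server's ApplicationUri must appear as a URI GeneralName
    (otherwise the client reports BadCertificateUriInvalid).

Added example, not WAGO/UaExpert code. All sample values are constructed.
"""
import ipaddress

# GeneralName context tags from RFC 5280 section 4.2.1.6
TAG_DNS = 0x82   # [2] dNSName (IA5String)
TAG_URI = 0x86   # [6] uniformResourceIdentifier (IA5String)
TAG_IP = 0x87    # [7] iPAddress (OCTET STRING, 4 or 16 bytes)
TAG_SEQ = 0x30   # SEQUENCE


def _der_len(n: int) -> bytes:
    """DER length octets, short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag: int, value: bytes) -> bytes:
    return bytes([tag]) + _der_len(len(value)) + value


def encode_san(uris=(), dns_names=(), ips=()) -> bytes:
    """Build the DER value of a subjectAltName extension (SEQUENCE OF GeneralName)."""
    names = b"".join(_tlv(TAG_URI, u.encode("ascii")) for u in uris)
    names += b"".join(_tlv(TAG_DNS, d.encode("ascii")) for d in dns_names)
    names += b"".join(_tlv(TAG_IP, ipaddress.ip_address(ip).packed) for ip in ips)
    return _tlv(TAG_SEQ, names)


def _read_tlv(buf: bytes, pos: int):
    """Parse one DER TLV starting at pos; returns (tag, value, position after it)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: next n bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def parse_san(der: bytes) -> dict:
    """Return {'uri': [...], 'dns': [...], 'ip': [...]} from a DER-encoded SAN."""
    tag, body, end = _read_tlv(der, 0)
    if tag != TAG_SEQ or end != len(der):
        raise ValueError("subjectAltName is not a single SEQUENCE")
    out = {"uri": [], "dns": [], "ip": []}
    pos = 0
    while pos < len(body):
        tag, value, pos = _read_tlv(body, pos)
        if tag == TAG_URI:
            out["uri"].append(value.decode("ascii"))
        elif tag == TAG_DNS:
            out["dns"].append(value.decode("ascii"))
        elif tag == TAG_IP:
            out["ip"].append(str(ipaddress.ip_address(value)))
        # other GeneralName choices (rfc822Name, directoryName, ...) are skipped
    return out


def check_server_cert_san(san: dict, endpoint_host: str, application_uri: str) -> list:
    """Return the OPC UA status names a client would raise; empty list means accepted."""
    problems = []
    try:   # connected by IP address: look for an iPAddress entry
        host_ok = str(ipaddress.ip_address(endpoint_host)) in san["ip"]
    except ValueError:   # connected by host name: look for a dNSName entry
        host_ok = endpoint_host.lower() in (d.lower() for d in san["dns"])
    if not host_ok:
        problems.append("BadCertificateHostNameInvalid")
    if application_uri not in san["uri"]:
        problems.append("BadCertificateUriInvalid")
    return problems


# Constructed sample: a server certificate whose SAN carries the ApplicationUri
# and the host name, but no IP address (the situation described in the thread).
APP_URI = "urn:pfc100-example:WAGO:OPCUA"
SAN_HOST_ONLY = encode_san(uris=[APP_URI], dns_names=["pfc100-example"])
SAN_WITH_IP = encode_san(uris=[APP_URI], dns_names=["pfc100-example"], ips=["192.168.1.10"])

if __name__ == "__main__":
    san = parse_san(SAN_HOST_ONLY)
    print("by IP:       ", check_server_cert_san(san, "192.168.1.10", APP_URI))
    print("by host name:", check_server_cert_san(san, "pfc100-example", APP_URI))
    print("with IP SAN: ", check_server_cert_san(parse_san(SAN_WITH_IP), "192.168.1.10", APP_URI))
```

Run stand-alone, the script shows the three cases from the thread: connecting by IP to a certificate that only lists the host name yields BadCertificateHostNameInvalid, connecting by host name passes, and a certificate that also carries an iPAddress entry passes either way. When building a CSR for your own CA, the same `parse_san` can be pointed at the decoded SubjectAlternativeName to confirm that the ApplicationUri is present as a URI entry and that every address you intend to connect with is listed.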

Hi @WagoPatrick,

thanks for the document. I hadn’t found it before and it’s certainly helpful!

So far I have tried to generate the certificate with my own CA (via OpenSSL).
I will now try this via UaGDS and then compare the certificates.

Many thanks for your help!
