Tech Note: 3S Runtime with OPC UA Server

---- The following note only pertains to devices with the CODESYS target from 3S ----

When using the 3S target for the Codesys Store, the runtime has an embeded OPC UA server that is independent of the WAGO OPC UA server that is shown in the Web-Based Management.

To use the embedded OPC UA server feature, you must DISABLE the WAGO OPC UA service under WBM > Feildbus > OPC UA > Configuration.

Version shown:
CODESYS Control for PFC200 SL - v


Good evening,
I am using the 3S target on a 762-5305/8000-002.
Our OPCUA client is an instance of Ignition. We have been unable to pull in the symbol list of the TP600. We have had success with e!Cockpit in the past, but the customer wishes to now use CoDeSys.
In e!Cockpit, we had success without utilizing a certificate. Can this be done in CoDeSys? Is there any documentation I can reference for the OPCUA server pertaining to the TP600 target from 3S?

Thank you,

Hi Barron,

There is a setting in Codesys for allowing anonymous connections.

Thank you Mike! I will give this a try soon. I appreciate your feedback!


Hi Barron,

I found a interesting article in the Codesys FAQ about your Topic.

you can also browse the Page for more Information about the 3S Implementation of the OPC UA Server.

Right now from the upcoming FW24 for all Wago Devices, we will use the OPC UA Server Implementation from 3S.
The Wago OPC UA Server will be frozen with FW22.

Best Regards, Alexander


with fw24 the most important settings can be made in the WBM under Fieldbus → OPC UA. There is also a button to restart the runtime.
Best regards

1 Like

Does anyone have found out how to get rid of the BadCertificateHostNameInvalid error ?
It looks we can’t generate a certificate with IP address in CODESYS… I’ve been trying to use the hostname by configuring the DNS server but I still get the error…
Thanks :slight_smile:

I’ve found the solution.

Easy fix - Manually add a hostname entry

  • Open Notepad++ as an Administrator

  • Edit C:\Windows\System32\driver\etc\hosts

  • Add an entry at the end of the file, for instance : PFC200V3-49AEDD

  • Save the file. Now you can use directly the hostname in the OPC UA client, like opc.tcp://PFC200V3-49AEDD:4840
    As it match the hostname in the certificate, there shouldn’t be any warning or error.

State of the art solution - use a local DNS server

  1. Set up a DNS server.
    In case of a WAGO Device, you can enable it in Configuration / Port and services / DNS.
    If it’s the OPC UA Server itself, you just need to enable it. If you have several hosts on your network, then add static hosts.

  2. Add the DNS server to your computer network interface.
    The best option would be to set the DNS server directly in the DHCP server configuration. But you could also add it manually.
    Go to your TCP/IPv4 option, and add a DNS server.
    To avoid to add the “localdomain.lan” suffix, go in Advanced and then add it the suffix list.


Does anyone have successfully create his own certificates using openssl and not CODESYS ?
The aim is to add the IP in the SubjectAltName, which is not part of the CODESYS generated certificates (only DNS is provided).

Sor far here is what I’ve done :

Create a ssl.conf file :

[ req ]
default_bits = 3072
serial = 0
default_md = sha256
distinguished_name = subject
req_extensions = req_ext
x509_extensions = req_ext
string_mask = utf8only
prompt = no

[ req_ext ]
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment, dataEncipherment, keyCertSign
extendedKeyUsage = critical, serverAuth
subjectAltName = URI:urn:PFC2004G:WAGO:WAGO%20750-8217%20PFC200%20G2%202ETH%20RS%204G:OPCUA:Server,DNS: PFC2004G

[ subject ]
#stateOrProvinceName = YOURSTATE
#localityName = YOURLOCATION
commonName = OPCUAServer@PFC2004G

Generate the RSA private key :

openssl genrsa -out key.pem 3072

Generate the certificate for the server :

openssl req -x509 -days 365 -new -key key.pem -out certificate.pem -config ssl.conf

Transform the PEM certificate in DER format

openssl x509 -outform der -in certificate.pem -out certificate.der

But then when I upload the certificate in the OPC UA Server, even after “Trusting” it in UAExpert, I get a “Bad” error, without more indications…

Any help would be appreciated :slight_smile:

Thank you all for your responses! I just got to play with Firmware 24 today and I am well pleased with the results.

1 Like