Tech Note: 3S Runtime with OPC UA Server

---- The following note only pertains to devices with the CODESYS target from 3S ----

When using the 3S target for the Codesys Store, the runtime has an embeded OPC UA server that is independent of the WAGO OPC UA server that is shown in the Web-Based Management.

To use the embedded OPC UA server feature, you must DISABLE the WAGO OPC UA service under WBM > Feildbus > OPC UA > Configuration.

Version shown:
CODESYS Control for PFC200 SL - v


Good evening,
I am using the 3S target on a 762-5305/8000-002.
Our OPCUA client is an instance of Ignition. We have been unable to pull in the symbol list of the TP600. We have had success with e!Cockpit in the past, but the customer wishes to now use CoDeSys.
In e!Cockpit, we had success without utilizing a certificate. Can this be done in CoDeSys? Is there any documentation I can reference for the OPCUA server pertaining to the TP600 target from 3S?

Thank you,

Hi Barron,

There is a setting in Codesys for allowing anonymous connections.

1 Like

Thank you Mike! I will give this a try soon. I appreciate your feedback!


Hi Barron,

I found a interesting article in the Codesys FAQ about your Topic.

you can also browse the Page for more Information about the 3S Implementation of the OPC UA Server.

Right now from the upcoming FW24 for all Wago Devices, we will use the OPC UA Server Implementation from 3S.
The Wago OPC UA Server will be frozen with FW22.

Best Regards, Alexander


with fw24 the most important settings can be made in the WBM under Fieldbus → OPC UA. There is also a button to restart the runtime.
Best regards

1 Like

Does anyone have found out how to get rid of the BadCertificateHostNameInvalid error ?
It looks we can’t generate a certificate with IP address in CODESYS… I’ve been trying to use the hostname by configuring the DNS server but I still get the error…
Thanks :slight_smile:

I’ve found the solution.

Easy fix - Manually add a hostname entry

  • Open Notepad++ as an Administrator

  • Edit C:\Windows\System32\driver\etc\hosts

  • Add an entry at the end of the file, for instance : PFC200V3-49AEDD

  • Save the file. Now you can use directly the hostname in the OPC UA client, like opc.tcp://PFC200V3-49AEDD:4840
    As it match the hostname in the certificate, there shouldn’t be any warning or error.

State of the art solution - use a local DNS server

  1. Set up a DNS server.
    In case of a WAGO Device, you can enable it in Configuration / Port and services / DNS.
    If it’s the OPC UA Server itself, you just need to enable it. If you have several hosts on your network, then add static hosts.

  2. Add the DNS server to your computer network interface.
    The best option would be to set the DNS server directly in the DHCP server configuration. But you could also add it manually.
    Go to your TCP/IPv4 option, and add a DNS server.
    To avoid to add the “localdomain.lan” suffix, go in Advanced and then add it the suffix list.


Does anyone have successfully create his own certificates using openssl and not CODESYS ?
The aim is to add the IP in the SubjectAltName, which is not part of the CODESYS generated certificates (only DNS is provided).

Sor far here is what I’ve done :

Create a ssl.conf file :

[ req ]
default_bits = 3072
serial = 0
default_md = sha256
distinguished_name = subject
req_extensions = req_ext
x509_extensions = req_ext
string_mask = utf8only
prompt = no

[ req_ext ]
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment, dataEncipherment, keyCertSign
extendedKeyUsage = critical, serverAuth
subjectAltName = URI:urn:PFC2004G:WAGO:WAGO%20750-8217%20PFC200%20G2%202ETH%20RS%204G:OPCUA:Server,DNS: PFC2004G

[ subject ]
#stateOrProvinceName = YOURSTATE
#localityName = YOURLOCATION
commonName = OPCUAServer@PFC2004G

Generate the RSA private key :

openssl genrsa -out key.pem 3072

Generate the certificate for the server :

openssl req -x509 -days 365 -new -key key.pem -out certificate.pem -config ssl.conf

Transform the PEM certificate in DER format

openssl x509 -outform der -in certificate.pem -out certificate.der

But then when I upload the certificate in the OPC UA Server, even after “Trusting” it in UAExpert, I get a “Bad” error, without more indications…

Any help would be appreciated :slight_smile:

Thank you all for your responses! I just got to play with Firmware 24 today and I am well pleased with the results.

1 Like

Tell me how to use the security policy in OPC? Or what are these settings for?
Firmware Revision: 04.04.03(26)


Here is some more information from the manual :slight_smile:

I saw it all. When selecting OPC with any type of encryption, I cannot establish a connection. Therefore, I have doubts that OPC works.
I tried to create OPC UA via CODESYS, an error occurred when creating a user and group for OPC UA.
Anonymous login works fine.

I’ve already tried different options. including from the codesys website.
I cannot create a user from codesys, nor can I create a group.
I was able to add a new character set and then set it to administrator. OPC UA is not available with encryption. I am attaching the settings on the web. I have a question: who actually made OPC UA with encryption?
I also created a certificate for OPC UA in the security settings. But I don’t quite understand why it is needed and how exactly it works.

Once you have create a certificate for your OPC UA server (it looks you did it), restart the runtime. Then connect your client (UA expert).
The connection will fail, this is normal.
You need to go back into the security screen, and move the certificate in “Quarantined certificates” into “Trusted certificates”.
Then it should work. More information here : OPC UA Server

The fact is that in the settings I still have two OPC servers left and both with a password

User authentication and certificates are independant.
You can use encrypted communication with or without anonymous login.
Since anonymous login is checked it shouldn’t be a problem.

Now I’m completely confused. Why then is the policy Aes256Sha256RsaPss in the wago OPC UA Configuration settings?

“Aes256_Sha256_RsaPss”, “Basic256Sha256”, “Aes128_Sha256_RsaOaep”, and “None” are security policies.
It defines if communication is encrypted or not, and the algorithm ciphers used.
In order to secure your system, you should disable anonymous login, disable allow password on plaintext and select SignAndEncrypt only.
If you don’t you will still be able to connect without encryption

1 Like

I tried different options, I got an error.
1 option: In this case, two servers are created. Why two and not one?


2 option: If I uncheck the boxes that you wrote about earlier, I get a slightly different error.

I couldn’t connect. How many OPC servers do you have when creating?