Tech Note: 3S Runtime with OPC UA Server

Hi,
These are not two servers, but two different endpoints: one with the hostname and one with the IP address in the endpoint URIs.

Your last picture looks good … normally you only have to look in the quarantine folder of your controller in the Security screen and then move the client's certificate to the trusted folder via drag & drop.

Thank you for your reply. I’ll try it.

  1. Before when there was eCockpit I only had one OPC in my search. There are two now, why? What causes this to happen?
  2. OPC UA will not work without a certificate? Is the time of operation limited to the time of the certificate?

It worked once I moved the certificate from quarantine to trusted.
I have an error when connecting; if I press ignore, a poll occurs. What is this error and how do I treat it?

Hi,
the error refers to the SubjectAlternativeName extension, which shall contain the server's hostname(s) and/or IP addresses. If you connect to the server using its IP address and the certificate only contains the hostname (or the other way round), this error will be thrown.

1 Like

I'm trying to get the Prosys OPC UA Simulation Server communicating with the Edge Controller (FW26) configured as an OPC UA client with the DataSourcesManager.

Everything seems to be normal using the ControlWin, but not with the Edge Controller.
Is there a configuration to do?
I'm using opc.tcp://ipaddress and not the device name, and my CODESYS Communication is updated to 4.5.1.0.

Hi, can you perhaps give us a little more information? What exactly is not working?

I’m using the embedded OPC UA server on a Wago PLC running Codesys.
Is there a way to restart the OPC UA server without restarting the PLC?
I am moving certificates from my PC directly into the trusted folder in the linux file system, and the certificates work, but only after a PLC reboot.

You can restart only the runtime, but I don't think you can restart only the OPC UA server.
You can restart the runtime from the WBM, under Fieldbus / OPC UA.

Thank you for the reply. I'm not using the OPC UA server configurable from the WBM, I think. There is a difference between this and an embedded OPC UA server, as I understand it.
I'll try to attach an image to show that the OPC UA in the WBM is not active.

There is a direct connection! If there is no checkmark, there is no OPC UA; put a checkmark and there will be OPC UA.

I have a question: what is the Log Level for? Where can you see it?


Hello !

I finally managed to use certificates generated by openssl in the OPC UA Server.

Create an ssl.conf file:


[ req ]
default_bits = 3072
serial = 0
default_md = sha256
distinguished_name = subject
req_extensions = req_ext
x509_extensions = req_ext
string_mask = utf8only
prompt = no

[ req_ext ]
basicConstraints = critical, CA:false, pathlen:0
keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment, dataEncipherment, keyCertSign
extendedKeyUsage = critical, serverAuth
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always,issuer:always
subjectAltName = URI:urn:PFC200V3-48117C:WAGO:WAGO%20750-8210%20PFC200%20G2%204ETH:OPCUA:Server,DNS:PFC200V3-48117C.home,IP:192.168.68.210


[ subject ]
#countryName = YOURCOUNTRYCODE
#stateOrProvinceName = YOURSTATE
#localityName = YOURLOCATION
#organizationName = YOURCOMPANYNAMEHERE
commonName = OPCUAServer@PFC200V3-48117C

Adapt the IP address and DNS name in subjectAltName, and also the commonName.

The subjectAltName URI MUST match the Ctrl Configuration Name in the OPC UA configuration, otherwise it will not be detected as an OPC UA server certificate.

Generate the RSA private key:

openssl genrsa -out key.pem 3072

Generate the certificate for the server:

openssl req -x509 -days 365 -new -key key.pem -out certificate.pem -config ssl.conf

Export the certificate in PKCS#12 format:

openssl pkcs12 -export -out certificate.pfx -inkey key.pem -in certificate.pem

(You can fill in a password, or not)

Now, in the CODESYS Security screen, go to your device and click on the folder Own certificates.
Click on the button on the left to upload the certificate you previously created using openssl.

It should be detected as "OPC UA Server"; otherwise there is an error in your ssl.conf file.

Then you can connect using your favorite OPC UA client as usual.
You will have to trust the server certificate at first, and move your client certificate from Quarantined Certificates to Trusted Certificates.

1 Like

Just sharing my findings:

Create an ssl.conf file with the following content:

[ req ]
default_bits = 3072
serial = 0
default_md = sha256
distinguished_name = subject
req_extensions = req_ext
x509_extensions = req_ext
string_mask = utf8only
prompt = no
[ req_ext ]
basicConstraints = critical, CA:false, pathlen:0
keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment, dataEncipherment, keyCertSign
extendedKeyUsage = critical, serverAuth
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always,issuer:always
subjectAltName = URI:urn:PFC200V3-48117C:WAGO:WAGO%20750-8210%20PFC200%20G2%204ETH:OPCUA:Server,DNS:PFC200V3-48117C.home,IP:192.168.68.210
[ subject ]
#countryName = YOURCOUNTRYCODE
#stateOrProvinceName = YOURSTATE
#localityName = YOURLOCATION
#organizationName = YOURCOMPANYNAMEHERE
commonName = OPCUAServer@PFC200V3-48117C

The certificate's subjectAltName must exactly match the name in "Ctrl Configuration Name" in the WBM's OPC UA tab.
You can also add the hostname or even the IP address in this same field (see the configuration above).
Spaces are replaced with "%20".

Generate the private RSA key:

openssl genrsa -out key.pem 3072

Generate the server certificate:

openssl req -x509 -days 365 -new -key key.pem -out certificate.pem -config ssl.conf

In case of import via the Security screen, export the server certificate in PKCS#12 format (you will need to enter a password because the pfx format contains the private key):

openssl pkcs12 -export -out certificate.pfx -inkey key.pem -in certificate.pem

In the case of importing directly to the controller, export the certificate in DER format:

openssl x509 -outform der -in certificate.pem -out certificate.der

The .der file should be named after the SHA1 fingerprint of the certificate. To get the SHA1 (the input is DER, so openssl must be told so with -inform DER):

openssl x509 -in certificate.der -inform DER -outform DER | sha1sum

(or, from the PEM file: openssl x509 -in certificate.pem -noout -fingerprint -sha1, which prints the same digest in upper case with colons)

Rename the .der file with the resulting SHA1 fingerprint:

mv certificate.der 47fafffddc0a5851e0d477dd807fc18fb05fa306.der

Transfer the certificate to the PLC, into /home/codesys_root/.pki/own/cert/
Example command in a Linux environment:

scp 47fafffddc0a5851e0d477dd807fc18fb05fa306.der root@192.168.68.203:/home/codesys_root/.pki/own/cert/

Check the permissions on the certificate. Certificates in the folder /home/codesys_root/.pki/own/cert must have the following rights: -rw-rw-r--
(ls cannot take an scp-style remote path, so run it on the PLC over ssh)

ssh root@192.168.68.203 ls -l /home/codesys_root/.pki/own/cert/

Example results:

-rw-rw-r-- 1 root admin 942 Oct 10 14:03 3c92967425b62f6a177c9e058e3ff1a43b3a4450.der
-rw-r--r-- 1 root admin 1288 Oct 22 09:02 47fafffddc0a5851e0d477dd807fc18fb05fa306.der

To give the correct permissions (again on the PLC):

ssh root@192.168.68.203 chmod 664 /home/codesys_root/.pki/own/cert/47fafffddc0a5851e0d477dd807fc18fb05fa306.der

ssh root@192.168.68.203 ls -l /home/codesys_root/.pki/own/cert/

Example results:

-rw-rw-r-- 1 root admin 942 Oct 10 14:03 3c92967425b62f6a177c9e058e3ff1a43b3a4450.der
-rw-rw-r-- 1 root admin 1288 Oct 22 09:02 47fafffddc0a5851e0d477dd807fc18fb05fa306.der

To verify that the certificates are recognized as OPC UA certificates in CODESYS, open the Security screen in CODESYS.
In the Devices tab, click on the device. The OPC UA Server must have a certificate. If it doesn't, the certificate does not comply with the rules above.

We can also check that, after connecting with UaExpert, there is no new certificate in quarantine: a new one would indicate that the certificate configured in UaExpert does not correspond to the one added to the Trusted section (trustworthy certificates).


I've not been able to generate the client (UaExpert) certificate.

If someone finds a way, I'm interested.

2 Likes
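As an added example (not code from the posts above, nor from WAGO or CODESYS): a small Python helper that encodes the two SAN rules the thread works through. It builds the subjectAltName line for ssl.conf from the WBM "Ctrl Configuration Name" (spaces as %20) plus the hostnames and IPs clients will use, parses a SAN back out of the text printed by `openssl x509 -noout -ext subjectAltName`, and checks an endpoint URL against it, which is the check behind the SubjectAlternativeName error explained earlier in the thread (connecting by IP when the certificate only names the host, or the other way round). It also names a DER file the way the posts describe (SHA-1 of the DER). The sample SAN text is constructed to match the certificate built above; the short hostname without ".home" is an assumed example of a mismatch, and port 4840 is assumed as the OPC UA default. Standard library only.

```python
"""SAN helpers for an OPC UA server certificate on a CODESYS PLC.

Added example, not from the original thread or from WAGO/CODESYS. Rules encoded:
  * the URI SAN entry must equal the WBM "Ctrl Configuration Name", spaces as %20,
    and the SAN should also list the hostname(s)/IP(s) clients put in the endpoint URL;
  * the "SubjectAlternativeName" error on connect means the host part of the
    endpoint URL (name or IP) is not among the certificate's SAN entries.
"""
from __future__ import annotations

import hashlib
import ipaddress
from urllib.parse import quote, urlsplit


def application_uri(ctrl_configuration_name: str) -> str:
    """Encode the WBM name as the URI that goes into the SAN: spaces -> %20,
    ':' and an already present '%' are kept so urn: names survive unchanged."""
    return quote(ctrl_configuration_name, safe=":/%")


def san_config_line(ctrl_configuration_name: str, dns_names, ip_addresses) -> str:
    """Build the `subjectAltName = ...` line for the [req_ext] section of ssl.conf."""
    entries = ["URI:" + application_uri(ctrl_configuration_name)]
    entries += ["DNS:" + name for name in dns_names]
    # ip_address() rejects typos and normalises the textual form.
    entries += ["IP:" + str(ipaddress.ip_address(ip)) for ip in ip_addresses]
    return "subjectAltName = " + ",".join(entries)


def parse_openssl_san(text: str) -> list[tuple[str, str]]:
    """Parse `openssl x509 -noout -ext subjectAltName` output into (type, value) tuples.
    openssl separates entries with ', ' and writes IPs as 'IP Address:...'; only the
    first ':' separates type from value, so URNs keep their own colons."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("X509v3 Subject Alternative Name"):
            continue
        for item in line.split(", "):
            kind, _, value = item.partition(":")
            entries.append(("IP" if kind == "IP Address" else kind, value))
    return entries


def san_covers_endpoint(san_entries, endpoint_url: str) -> bool:
    """True if the host in an opc.tcp:// endpoint URL is named by the SAN set.
    DNS names compare case-insensitively; IP literals compare as parsed addresses."""
    host = urlsplit(endpoint_url).hostname  # lower-cased, IPv6 brackets stripped
    if not host:
        raise ValueError(f"no host in endpoint URL {endpoint_url!r}")
    try:
        target_ip = ipaddress.ip_address(host)
    except ValueError:
        target_ip = None
    for kind, value in san_entries:
        if target_ip is not None and kind == "IP":
            try:
                if ipaddress.ip_address(value) == target_ip:
                    return True
            except ValueError:
                continue
        elif target_ip is None and kind == "DNS" and value.lower() == host:
            return True
    return False


def covered_endpoints(san_entries, port: int = 4840) -> list[str]:
    """Endpoint URLs a client can use without hitting the SAN mismatch error."""
    urls = []
    for kind, value in san_entries:
        if kind == "DNS":
            urls.append(f"opc.tcp://{value}:{port}")
        elif kind == "IP":
            ip = ipaddress.ip_address(value)
            urls.append(f"opc.tcp://{f'[{ip}]' if ip.version == 6 else ip}:{port}")
    return urls


def der_filename(der_bytes: bytes) -> str:
    """File name expected under .pki/own/cert/: lower-case SHA-1 hex of the DER + '.der'."""
    return hashlib.sha1(der_bytes).hexdigest() + ".der"


if __name__ == "__main__":
    # Constructed sample modelled on openssl's output for the certificate built in
    # the posts above (not captured from a real device).
    SAMPLE_SAN_TEXT = """X509v3 Subject Alternative Name:
    URI:urn:PFC200V3-48117C:WAGO:WAGO%20750-8210%20PFC200%20G2%204ETH:OPCUA:Server, DNS:PFC200V3-48117C.home, IP Address:192.168.68.210
"""
    san = parse_openssl_san(SAMPLE_SAN_TEXT)
    print(san_config_line("urn:PFC200V3-48117C:WAGO:WAGO 750-8210 PFC200 G2 4ETH:OPCUA:Server",
                          ["PFC200V3-48117C.home"], ["192.168.68.210"]))
    for url in ("opc.tcp://192.168.68.210:4840", "opc.tcp://pfc200v3-48117c.home:4840",
                "opc.tcp://PFC200V3-48117C:4840"):  # short name: not in the SAN -> mismatch
        print(url, "->", "ok" if san_covers_endpoint(san, url) else "SubjectAlternativeName mismatch")
    print("usable endpoints:", covered_endpoints(san))
```

Run it after `openssl x509 -noout -ext subjectAltName -in certificate.pem` to see which endpoint URLs the certificate actually covers before pointing UaExpert at the PLC; if the URL you want is not listed, add its host or IP to the subjectAltName line and regenerate the certificate rather than clicking "ignore" on the client.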

It’s been very difficult lately with OPC UA.
PFC200 (8212) FW:30
Codesys SP21 P3.
I want a regular connection, but with a password, so that you can simply connect with a password in OPC UA. Can this be done?
I tried different options and see only two:

  1. Anonymous login
  2. Certificates (which is very difficult due to work deadlines and so on)
    I want a simple and reliable way to connect without an expiration date.

Hello,

The server can be configured with a password via 'port authentication', by removing 'Anonymous login' in the WBM, or by 'enforcing' authentication in the CODESYS device settings.
You can leave the selection at All, or None + Signed + Signed_Enc.

As far as I know, the CODESYS client cannot connect with a password without encryption (and therefore without certificates). You can set the certificate expiration date to 10 years, but you will need to refresh the certificates at some point.

I checked several options and I will say that I was not able to do it using a password without certificates. Although I really hoped that I would find some combination.
I don’t like that the certificate has an expiration date. At some point it will end and the customer needs to renew it.

@TomasD For OPC UA, what helped me a lot is the tutorial from WAGO found here: https://www.wago.com/de/lp-danke-onlineseminar-opcua. Unfortunately it is in German, so there may be some language barrier, but the content was extremely helpful in defining the process and order of events when working with certificates etc. (which is important). I managed to get OPC UA up and running quite quickly when following those steps. I attached a PPT that I created from the tutorial which shows the steps at a high level; maybe it will help you in some way.

I am also having trouble setting this up in a more professional manner. I want to give the user an easy way to load certificates onto the PFC where they don't need me to connect via the CODESYS programming environment to move the certificate to the trusted location. I was told by WAGO support that an unconventional way to do this would be to have the user load the certificates to a temp folder on the PFC via FTP or another method, then have a function that takes the contents of the folder (certificate and private keys) and moves them to the trusted folder on the device.

Unfortunately I haven’t been able to find the location of the trusted folder yet (anyone know where that is)? Also I was hoping that I could simply load the certificates / private keys in web based management (Security → Certificates) and it will be automatically moved to the trusted certificates folder but I haven’t tested this yet. My understanding is that this would be the equivalent of loading the certificates via FTP and places them in /etc/certificates/keys/ and /etc/certificates/. Checking the contents of that folder via SSH as root shows there are no certificates in those directories.

OPC-UA.pptx (1.8 MB)

1 Like

I just tested this by loading the certificate to the controller via the WBM. The certificate was placed in the quarantined folder and I had to move it via the CODESYS programming environment to the trusted folder; then I was able to connect via OPC UA. The certificate appeared in the directory /etc/certificates/ as mentioned in the WBM. The only step missing now is: where is the trusted folder on the controller? I can then write a simple program to move the certificates and private keys to that trusted folder. Anyone know where this is?

Thanks for the presentation, it's a lot of work. In general, I understand what is happening and how to do it in UaExpert. I found a bug: you can also try entering any password when connecting with a certificate. You can connect with any password. If there is a certificate, a login and password are generally not needed.

I myself looked for where the trusted certificates are stored in the folder, but I couldn’t find it.

1 Like