cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Showing results for 
Search instead for 
Did you mean: 

Community Tip - Learn all about the Community Ranking System, a fun gamification element of the PTC Community. X

Requirement: Trust certificate from few clients automatically

AK_00908976996
10-Marble

Requirement: Trust certificate from few clients automatically

Goal: I have multiple OPC UA Clients who will connect to the OPC UA Server (Kepserver). Trust every client is getting difficult. I cannot make the Security Policy to "None".

I have created a common CA. Created a server pfx file and imported in Kepserver in OPC UA Configuration Manager>Instance Certificates. 
Imported the CA.dar file in Trusted Client List.
I have created certificates and private keys for Uaexpert and signed them with the same CA.
Created CRL and pasted in C:\ProgramData\Kepware\KEPServerEX\V6\UA\Server\crl

Still I am facing problem while connecting.

AK_10962908_0-1724913658348.png

Is it possible to do this? Is there any other process to achieve the goal? 
Please guide me.

ACCEPTED SOLUTION

Accepted Solutions

I found one way-around to it.
I have created a CA and Imported it into the Trusted Client. 
I have created Certificate and Private key with same CA certificate, which I imported into Trust Client.
Used the .der and .pem files in the OPC UA Client. 
Client (UaExpert) got connected with the server with Basic256Sha256 without trusting the client certificate. 

I generated another set of certificate and key for another client ( SiOME) with the help of same CA. 
SiOME also got connected. In this case also Server doesnot required to Trust the Client certificate. 
 

View solution in original post

6 REPLIES 6
MKhatri
14-Alexandrite
(To:AK_00908976996)

Hello,


I hope this email finds you well.

Thank you for reaching out regarding the addition of a certificate. Kindly refer to the article provided in the link below for detailed instructions on how to proceed:

https://www.ptc.com/en/support/article/CS324697

 

Should you require any further assistance or clarification, please do not hesitate to contact me.

Thank you for your attention to this matter.


Regards,

Mohit

Can KEPSERVEREX run a windows service in the interactive mode or KEPSERVER can use ODBC client generate tags in windows service as runtime?

PLS help me thanks a lot.

MKhatri
14-Alexandrite
(To:RZ_11720924)

Hello,

Yes sir, Kepserverex can be run into Interactive mode.
Please find below article for explanation about interactive mode.


https://www.ptc.com/en/support/article/CS313312
https://www.ptc.com/en/support/article/CS315672
https://www.ptc.com/en/support/article/CS407759

Should you require any further assistance or clarification, please do not hesitate to contact me.

Thank you for your attention to this matter.

 

Regards,

Mohit

 

I am very new to security policies and has limited knowledge around this.

In my current requirement, I have 1 OPC UA Server ( Kepserver) and Multiple clients. 
System Administrator does not want to trust each client each time. 
He needs some solution where, all clients should automatically gets connected without trusting. 

What I understand after researching 
1. We can achieve the same if The Server Certificate and all client certificates are signed by a common CA. 
2. If CA is already trusted on the OPC UA Server. 
3. By Using some GDS Push Pull Server. ( PKI )
I am not able to find anything on the web how to perform with specifically with Kepserver. 

I need to do some PoC to test this functionality (With Kepserver and UA Expert and some other OPCUA client).  Need your support on this.



I found one way-around to it.
I have created a CA and Imported it into the Trusted Client. 
I have created Certificate and Private key with same CA certificate, which I imported into Trust Client.
Used the .der and .pem files in the OPC UA Client. 
Client (UaExpert) got connected with the server with Basic256Sha256 without trusting the client certificate. 

I generated another set of certificate and key for another client ( SiOME) with the help of same CA. 
SiOME also got connected. In this case also Server doesnot required to Trust the Client certificate. 
 

MKhatri
14-Alexandrite
(To:AK_00908976996)

Hello,

I am glad you were able to achieve the needed output.  

 

Regards,

Mohit

Announcements


Top Tags