OPC UA Security Settings
On the OPC UA Security Settings page you can manage OPC UA certificates for the client and server. Trusted certificates can be imported and quarantined certificates can be marked as trusted.
The Security Settings page is located under the Gateway's Connections section, under OPC > Security Settings.
Client and Server Tabs
Both the Client and Server tabs allow you to view OPC UA security certificates. The Client tab contains certificates the Gateway uses when acting as an OPC UA client, while the Server tab contains certificates the Gateway uses when acting as an OPC UA server. Both tabs offer the same options for managing certificates.
Upload a Trusted Certificate
The steps for uploading trusted certificates are the same whether you're on the Client tab or the Server tab. To upload a trusted certificate, do the following.
- On the Gateway Webpage Connections tab, select OPC > Security Settings.
- Click the Client tab or Server tab, depending on which certificate you're uploading.
- Click Upload Trusted Certificate.
- Navigate to the location of the certificate on your system and click Open. Alternatively, you can drag the certificate file onto the page.
- If the upload was successful, you'll see the name of the certificate and a success message. The certificate will appear in the Trusted Certificates list.
Download a Trusted Certificate
To download a trusted certificate, do the following.
- Next to the certificate name, click the three dot menu and select Download.
- The certificate is downloaded to your system by your web browser.
Delete a Trusted Certificate
To delete a trusted certificate, do the following.
- Next to the certificate name, click the three dot menu and select Delete.
- The certificate is deleted.
To view more information about a trusted certificate, use the Expand icon.
OPC Security Settings Page Details
Trusted Certificates
Column Name | Description |
---|---|
Common Name | Name of the certificate. |
SHA-1 Fingerprint | The SHA-1 (Secure Hash Algorithm 1) fingerprint is the unique identifier of the certificate. |
Expiration | Date the certificate will expire. |
Additional Information
Column Name | Description |
---|---|
CN | Common Name |
O | Organization, usually the legal incorporated name of a company. |
OU | Organizational Unit |
L | Locality (Town or City) |
ST | State |
C | Country, the two-letter ISO code for the country where the organization is located. |
Quarantined Certificates
If you import a certificate that is not trusted, it will appear under the Quarantined Certificates list. From here you can expand the certificate details, Trust the certificate, or Delete it.
Certificates Tab
The Certificates tab shows the trusted certificates for the OPC UA client and server on the Gateway. From this tab the certificates can be examined by expanding the dropdown. The certificates can be downloaded by clicking the three dot menu and selecting Download. This will perform the same action as downloading a certificate from the Client tab as described above.
The Certificates tab menu options also include a Regenerate option. Selecting this will create a new certificate.
Regenerate Current Certificates
All certificates have a finite life span. For example, the default life span for an Ignition-generated OPC UA certificate is three years. Any OPC UA connection, even the default loopback connection to Ignition's own server, will stop working if the certificate expires or is invalid.
Regenerating a certificate creates a new certificate with an expiration date three years from the time of regeneration. If your private key is somehow compromised, regenerating the Client or Server certificate also ensures that the compromised private key will no longer work with the Ignition Gateway.
Newly regenerated certificates are automatically trusted by the Gateway issuing them.
Note that regenerating a server certificate requires restarting the OPC UA module.
Regenerating a client certificate lets you specify the duration of the new certificate. Regenerating a server certificate lets you specify the duration as well as the DNS names and IP addresses to be included in the Subject Alternative Name (SAN) fields.
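The following Go program is an added example, not code from the Ignition documentation or product. It reads back the fields the Trusted Certificates table shows (Common Name, SHA-1 fingerprint, expiration) and the SAN entries a regenerated server certificate carries, so an operator can compare a downloaded certificate file against the page before trusting a quarantined entry or decide when a regenerate is due. It assumes the fingerprint column is the usual SHA-1 over the certificate's DER encoding; the sample certificate, its Common Name, DNS name and IP address are constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha1"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"strings"
	"time"
)

// Fingerprint computes the value shown in the page's SHA-1 Fingerprint
// column: SHA-1 over the certificate's DER bytes, written AA:BB:CC:...
func Fingerprint(der []byte) string {
	sum := sha1.Sum(der)
	return strings.ReplaceAll(fmt.Sprintf("% X", sum[:]), " ", ":")
}

// DaysUntilExpiry is negative once the certificate has expired; connections
// (including the loopback one) fail at that point, so regenerate before it.
func DaysUntilExpiry(cert *x509.Certificate, now time.Time) int {
	return int(cert.NotAfter.Sub(now).Hours() / 24)
}

// SampleServerCert is a constructed self-signed certificate shaped like a
// regenerated Gateway server certificate: three-year life, DNS and IP SANs.
func SampleServerCert() []byte {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "Ignition OPC UA Server"},
		NotBefore:    time.Now(),
		NotAfter:     time.Now().AddDate(3, 0, 0),
		DNSNames:     []string{"gateway.example.internal"},
		IPAddresses:  []net.IP{net.ParseIP("10.0.0.5")},
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	return der
}

func main() {
	der := SampleServerCert()
	cert, _ := x509.ParseCertificate(der)
	fmt.Println(cert.Subject.CommonName, Fingerprint(der), cert.DNSNames, DaysUntilExpiry(cert, time.Now()))
}
```

To inspect a certificate downloaded from the Gateway instead, read the file's bytes and pass them to x509.ParseCertificate and Fingerprint in place of SampleServerCert.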