OPCUA client/server communications to 3rd party systems in DeltaV simulate V14.3.1 how to import 3rd party trusted certificates

I want to read values into DeltaV via OPCUA. This means DeltaV must act as an OPCUA client to a foreign OPCUA server. I get the following warning in DV14.3.1 simulate:

(PDT1 does not have a server application certificate configured)

I am wondering why I can export an OPCUA server certificate from DeltaV, but I cannot import a certificate from a trusted 3rd party? Is there another way to do this / do I have to do it via Microsoft certificate manager? I can't see an 'import' option, only 'export'.

Where do we store these in DeltaV? From the manual we have:

I have written an OPCUA server. I want Emerson OPCUA client to read from it. Do I have to import its certificate into one of the above stores, and if so, which one?

Likewise, for a 3rd party OPCUA client I can easily export Emerson OPCUA server certificate and import into a 3rd party OPCUA client. However, do I have to import a client OPCUA certificate into the 'Emerson trusted UA users' group?

Also, is it ok to use self-signed certificates in these cases?

Thanks in advance folks!


OPCUA cert background from the Unified Automation website:

To identify itself to communication partners, each installed OPC UA application or devices needs an Application Instance Certificate and an associated public/private key pair. The public key is distributed with the certificate. The private key has to remain secret and is used to sign and/or encrypt messages. A communication partner can use the public key to verify the trust relation, check the signature of messages, and encrypt messages. The Application Instance Certificate, including the public and private key, can either be generated by the application or provided by an administrator.

Certificates issued by the application are called self-signed certificates. They are typically generated during installation of the application or at first start. To establish a trust relation between an OPC UA client and server, the self-signed certificates of the communication partner are installed to the trust list. The client certificate is installed to the trust list of the server and the server certificate to the trust list of the client. If the certificate of an application is removed from the trust list, a communication establishment is no longer possible.

Automation IT MES Engineer.

6 Replies

  • You need to use DeltaV Explorer to import certificate from the server. See below for screen capture.

  • Here's what I know about importing and exporting certificates. You can either use a self signed certificate or one issued by a Certificate Authority (CA-signed). In the OPC UA server or Client properties, you have the option to Generate or Import the Certification for the OPCUA node.

    You would import the CA-signed certificate or Generate a self signed certificate. Notice the max number of days for self signed is 100. Good to get things started, but you don't want to be doing this every 3 months. Looks like a CA certificate is the way to go.

    Once you Generate this certificate you need to export the public key portion of it so you can import this in the other end.  The example above was for an OPC UA client, so I'll import this in the OPC UA Server.  To export the certificate, you right click on the node and select Export Certificate.

    You do the same thing on the Server side.  The exported certificate will have a .cer extension. 

    Now that you have certificates applied to your OPC UA client and Server, and you have exported the .CER public portion (or it was provided by CA-Signed certificate), you use the Clients and Issuers tab to import this public portion.

    When you import here, you can browse to the location of the Exported Certificates. Here I'm applying the OPCUA_Client certificate to the OPC UA Server. I do the same on the Client using the Server certificate.

    From this dialog, you can remove unwanted certificates, Untrust and later Trust again a certificate.  

    If you are using the EIOC OPC UA client, and have redundant networks, you apply the certificate to both networks.

    As for the Certificate Store, I don't know exactly what that does, or if it is for CA-signed certificates.  It doesn't seem to do anything with generated certificates.  I'm still learning on that front.

    Andre Dicaire
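
The exchange of exported .cer files described in this thread, as an added example that is not part of the original posts and is not DeltaV code: it normalises a .cer export (binary DER or Base64) to a thumbprint, refuses an import whose thumbprint does not match the value read out of band, and models the two trust lists from the quoted background text. `UaApp`, `import_peer` and `can_connect` are hypothetical names, and the certificate bytes are constructed stand-ins.

```python
import base64
import hashlib
import re

PEM_RE = re.compile(rb"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

def to_der(cert_bytes: bytes) -> bytes:
    """Return DER bytes whether the .cer export is binary DER or Base64 (PEM)."""
    m = PEM_RE.search(cert_bytes)
    if m:
        return base64.b64decode(b"".join(m.group(1).split()))
    return cert_bytes

def thumbprint(cert_bytes: bytes, algo: str = "sha1") -> str:
    """Hex digest of the DER encoding; SHA-1 is what Windows shows as 'Thumbprint'."""
    return hashlib.new(algo, to_der(cert_bytes)).hexdigest().upper()

class UaApp:
    """Hypothetical model of one OPC UA application: own certificate plus trust list."""

    def __init__(self, name: str, own_cert: bytes):
        self.name = name
        self.own_cert = own_cert
        self.trusted = set()  # thumbprints of imported peer certificates

    def import_peer(self, exported_cer: bytes, expected_thumbprint: str) -> None:
        """Import only if the file matches the thumbprint confirmed out of band."""
        actual = thumbprint(exported_cer)
        expected = expected_thumbprint.replace(" ", "").replace(":", "").upper()
        if actual != expected:
            raise ValueError(f"{self.name}: thumbprint mismatch, not importing")
        self.trusted.add(actual)

    def trusts(self, peer: "UaApp") -> bool:
        return thumbprint(peer.own_cert) in self.trusted

def can_connect(client: UaApp, server: UaApp) -> bool:
    """Assumes a secured session: each side must hold the other's certificate."""
    return server.trusts(client) and client.trusts(server)

# Constructed stand-in bytes, not real certificates; a thumbprint is only a hash.
CLIENT_DER = b"\x30\x82constructed-client-cert"
SERVER_DER = b"\x30\x82constructed-server-cert"
SERVER_PEM = (b"-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(SERVER_DER)
              + b"-----END CERTIFICATE-----\n")
```

With self-signed certificates the thumbprint comparison is the only check that the file imported on one end is the one exported on the other, so read the expected value from the exporting node itself rather than from the transferred file.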

  • In reply to Lun.Raznik:

    The dialog posted by Lun is the dialog for an EIOC OPC UA Client. If you have a redundant network, you would import the certificate for the secondary network. You get a warning the certificate is missing, but if the server is not connected on the secondary, that does not matter. You can load the certificate on the secondary to address that warning.

    Andre Dicaire

  • In reply to Andre Dicaire:

    My memory on this is pretty hazy, but the OPC UA client on the workstation and on the EIOC behave differently.

    On the workstation, if the communication is not using a certificate, you can forgo importing the server certificate.

    On the EIOC, you must import the certificate, otherwise it will not work.

  • In reply to Andre Dicaire:

    Thanks a million Andre!

    Automation IT MES Engineer.

  • In reply to Lun.Raznik:

    Thanks Lun!

    Automation IT MES Engineer.