Configuring OPC UA Services to Use an Existing Certificate

To use an existing certificate with an OPC UA service, confirm the certificate meets the following requirements:

  • At least 2048 bits in length
  • Signed with SHA256 or SHA512
  • Includes a Subject Alternative Name (SAN) extension with a URL (ideally set to the application name), for example: URL=opc.tcp://host/ElevateModelReader

Create a Certificate in PowerShell (if needed)

If you are generating a certificate in PowerShell, use New-SelfSignedCertificate with the -Extension option:

# Build a Subject Alternative Name extension carrying the host name and the application URL
$builder = [System.Security.Cryptography.X509Certificates.SubjectAlternativeNameBuilder]::new()
$builder.AddDnsName("<hostname>")
$builder.AddUri("opc.tcp://<hostname>/ElevateModelReader")
$ext = $builder.Build()
# Pass the SAN extension to New-SelfSignedCertificate alongside your other parameters
$cert = New-SelfSignedCertificate ... -Extension $ext

Place the Certificate Files

  1. Export the certificate to .der format and place it in: C:\ProgramData\Uptake\<service>\<instance>\pki\own\certs

  2. Export the certificate to .pfx format and place it in: C:\ProgramData\Uptake\<service>\<instance>\pki\own\private

Note: .cer format with a .der extension will also work.

Configure Service Settings

Set the following service settings:

  • OPCUASettings:ApplicationCertificateSubject to the certificate subject name
  • OPCUASettings:ApplicationCertificatePassword to the certificate password (if any)
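The following script is an added example, not part of the original article: it checks an installed certificate against the three requirements above, then exports the .der and .pfx files into the pki\own folders and prints the subject to use for OPCUASettings:ApplicationCertificateSubject. It assumes the certificate is in the LocalMachine\My store with an exportable private key; $Thumbprint, <service> and <instance> are placeholders you supply.

```powershell
# Added example (not from the original article). Assumes the certificate lives in
# LocalMachine\My with an exportable private key; placeholders must be replaced.
param(
    [Parameter(Mandatory)][string]$Thumbprint,
    [string]$Service  = '<service>',
    [string]$Instance = '<instance>'
)

$cert = Get-Item "Cert:\LocalMachine\My\$Thumbprint"
$problems = @()

# Requirement: RSA public key of at least 2048 bits
$rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($cert)
if (-not $rsa -or $rsa.KeySize -lt 2048) {
    $problems += "key length must be at least 2048 bits (found: $($rsa.KeySize))"
}

# Requirement: signed with SHA256 or SHA512 (FriendlyName looks like 'sha256RSA')
$sigAlg = $cert.SignatureAlgorithm.FriendlyName
if ($sigAlg -notmatch '^sha(256|512)') {
    $problems += "signature algorithm must be SHA256 or SHA512 (found: $sigAlg)"
}

# Requirement: Subject Alternative Name extension (OID 2.5.29.17) with a URL entry
$san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
if (-not $san -or $san.Format($true) -notmatch 'URL=') {
    $problems += 'SAN extension with a URL entry (e.g. URL=opc.tcp://<host>/<app>) is missing'
}

if ($problems) {
    $problems | ForEach-Object { Write-Error $_ }
    throw 'Certificate does not meet the OPC UA requirements; nothing was exported.'
}

# Export the public certificate as DER to own\certs and the key pair as PFX to own\private
$base = "C:\ProgramData\Uptake\$Service\$Instance\pki\own"
New-Item -ItemType Directory -Force -Path "$base\certs", "$base\private" | Out-Null
Export-Certificate -Cert $cert -FilePath "$base\certs\$Thumbprint.der" -Type CERT | Out-Null
$pfxPassword = Read-Host -Prompt 'PFX password' -AsSecureString
Export-PfxCertificate -Cert $cert -FilePath "$base\private\$Thumbprint.pfx" -Password $pfxPassword | Out-Null

Write-Host "Exported to $base"
Write-Host "Set OPCUASettings:ApplicationCertificateSubject to: $($cert.Subject)"
```

Run it from an elevated PowerShell session, since both the LocalMachine store and C:\ProgramData require administrative rights; the PFX password you enter is the value for OPCUASettings:ApplicationCertificatePassword.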