Certificate exchange

To secure the communication connection at the transport layer via a secure endpoint, mutual trust must be established between client and server. By default, both the TwinCAT OPC UA Server and the TwinCAT OPC UA Client generate a machine-specific, self-signed key pair consisting of a public and a private key when they are started for the first time. However, you can also use any certificate authority or technology for integration into your IT infrastructure, e.g. Active Directory or OpenSSL. For simple administration and secure access to certificates, it makes sense to set up a Global Discovery Server.

To establish a trust relationship between an OPC UA Client and the TwinCAT OPC UA Server, you need the public key of the client certificate, and the server must trust it. The server manages the trust settings for client certificates in a subdirectory of the application directory.

The following diagram illustrates the relationship between the client and server certificate when establishing a secure communication connection:

Certificate exchange 1:

The client transmits its public key with the CreateSession Request. The server then has the option of checking the trust relationship. If the server trusts the client, it transmits its own public key in its response. The client therefore also has the option of checking the trust relationship with the server.

If mutual trust is ensured, the communication connection is initiated. The server's public key is used to encrypt a request from the client to the server; the response from the server to the client is then encrypted with the client's public key. Each communication participant can decrypt the received message with its own private key.

Signing works the other way round: a message is signed with the sender's private key. Since the recipient knows the sender's public key, it can verify the signature.

Configure trust relationship via file system

By moving client certificates between the trusted and rejected directories, the trust settings can be adjusted accordingly. The first time a client attempts to connect to a secure endpoint, the public key of its certificate is automatically stored in the directory for rejected certificates. If you then move the public key to the directory for trusted certificates, the client is trusted at the next connection attempt and can connect.

Certificate exchange 2:

AutomaticallyTrustAllClientCertificates

If this configuration option is enabled in the server, the server automatically trusts all client certificates. In this case, they will not be listed in any of the above directories.
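As an added example (not Beckhoff's code), the following Python models the trust decision described above: the public key of an unknown client is filed in the rejected directory, an operator moves it to the trusted directory, and the next connection attempt succeeds, while AutomaticallyTrustAllClientCertificates accepts every client without filing anything. The directory names, the thumbprint file-naming convention and the certificate bytes are constructed assumptions, not the server's actual layout.

```python
import hashlib
import tempfile
from pathlib import Path

# Assumed directory names under the server's PKI root (not the real paths).
TRUSTED = "trusted"
REJECTED = "rejected"


def thumbprint(cert_der: bytes) -> str:
    """File name for a stored public key: SHA-1 over the DER bytes (assumed convention)."""
    return hashlib.sha1(cert_der).hexdigest().upper() + ".der"


class TrustStore:
    """Models the server-side trust check performed on a CreateSession request."""

    def __init__(self, root: Path, auto_trust_all: bool = False):
        self.root = Path(root)
        self.auto_trust_all = auto_trust_all  # AutomaticallyTrustAllClientCertificates
        for sub in (TRUSTED, REJECTED):
            (self.root / sub).mkdir(parents=True, exist_ok=True)

    def path_for(self, sub: str, cert_der: bytes) -> Path:
        return self.root / sub / thumbprint(cert_der)

    def check_client(self, cert_der: bytes) -> bool:
        """True if the client is trusted; unknown certificates are filed as rejected."""
        if self.auto_trust_all:
            return True  # everything accepted, nothing written to either directory
        if self.path_for(TRUSTED, cert_der).exists():
            return True
        self.path_for(REJECTED, cert_der).write_bytes(cert_der)
        return False

    def trust(self, cert_der: bytes) -> None:
        """Operator action: move the public key from rejected to trusted."""
        src, dst = self.path_for(REJECTED, cert_der), self.path_for(TRUSTED, cert_der)
        if src.exists():
            src.rename(dst)
        else:
            dst.write_bytes(cert_der)


def demo(auto_trust_all: bool = False) -> dict:
    """Two connection attempts around an operator moving the key; runs in a temp dir."""
    with tempfile.TemporaryDirectory() as d:
        store = TrustStore(Path(d), auto_trust_all)
        cert = b"constructed-client-certificate-der-bytes"  # stand-in for a real DER cert
        first = store.check_client(cert)
        filed = store.path_for(REJECTED, cert).exists()
        store.trust(cert)
        second = store.check_client(cert)
        return {"first": first, "filed_as_rejected": filed, "second": second,
                "still_rejected": store.path_for(REJECTED, cert).exists()}
```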

Configure the trust relationship using the configurator

You can also configure the trust settings via the Configurator. The TwinCAT OPC UA Configurator includes a graphical user interface for this purpose.

Certificate exchange 3: