Certificate exchange

To secure the communication connection at transport layer via a secure endpoint, it is necessary to establish a mutual trust between client and server. By default, the TwinCAT OPC UA Gateway generates a machine-specific, self-signed key pair consisting of a public and a private key when it is started for the first time. However, you can also use any certificate authority or technology for integration into your IT infrastructure, e.g. Active Directory or OpenSSL. For easy administration and secure access to certificates, it makes sense to set up a Global Discovery Server.

To establish a trust relationship between any OPC UA client and the TwinCAT OPC UA Gateway, you need the public key of the client certificate. The gateway must trust this server accordingly. The gateway manages the trust settings for client certificates in a subdirectory of the application directory.

The following diagram illustrates the relationship between the client and server certificate when establishing a secure communication connection using the example of TwinCAT OPC UA Client and TwinCAT OPC UA Server. In the case of the latter, however, this can also be transferred 1:1 to the gateway.

Certificate exchange 1:

The client transmits its public key with the CreateSession Request. The server then has the option of checking the trust relationship. If the server trusts the client, it transmits its own public key in its response. The client therefore also has the option of checking the trust relationship with the server.

If mutual trust is ensured, the communication connection is initiated. The server's public key is then used to encrypt a request from the client to the server. The response from the server to the client is then encrypted with the client's public key. Both communication participants then have the option of decrypting the received message with their private key.

Messages are signed in reverse: a message is signed with the sender's private key. Since the recipient recognizes the sender's public key, the signature can be verified.

Configure trust relationship via file system

By moving client certificates between the trusted/rejected directories, the trust settings can be adjusted accordingly. The public key of a client certificate is automatically stored in the directory for rejected certificates the first time the client attempts to connect to a secure endpoint. By subsequently moving the public key to the directory for trusted certificates, the client is trusted at the next connection attempt and can connect.

Certificate exchange 2:

Accept all certificates

If this option is enabled in the configuration of the endpoints of the gateway, the gateway automatically trusts all client certificates. In this case, they will not be listed in any of the above directories.

Configure the trust relationship using the configurator

You can also make the trust settings via Configurator. The configurator includes a graphical user interface for configuring the trust settings. You can trust or reject a certificate via the context menu.

Certificate exchange 3: