Certificate exchange
To establish a secure communication connection at the transport layer via a secure endpoint, the client and the server must trust each other. By default, the TwinCAT OPC UA Server and the TwinCAT OPC UA Client each generate a machine-specific, self-signed certificate together with its key pair (a public and a private key) when they are started for the first time. The certificate has a limited validity period.
![]() | Validity period of the certificate The self-signed certificate has a default validity period of 20 years. This is a server-specific setting that can be adjusted as necessary. Instead of the self-signed certificate, you can also use a certificate issued by a certification authority of your choice. In that case we recommend using a Global Discovery Server (GDS) to reduce the administrative workload of distributing and renewing certificates. |
To establish a trust relationship between an OPC UA Client and the TwinCAT OPC UA Server, the server needs the client certificate, i.e. the file containing the client's public key, and must trust it. The server manages the trust settings for client certificates in a subdirectory of its application directory.
The following diagram illustrates the relationship between the client and server certificate when establishing a secure communication connection:

The client transmits its certificate (its public key) with the CreateSession request. The server can then check whether it trusts this certificate. If it does, it returns its own certificate in the response, so that the client can in turn check whether it trusts the server.
If mutual trust is ensured, the communication connection is initiated. Conceptually, a request from the client to the server is encrypted with the server's public key, and the response from the server to the client is encrypted with the client's public key; each participant decrypts a received message with its own private key. In practice OPC UA uses the asymmetric keys in this way only to protect the OpenSecureChannel handshake, in which both sides exchange nonces; the session traffic itself is then signed and encrypted with symmetric keys derived from those nonces.
Signing works the other way round: a message is signed with the sender's private key. Since the recipient knows the sender's public key, it can verify the signature and detect any modification of the message.
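The following script illustrates the asymmetric operations behind the exchange described above. It is an added example, not Beckhoff code: the two RSA key pairs are generated ad hoc instead of being loaded from the TwinCAT certificate files, the request and response payloads are constructed sample strings, and RSA-OAEP with SHA-256 and PKCS#1 v1.5 signatures are assumed paddings chosen for the demonstration (the actual algorithms depend on the security policy of the endpoint).

```powershell
# Added illustration of the handshake described above; this is not Beckhoff
# code. Key pairs are generated ad hoc, the messages are constructed samples,
# and the paddings are assumptions for the demonstration.
$ErrorActionPreference = 'Stop'
$Padding = [System.Security.Cryptography.RSAEncryptionPadding]::OaepSHA256
$Hash    = [System.Security.Cryptography.HashAlgorithmName]::SHA256
$SigPad  = [System.Security.Cryptography.RSASignaturePadding]::Pkcs1

# Each side owns a private key; only the public part is ever handed over.
$clientKey = [System.Security.Cryptography.RSA]::Create()
$serverKey = [System.Security.Cryptography.RSA]::Create()

# What the peer receives with CreateSession: the public parameters only.
# ExportParameters($false) never includes the private key.
$serverPublic = [System.Security.Cryptography.RSA]::Create()
$serverPublic.ImportParameters($serverKey.ExportParameters($false))
$clientPublic = [System.Security.Cryptography.RSA]::Create()
$clientPublic.ImportParameters($clientKey.ExportParameters($false))

# 1. Request client -> server: encrypted with the server's public key,
#    signed with the client's private key.
$request   = [System.Text.Encoding]::UTF8.GetBytes('ReadRequest: ns=4;s=MAIN.nCounter')
$cipher    = $serverPublic.Encrypt($request, $Padding)
$signature = $clientKey.SignData($request, $Hash, $SigPad)

# 2. Server side: only the holder of the server private key can decrypt, and
#    the signature is checked against the client public key the server trusts.
$plain = $serverKey.Decrypt($cipher, $Padding)
$ok    = $clientPublic.VerifyData($plain, $signature, $Hash, $SigPad)
Write-Host ("Server decrypted: {0} (signature valid: {1})" -f [System.Text.Encoding]::UTF8.GetString($plain), $ok)

# 3. Response server -> client: the same scheme with the roles swapped.
$response   = [System.Text.Encoding]::UTF8.GetBytes('ReadResponse: 42')
$respCipher = $clientPublic.Encrypt($response, $Padding)
$respSig    = $serverKey.SignData($response, $Hash, $SigPad)
$respPlain  = $clientKey.Decrypt($respCipher, $Padding)
$respOk     = $serverPublic.VerifyData($respPlain, $respSig, $Hash, $SigPad)
Write-Host ("Client decrypted: {0} (signature valid: {1})" -f [System.Text.Encoding]::UTF8.GetString($respPlain), $respOk)

# 4. Tampering: changing a single byte of the request invalidates the signature.
$tampered = [byte[]]$plain.Clone()
$tampered[0] = $tampered[0] -bxor 0x01
Write-Host ("Tampered request verifies: {0}" -f $clientPublic.VerifyData($tampered, $signature, $Hash, $SigPad))
```

The script only needs the .NET classes that ship with Windows PowerShell 5.1 or PowerShell 7. The decisive point for trust management is step 2: the server can verify the signature only against a client public key it already holds, which is exactly why the client certificate has to be placed in the trusted directory before the connection succeeds.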
Configure trust relationship via file system
By moving client certificates between the trusted and rejected directories, the trust settings can be adjusted accordingly. The client certificate is automatically stored in the directory for rejected certificates the first time the client attempts to connect to a secure endpoint. If you then move the certificate to the directory for trusted certificates, the client is trusted at the next connection attempt and can connect. Before moving a file, compare its thumbprint with the one displayed on the client, since any client that can reach the endpoint can place a certificate in the rejected directory.
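As an added example of this workflow (not Beckhoff's tooling), the following PowerShell function lists the certificates parked in the rejected directory, prints the fields worth checking, and moves exactly the certificate whose SHA-1 thumbprint was confirmed out of band into the trusted directory. The directory parameters, the `PKI\CA\...` layout in the usage call and the thumbprint value are assumptions and placeholders; look up the actual subdirectories in the server's application directory.

```powershell
# Added example of the file-system trust workflow; not Beckhoff's tooling.
# Assumptions: $RejectedDir and $TrustedDir are the server's directories for
# rejected and trusted client certificates, and $ExpectedThumbprint is the
# SHA-1 thumbprint the client operator confirmed out of band.
function Approve-OpcUaClientCertificate {
    param(
        [Parameter(Mandatory)] [string] $RejectedDir,
        [Parameter(Mandatory)] [string] $TrustedDir,
        [Parameter(Mandatory)] [string] $ExpectedThumbprint
    )
    $ErrorActionPreference = 'Stop'
    # Accept "AB:CD:..." as well as "ABCD..." spellings of the thumbprint.
    $wanted = ($ExpectedThumbprint -replace '[:\s]', '').ToUpperInvariant()
    $moved  = $false

    foreach ($file in Get-ChildItem -Path $RejectedDir -File) {
        # The files are DER-encoded X.509 certificates; .NET parses them directly.
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $file.FullName
        $now  = Get-Date
        $state = if ($now -lt $cert.NotBefore -or $now -gt $cert.NotAfter) { 'OUTSIDE validity period' } else { 'valid' }

        # OPC UA application certificates carry the ApplicationUri in the
        # Subject Alternative Name extension (OID 2.5.29.17); show it so the
        # operator can match it against the client's configured URI.
        $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' } | ForEach-Object { $_.Format($false) }

        Write-Host $file.Name
        Write-Host "  Subject    : $($cert.Subject)"
        Write-Host "  Thumbprint : $($cert.Thumbprint)"
        Write-Host "  Validity   : $($cert.NotBefore) .. $($cert.NotAfter) ($state)"
        Write-Host "  SAN        : $san"

        if ($cert.Thumbprint -eq $wanted) {
            if ($state -ne 'valid') { throw "Refusing to trust $($file.Name): certificate is $state" }
            Move-Item -Path $file.FullName -Destination (Join-Path $TrustedDir $file.Name)
            Write-Host "  -> moved to trusted directory"
            $moved = $true
        } else {
            Write-Host "  -> left in rejected directory (thumbprint does not match)"
        }
    }
    if (-not $moved) { Write-Warning "No certificate with thumbprint $wanted found in $RejectedDir" }
}

# Usage with placeholder paths and thumbprint (replace with your installation's values):
Approve-OpcUaClientCertificate `
    -RejectedDir 'C:\<server application directory>\PKI\CA\rejected' `
    -TrustedDir  'C:\<server application directory>\PKI\CA\trusted\certs' `
    -ExpectedThumbprint '<thumbprint shown by the client>'
```

Certificates whose thumbprint does not match stay where they are, and a matching certificate that is expired or not yet valid is refused rather than trusted, so the server's rejected directory is left to document every connection attempt that was not approved.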
![]() | AutomaticallyTrustAllClientCertificates If this configuration option is enabled on the server, it automatically trusts all client certificates. In this case, they are not listed in any of the above directories. Note that this disables the certificate check for clients entirely, so any client that can reach the secure endpoint is accepted; use it only in test setups. |
Configure the trust relationship using the configurator
You can also adjust the trust settings via the Configurator. The TwinCAT OPC UA Configurator includes a graphical user interface for managing the trusted and rejected client certificates.
