Managing Certificates for the OPC UA Client

Overview

The OPC UA client provided on the Modicon M262 Logic/Motion Controller supports secured communication using TLS (Transport Layer Security).

In the context of TLS, certificates can be used to verify the identity of the communication partners. Certificates are exchanged while the connection is being established, in what is known as the TLS handshake. Only if the verification of the certificate succeeds can a connection with the communication partner be established.

If the connection with the OPC UA server cannot be established, it might be that the result of the certificate verification was unsuccessful.

To solve such an issue, consider the following points:

- Verify whether the OPC UA server accepts only connections with trusted certificates. If so, verify that the certificate of the controller is added to the list of trusted certificates.

- Verify whether your application is configured to accept only connections with trusted certificates. In this case, verify that the received certificate is added to the list of trusted certificates.

The certificate of the communication partner should always be verified for authenticity. This helps to prevent unintentionally accepting a connection with an unauthorized device or service. For this, the certificate of the communication partner or the certificate of its issuer must be classified as trusted beforehand.

The main purpose of this document is to describe two things:

- How you can declare a digital server certificate as trusted for the OPC UA client provided on the M262 controller.

- How you can obtain the digital certificate of the controller in order to transfer it manually to the M262 server.

General Workflow

The following steps describe the OPC UA client certificate management workflow using manually exchanged certificates between client and server:

Step 1: Obtain the client certificate for the Modicon M262 Logic/Motion Controller. Refer to the section Obtain the Controller Certificate below.

Step 2: Transfer the Modicon M262 Logic/Motion Controller certificate to the server.

Step 3: Verify that the server trusts the M262 OPC UA client certificate.

Step 4: Obtain the server certificate.

Step 5: Download the server certificate to the Modicon M262 Logic/Motion Controller. Refer to the section Download the Server Certificate to the Modicon M262 Logic/Motion Controller below.

Step 6: Declare the received server certificate as a trusted certificate. Refer to the section Declare a Received Certificate as a Trusted Certificate below.

Step 7: Connect the M262 OPC UA client with the server.

The following steps describe the OPC UA client certificate management workflow using automatically exchanged certificates between client and server:

Step 1: Attempt to connect the M262 OPC UA client with the server. (Without the trusted server certificate, this first connection is expected to be unsuccessful, but it allows the M262 OPC UA client to exchange certificates automatically with the server.)

Step 2: Verify that the server trusts the M262 OPC UA client certificate.

Step 3: Declare the received server certificate as a trusted certificate. Refer to the section Declare a Received Certificate as a Trusted Certificate below.

Step 4: Connect the M262 OPC UA client with the server.

Declare a Digital Certificate as Trusted

For the M262 controller, each unknown or untrusted certificate received with the TLS handshake during the initialization of an OPC UA connection is stored in a dedicated folder on the controller. This folder, as well as the folder containing the trusted certificates, can be accessed via the Web server of the controller. There you can see the rejected (untrusted) certificates and the trusted ones, and decide whether a certificate should be declared as trusted.

From the webpage Certificates on the Web server of the controller, you can move the received certificates (from OPC UA servers or clients) from the folder Rejected to Trusted. In the same way, certificates which are already trusted can be downgraded to rejected (untrusted).

NOTE: For managing the certificates, a secured connection to the Web server of the controller (via https://) is required.

For further information about the Web server, refer to Modicon M262 Logic/Motion Controller Programming Guide\...\Maintenance: Certificates Submenu.

Obtain the Controller Certificate

You may need to transfer the digital certificate of the controller manually to the OPC UA server. The M262 controller has its own self-signed certificate that is created on the first power-on of the controller. This certificate can be obtained using the Security Screen in EcoStruxure Machine Expert Logic Builder, proceeding as described in the following table.

Step 1: Open the EcoStruxure Machine Expert Logic Builder and create a project with the corresponding M262 controller.

Step 2: In the EcoStruxure Machine Expert Logic Builder, open the Security Screen editor from the View menu.

Step 3: Switch to the Devices tab of the Security Screen.

Step 4: Click the button Refresh the list of available devices and their certificate stores.
        Result: The display is updated according to the information received from the connected controller.

Step 5: Select the Own Certificates tab.

Step 6: Select the certificate from the list on the right-hand side of the Security Screen editor, and click the Upload the selected certificate from the device and save it to your PC button.
        See the figure below.

Step 7: In the Save as dialog, navigate to a folder on your PC where you want to save the certificate file and click the Save button.

[Figure: Security Screen editor, Own Certificates tab, as described in step 6]

Also refer to chapter Security Screen Editor in the How To Manage Certificates User Guide.

Download the Server Certificate to the Modicon M262 Logic/Motion Controller

Step 1: Open EcoStruxure Machine Expert.

Step 2: Create a project corresponding to your Modicon M262 Logic/Motion Controller.

Step 3: Configure the communication settings of the controller.

Step 4: Open the Security Screen.
        Also refer to chapter Security Screen Editor in the How To Manage Certificates User Guide.
        NOTE: The Security Screen is represented by a shield icon in the lower right corner of the EcoStruxure Machine Expert window.

Step 5: Open the Devices tab of the Security Screen.

Step 6: Click the Refresh button.

Step 7: Select your M262 controller.

Step 8: Select the Untrusted Certificates tab.

Step 9: Click the Download Certificate button (on the left-hand side).

Step 10: Select the folder on your computer where the server certificate is located and select the certificate file to download.

Step 11: Click the Open button.
        NOTE: To update the certificate lists present in the Security Screen, a controller reboot is required.

Declare a Received Certificate as a Trusted Certificate

Step 1: Log in to the Web server of your controller by launching an Internet browser and entering the address https://<your_controller_ip_address>/

Step 2: Enter your user credentials.

Step 3: Select the Maintenance tab.

Step 4: Select the Certificates submenu on the left-hand side.

Step 5: Select the OPC UA certificate in the Rejected list (untrusted).
        NOTE: Verify that you either uploaded the desired certificate (through the EcoStruxure Machine Expert Security Screen) or that you have already tried to connect to this OPC UA server before.

Step 6: Click the >> button to move the certificate to the Trusted list.
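Before moving a certificate from the Rejected list to the Trusted list (step 5 above), confirm that it really is the server's certificate: compare its SHA-256 fingerprint with the value the server administrator gives you out of band, and check that it is still inside its validity period. The following script is an added example, not part of the Schneider Electric guide; it uses only the Python standard library, reads the validity dates with a minimal DER walker, and runs on a constructed, unsigned certificate stand-in (SAMPLE_DER / SAMPLE_PEM) in place of an exported certificate file, whose format (PEM or DER) is an assumption.

```python
import base64, hashlib, hmac, re
from datetime import datetime, timezone

def to_der(cert):  # PEM or DER bytes in (an exported certificate may be either), DER out
    if cert.lstrip().startswith(b"-----BEGIN"):
        return base64.b64decode(b"".join(l for l in cert.splitlines() if not l.startswith(b"-----")))
    return cert

def fingerprint_sha256(cert):  # colon-separated SHA-256, the form OpenSSL and most OPC UA servers show
    digest = hashlib.sha256(to_der(cert)).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, 64, 2))

def _tlv(buf, pos):  # read one DER tag/length/value at pos -> (tag, value, position after it)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length: low bits give the byte count of the real length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _time(tag, raw):  # UTCTime (0x17, YYMMDD...; YY >= 50 means 19YY per RFC 5280) or GeneralizedTime (0x18)
    s = raw.decode("ascii").rstrip("Z")
    if tag == 0x17:
        s = ("19" if int(s[:2]) >= 50 else "20") + s
    return datetime.strptime(s, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)

def validity(cert):  # (notBefore, notAfter), walked Certificate -> tbsCertificate -> validity
    _, tbs, _ = _tlv(_tlv(to_der(cert), 0)[1], 0)
    tag, _, pos = _tlv(tbs, 0)       # explicit version [0] is optional
    skip = 3 if tag == 0xA0 else 2   # [serialNumber,] signature AlgorithmIdentifier, issuer Name
    for _ in range(skip):
        _, _, pos = _tlv(tbs, pos)
    _, val, _ = _tlv(tbs, pos)
    t1, nb, pos = _tlv(val, 0)
    t2, na, _ = _tlv(val, pos)
    return _time(t1, nb), _time(t2, na)

def safe_to_trust(cert, expected_fp, now=None):
    """True only if the fingerprint equals the value obtained out of band AND the cert is currently valid."""
    now = now or datetime.now(timezone.utc)
    got = fingerprint_sha256(cert).replace(":", "")
    want = re.sub(r"[^0-9A-Fa-f]", "", expected_fp).upper()
    nb, na = validity(cert)
    return hmac.compare_digest(got, want) and nb <= now <= na

# Constructed, unsigned stand-in for a controller certificate: only the fields validity() walks are filled in.
SAMPLE_DER = (b"\x30\x2e\x30\x2c"                          # Certificate SEQ, tbsCertificate SEQ
              b"\xa0\x03\x02\x01\x02" b"\x02\x01\x01"      # version [0] v3, serialNumber 1
              b"\x30\x00\x30\x00"                          # signature alg, issuer: empty placeholders
              b"\x30\x1e\x17\x0d" b"240101000000Z" b"\x17\x0d" b"340101000000Z")  # validity
SAMPLE_PEM = b"-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(SAMPLE_DER) + b"-----END CERTIFICATE-----\n"
```

For a real file, pass the bytes read from the exported certificate instead of SAMPLE_DER; a False result means the certificate should stay in the Rejected list.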

Declare a Received Certificate as an Untrusted Certificate

Step 1: Log in to the Web server of your controller by launching an Internet browser and entering the address https://<your_controller_ip_address>/

Step 2: Enter your user credentials.

Step 3: Select the Maintenance tab.

Step 4: Select the Certificates submenu on the left-hand side.

Step 5: Select the OPC UA certificate in the Trusted list.
        NOTE: Verify that you either uploaded the desired certificate (through the EcoStruxure Machine Expert Security Screen) or that you have already tried to connect to this OPC UA server before.

Step 6: Click the << button to move the certificate to the Rejected list (untrusted).

NOTE: Move certificates that are no longer active/needed to the Rejected list. This prevents unintentional connections to the OPC UA server.