03/18/2019
Hi,
We have a Microsoft PKI system for certificates for third-party applications on the network. Can we use this PKI for OPC UA?
OPC UA or OPC DA in general is not my field, but I am trying to assist… so does anyone have any good documentation when it comes to PKI and OPC UA, hopefully with an MS PKI? Or should I only go for OPC UA GDS, as I understand this is like OPC UA's own PKI system, or am I misunderstanding?
Thanks for any reply.
/R
Andreas
05/30/2017
UA certificates require PKI infrastructure to manage.
You can use a GDS that is integrated with Microsoft PKI:
https://azure.microsoft.com/en…..-everyone/
05/30/2017
The GDS is a front end for whatever certificate management system you need to use. It provides a standard API which applications can be designed to use so it is no longer necessary to manually configure certificates or use mechanisms that only work with 1 vendor’s certificate management system.
If a GDS is not available then the fallback is manual configuration, which is feasible for <10 computers. For any large system you need a GDS or security configuration will be a nightmare.
GE offers a standalone GDS. Other vendors will have products on the market soon plus you have the open source .NET GDS which you could update. I also believe the Azure GDS has a local version that would work for you. You need to check with MS.
03/18/2019
Hi,
Still not sure how everything is connected, the recommendations, and the possibilities… sorry for the lack of knowledge, but I am trying 🙂
So… I could have the following scenarios:
1. I have an environment with a Microsoft PKI system and I have several OPC UA servers. GDS is not available (as I understand it, this is its own application/service), so I must use manual configuration. Each OPC UA server must send a request to the CA and I must sign a certificate.
2. I have an environment with a Microsoft PKI system and I have several OPC UA servers. GDS is available, so the OPC UA servers will automatically register with this GDS software and automatically get certificates from the Microsoft PKI somehow.
3. I have an environment with a GDS PKI system and I have several OPC UA servers. GDS is available, so the OPC UA servers will automatically register with this GDS software and automatically get certificates from the GDS PKI system.
Also, when it comes to PLC systems that communicate through OPC UA, these do not have a Windows operating system; how will these interact with a PKI system? Do they always have a web interface where I can make a certificate request from?
Thanks for the good support, and for educating me 🙂
/R
Andreas
05/30/2017
The registration process with the GDS requires administrator action; however, administrators use a UI instead of copying files around. The UI can also remotely update Servers, so you do not need to be logged onto the Server machine.
Unfortunately, not every server supports the GDS API yet, so some servers may still need to be manually configured; however, if users demand it, the vendor should provide support for the GDS API in the future.
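The "copying files around" that the replies describe for manual configuration is the OPC UA trust-list workflow: a peer's certificate lands in the application's rejected store on first contact, and an administrator moves it into the trusted store. The defensive step that makes this safe is checking the certificate's thumbprint against a value the other side's administrator supplied out of band before trusting it. The script below is an added example, not code from the thread, the OPC Foundation, or any vendor stack; it assumes a `rejected/certs` and `trusted/certs` directory layout (vendor stores may name these differently) and uses a constructed byte string in place of a real DER certificate, since only the hash of the DER encoding matters here.

```python
"""Manual OPC UA trust-list administration with thumbprint verification.

OPC UA identifies a certificate by the SHA-1 hash of its DER encoding (the
"thumbprint"). An administrator approving a rejected peer certificate should
compare that thumbprint with one obtained out of band (e.g. read off the PLC's
own configuration) before moving the file into the trusted store.
"""
import base64
import hashlib
import os
import shutil
import tempfile

# Assumed store layout; several OPC UA stacks use directories like these,
# but check your own stack's documentation for the exact names.
STORE = {"rejected": os.path.join("rejected", "certs"),
         "trusted": os.path.join("trusted", "certs")}


def pem_to_der(data: bytes) -> bytes:
    """Return the DER bytes of a certificate given either PEM or raw DER."""
    text = data.strip()
    if text.startswith(b"-----BEGIN"):
        body = [ln.strip() for ln in text.splitlines()
                if ln.strip() and not ln.startswith(b"-----")]
        return base64.b64decode(b"".join(body))
    return data


def thumbprint(der: bytes, algo: str = "sha1") -> str:
    """Upper-case hex thumbprint of a DER certificate (SHA-1 per OPC UA)."""
    return hashlib.new(algo, der).hexdigest().upper()


def normalize(tp: str) -> str:
    """Accept thumbprints typed with or without separators, in any case."""
    return tp.replace(":", "").replace(" ", "").upper()


def approve_certificate(store_root: str, filename: str,
                        expected_thumbprint: str) -> tuple:
    """Move a rejected certificate into the trusted store only if its
    thumbprint matches the expected value. Returns (approved, actual)."""
    src = os.path.join(store_root, STORE["rejected"], filename)
    with open(src, "rb") as fh:
        der = pem_to_der(fh.read())
    actual = thumbprint(der)
    if actual != normalize(expected_thumbprint):
        # Mismatch: leave the file in rejected so the decision is auditable.
        return False, actual
    dst_dir = os.path.join(store_root, STORE["trusted"])
    os.makedirs(dst_dir, exist_ok=True)
    shutil.move(src, os.path.join(dst_dir, filename))
    return True, actual


def in_store(store_root: str, which: str, filename: str) -> bool:
    """True if the certificate file is present in the named store."""
    return os.path.exists(os.path.join(store_root, STORE[which], filename))


def build_demo_store() -> tuple:
    """Create a temporary store holding one constructed 'certificate'.
    The bytes are NOT a real X.509 certificate; they stand in for DER data.
    Returns (store_root, filename, expected_thumbprint)."""
    root = tempfile.mkdtemp(prefix="opcua-pki-")
    os.makedirs(os.path.join(root, STORE["rejected"]))
    sample_der = b"\x30\x82\x01\x00constructed-sample-not-a-real-certificate"
    filename = "plc-demo.der"
    with open(os.path.join(root, STORE["rejected"], filename), "wb") as fh:
        fh.write(sample_der)
    return root, filename, thumbprint(sample_der)


if __name__ == "__main__":
    root, name, expected = build_demo_store()
    ok, seen = approve_certificate(root, name, "00" * 20)   # wrong value
    print("wrong thumbprint approved:", ok)                  # False
    ok, seen = approve_certificate(root, name, expected)     # correct value
    print("matching thumbprint approved:", ok, seen)         # True
```

Run it as a script to see one rejected and one approved decision; in real use the expected thumbprint comes from the device owner, never from the certificate file itself, otherwise the check proves nothing.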