OPC UA certification Windows PKI|OPC UA Standard|Forum|OPC Foundation

Avatar
Search
Forum Scope


Match



Forum Options



Minimum search word length is 3 characters - maximum search word length is 84 characters
Lost password?
sp_Feed sp_PrintTopic sp_TopicIcon
OPC UA certification Windows PKI
Avatar
Ole Weel
Member
Members
Forum Posts: 4
Member Since:
03/18/2019
sp_UserOfflineSmall Offline
1
02/17/2020 - 11:30
sp_Permalink sp_Print

Hi,

 

We have an Microsoft PKI system for certificates for 3 part applications on the network. Can we use this PKI for OPC UA ?

OPC UA or OPC DA in general is not my field, but trying to assist… so does anyone have any good documentation when it comes to PKI and OPC UA, hopefully with a MS PKI. Or should I only go for OPC UA GDS as I understand this is like “OPC UA” its own PKI system, or am I misunderstanding ?

 

Thanks for any reply.

 

/R

Andreas

Avatar
Randy Armstrong
Admin
Forum Posts: 1579
Member Since:
05/30/2017
sp_UserOfflineSmall Offline
2
02/18/2020 - 09:12
sp_Permalink sp_Print

UA certificates require PKI infrastructure to manage.

You can use a GDS that is integrated with Microsoft PKI:
https://azure.microsoft.com/en…..-everyone/

Avatar
Ole Weel
Member
Members
Forum Posts: 4
Member Since:
03/18/2019
sp_UserOfflineSmall Offline
3
02/18/2020 - 11:04
sp_Permalink sp_Print

Hi,

 

Thanks for reply.

I have been looking at that, but correct me if I am wrong but this is for Azure environment.

Our environment is a “closed” network, it has no access to the internet.

Thanks for any reply.

 

/R

Andreas

Avatar
Randy Armstrong
Admin
Forum Posts: 1579
Member Since:
05/30/2017
sp_UserOfflineSmall Offline
4
02/18/2020 - 19:11
sp_Permalink sp_Print

There is no reason why you cant use Microsoft PKI to generate certificates and manually install them for each application.

You just have to make sure the certificates have the correct fields such as the subjectAltName.

Avatar
Ole Weel
Member
Members
Forum Posts: 4
Member Since:
03/18/2019
sp_UserOfflineSmall Offline
5
02/19/2020 - 04:00
sp_Permalink sp_Print

Hi,

 

Ok I see, but should I have a OPC UA GDS system together with Microsoft PKI ? I am not familiar with OPC UA GDS so don`t know the process around this. Or is having both not necessary ?

 

Thanks again for answer.

 

/R

Andreas

Avatar
Randy Armstrong
Admin
Forum Posts: 1579
Member Since:
05/30/2017
sp_UserOfflineSmall Offline
6
02/19/2020 - 08:23
sp_Permalink sp_Print

The GDS is a front end for whatever certificate management system you need to use. It provides a standard API which applications can be designed to use so it is no longer necessary to manually configure certificates or use mechanisms that only work with 1 vendor’s certificate management system.

If a GDS is not available then the fall back is manual configuration which is feasible for <10 computers. For any large system you need a GDS or security configuration will be a nightmare.

GE offers a standalone GDS. Other vendors will have products on the market soon plus you have the open source .NET GDS which you could update. I also believe the Azure GDS has a local version that would work for you. You need to check with MS.

Avatar
Ole Weel
Member
Members
Forum Posts: 4
Member Since:
03/18/2019
sp_UserOfflineSmall Offline
7
02/19/2020 - 22:55
sp_Permalink sp_Print

Hi,

Still not sure how everything is connected and the recommendations, and the possibility’s… sorry for lack of knowledge, but I am trying 🙂

So…..I could have the following scenarios

 

1. I have an environment with a Microsoft PKI system and I have several OPC UA servers, GDS is not available (As I understand it this is a own application/service) then I must use manual configuration. Each OPC UA server must send a request to the CA and I must sign a certificate.

2. I have an environment with a Microsoft PKI system and I have several OPC UA servers, GDS is available so, OPC UA servers will automatically register with this GDS software and automatically get certificates from the Microsoft PKI some how..

3. I have an environment with a GDS PKI system and I have several OPC UA servers, GDS is available so, OPC UA servers will automatically register with this GDS software and automatically get certificates from the GDS PKI system

 

Also regarding when it comes to PLC systems that communicate trough OPC UA, these do not have a Windows Operating system, how will these interact with a PKI system. Do they always have a Web Interface were i can make a certificate request from ?

 

Thanks for good support, and education me 🙂

/R

Andreas

Avatar
Randy Armstrong
Admin
Forum Posts: 1579
Member Since:
05/30/2017
sp_UserOfflineSmall Offline
8
02/20/2020 - 15:14
sp_Permalink sp_Print

The registration process with the GDS requires administrator action, however, administrators are using a UI instead of copying files around. The UI can also remotely update Servers so you do not need to be logged onto the Server machine.

Unfortunately, the not every server supports the GDS API yet so some servers may still need to be manually configured, however, if users demand it the vendor should provide support for the GDS API in the future.

Forum Timezone: America/Phoenix
Most Users Ever Online: 510
Currently Online:
Guest(s) 21
Currently Browsing this Page:
1 Guest(s)
Top Posters:
Forum Stats:
Groups: 2
Forums: 10
Topics: 1445
Posts: 4889