OPC UA certification Windows PKI (OPC UA Standard forum, OPC Foundation)

OPC UA certification Windows PKI
Post 1 - Ole Weel (Member), 02/17/2020 - 11:30

Hi,

We have a Microsoft PKI system for certificates for third-party applications on the network. Can we use this PKI for OPC UA?

OPC UA or OPC DA in general is not my field, but I am trying to assist... so does anyone have any good documentation when it comes to PKI and OPC UA, hopefully with an MS PKI? Or should I only go for OPC UA GDS, as I understand this is like OPC UA's own PKI system, or am I misunderstanding?

Thanks for any reply.

/R

Andreas

Post 2 - Randy Armstrong (Admin), 02/18/2020 - 09:12

UA certificates require PKI infrastructure to manage.

You can use a GDS that is integrated with Microsoft PKI:
https://azure.microsoft.com/en.....-everyone/

Post 3 - Ole Weel (Member), 02/18/2020 - 11:04

Hi,

Thanks for the reply.

I have been looking at that, but correct me if I am wrong, this is for an Azure environment.

Our environment is a "closed" network, it has no access to the internet.

Thanks for any reply.

/R

Andreas

Post 4 - Randy Armstrong (Admin), 02/18/2020 - 19:11

There is no reason why you can't use Microsoft PKI to generate certificates and manually install them for each application.

You just have to make sure the certificates have the correct fields such as the subjectAltName.
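As an added example, not code from this thread or from the OPC Foundation, the manual path described above done with OpenSSL: a request config that puts the ApplicationUri and hostname into subjectAltName together with the key usages and extended key usages a UA stack checks, a CSR generator, and a check to run on the CSR before submitting it to the Windows CA. The ApplicationUri, hostname and file paths are constructed placeholders.

```shell
#!/bin/sh
# Added example (not OPC Foundation code): prepare and check an OPC UA
# application-instance certificate request for a Windows CA to sign.
# ApplicationUri and hostname used when calling these are constructed placeholders.

# Write an OpenSSL request config for one OPC UA server application.
#   $1 = ApplicationUri (must match the server's configured ApplicationUri)
#   $2 = DNS hostname of the machine running the server
#   $3 = output config path
write_opcua_req_conf() {
  cat > "$3" <<EOF
[ req ]
distinguished_name = dn
req_extensions     = opcua_ext
prompt             = no

[ dn ]
CN = $2

[ opcua_ext ]
# Fields a UA stack checks: ApplicationUri as URI SAN, hostname as DNS SAN,
# the four key usages and both TLS EKUs (OPC UA Part 6 certificate profile).
subjectAltName   = URI:$1, DNS:$2
keyUsage         = critical, digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth, clientAuth
basicConstraints = CA:FALSE
EOF
}

# Generate a 2048-bit RSA key and CSR; prints the CSR path.
#   $1 = ApplicationUri, $2 = hostname, $3 = output file prefix
make_opcua_csr() {
  write_opcua_req_conf "$1" "$2" "$3.cnf"
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -keyout "$3.key" -out "$3.csr" -config "$3.cnf" >/dev/null 2>&1
  printf '%s\n' "$3.csr"
}

# Verify the CSR carries the expected fields before submitting it to the CA.
#   $1 = CSR path, $2 = expected ApplicationUri, $3 = expected hostname
# Returns 0 when every field is present, 1 (with a reason) otherwise.
check_opcua_csr() {
  txt=$(openssl req -in "$1" -noout -text) || return 1
  printf '%s\n' "$txt" | grep -q "URI:$2" || { echo "SAN lacks ApplicationUri $2"; return 1; }
  printf '%s\n' "$txt" | grep -q "DNS:$3" || { echo "SAN lacks hostname $3"; return 1; }
  printf '%s\n' "$txt" | grep -q "Key Encipherment" || { echo "keyUsage incomplete"; return 1; }
  printf '%s\n' "$txt" | grep -q "TLS Web Server Authentication" || { echo "EKU lacks serverAuth"; return 1; }
  return 0
}
```

Run the same greps against the issued certificate (`openssl x509 -in issued.cer -noout -text`) as well, because a CA template can alter the extensions that were requested.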

Post 5 - Ole Weel (Member), 02/19/2020 - 04:00

Hi,

OK, I see, but should I have an OPC UA GDS system together with Microsoft PKI? I am not familiar with OPC UA GDS so I don't know the process around this. Or is having both not necessary?

Thanks again for the answer.

/R

Andreas

Post 6 - Randy Armstrong (Admin), 02/19/2020 - 08:23

The GDS is a front end for whatever certificate management system you need to use. It provides a standard API which applications can be designed to use, so it is no longer necessary to manually configure certificates or use mechanisms that only work with one vendor's certificate management system.

If a GDS is not available then the fallback is manual configuration, which is feasible for <10 computers. For any large system you need a GDS or security configuration will be a nightmare.

GE offers a standalone GDS. Other vendors will have products on the market soon plus you have the open source .NET GDS which you could update. I also believe the Azure GDS has a local version that would work for you. You need to check with MS.

Post 7 - Ole Weel (Member), 02/19/2020 - 22:55

Hi,

Still not sure how everything is connected and the recommendations, and the possibilities... sorry for lack of knowledge, but I am trying 🙂

So... I could have the following scenarios:

1. I have an environment with a Microsoft PKI system and I have several OPC UA servers, GDS is not available (as I understand it this is its own application/service), then I must use manual configuration. Each OPC UA server must send a request to the CA and I must sign a certificate.

2. I have an environment with a Microsoft PKI system and I have several OPC UA servers, GDS is available, so OPC UA servers will automatically register with this GDS software and automatically get certificates from the Microsoft PKI somehow..

3. I have an environment with a GDS PKI system and I have several OPC UA servers, GDS is available, so OPC UA servers will automatically register with this GDS software and automatically get certificates from the GDS PKI system.

Also regarding PLC systems that communicate through OPC UA: these do not have a Windows operating system, so how will these interact with a PKI system? Do they always have a web interface where I can make a certificate request from?

Thanks for good support, and for educating me 🙂

/R

Andreas

Post 8 - Randy Armstrong (Admin), 02/20/2020 - 15:14

The registration process with the GDS requires administrator action, however, administrators are using a UI instead of copying files around. The UI can also remotely update Servers so you do not need to be logged onto the Server machine.

Unfortunately, not every server supports the GDS API yet, so some servers may still need to be manually configured; however, if users demand it the vendor should provide support for the GDS API in the future.
