OPC-UA Security

Encrypted Connections

The OPC-UA Device Service also supports signed and encrypted connections with the following security levels:

Key/Certificate Pair

You can provide the key/certificate pair as .der files, in the /keys directory in the container. To generate a private key and certificate, enter the following commands:

If several key/certificate pairs are provided, the specific certificate and key to use can be specified during device provisioning, allowing different devices to use different key/certificate pairs. If not specified during device provisioning, the certificate defaults to certificate.der and the private key defaults to private_key.der.

The key/certificate pair persists for the life of the container.

Any server that you connect to must set the certificate used by the Device Service as trusted.

Generating a Key/Certificate

The open62541 OPC-UA library contains a script for generating a key and certificate for use with the Prosys OPC-UA Simulation Server. Download both the create_self-signed.py and localhost.cnf files from that repository. Once saved, run the following command to generate the key and certificate:

python3 create_self-signed.py

Once generated, save the key and certificate to a keys/ directory on your computer. You may need to create this directory first.

Assigning the keys/ directory

Make a local copy of the docker-compose.yml file stored in etc/edgexpert and save it in your local directory. Open your local copy and search for the device-opc-ua entry. Add the following lines under "volumes" in that entry, telling Edge Xpert where to find your key/certificate pair:

volumes:
  - /your/path/to/keys/:/keys/

Replace the text to the left of the colon with the path to your keys/ directory.
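The following script is an added example, not part of the Edge Xpert documentation or the open62541 tooling. It does with plain OpenSSL what the create_self-signed.py step above does (a self-signed client certificate with the OPC-UA ApplicationURI in its subjectAltName, written as DER files with the default names certificate.der and private_key.der), checks that the keys/ directory about to be mounted holds a matching pair, and prints the certificate thumbprint so it can be compared with the entry Prosys lists before it is trusted. It assumes OpenSSL 1.1 or later; the ApplicationURI urn:edgexpert:device-opc-ua and the subject name are placeholders.

```shell
#!/bin/sh
# Added example (not Edge Xpert or open62541 code). Assumes OpenSSL >= 1.1.
# The ApplicationURI below is a placeholder; replace it with the one your
# device service is configured to present.

# Generate private_key.der and certificate.der (the Device Service's default
# names) in $1, with the OPC-UA ApplicationURI $2 as a URI subjectAltName.
generate_opcua_keys() {
    out_dir="${1:-keys}"
    app_uri="${2:-urn:edgexpert:device-opc-ua}"
    mkdir -p "$out_dir"
    cnf="$out_dir/opcua.cnf"
    # Minimal request config in the spirit of localhost.cnf: OPC UA peers expect
    # the ApplicationURI as a URI SAN plus the key-usage bits listed here.
    cat > "$cnf" <<EOF
[ req ]
distinguished_name = dn
x509_extensions = v3_opcua
prompt = no
[ dn ]
CN = Edge Xpert OPC-UA Device Service
[ v3_opcua ]
subjectAltName = URI:$app_uri, DNS:localhost
keyUsage = critical, digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth, clientAuth
basicConstraints = CA:FALSE
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 -config "$cnf" \
        -keyout "$out_dir/private_key.pem" -out "$out_dir/certificate.pem" \
        >/dev/null 2>&1 || return 1
    # Convert both to DER, the format the /keys directory expects
    openssl x509 -in "$out_dir/certificate.pem" -outform DER \
        -out "$out_dir/certificate.der" 2>/dev/null || return 1
    openssl rsa -in "$out_dir/private_key.pem" -outform DER \
        -out "$out_dir/private_key.der" >/dev/null 2>&1 || return 1
    chmod 600 "$out_dir/private_key.der" "$out_dir/private_key.pem"
    rm -f "$cnf"
}

# SHA-1 thumbprint of a DER certificate as 40 hex digits, the form OPC UA
# implementations display; compare it with what Prosys shows before trusting.
cert_thumbprint() {
    openssl x509 -inform DER -in "$1" -noout -fingerprint -sha1 \
        | sed 's/^.*=//; s/://g'
}

# ApplicationURI recorded in the certificate (first URI entry of the SAN)
cert_application_uri() {
    openssl x509 -inform DER -in "$1" -noout -text \
        | grep -o 'URI:[^, ]*' | head -n 1 | sed 's/^URI://'
}

# Verify a keys/ directory before it is mounted: both default files exist,
# parse, and the private key actually belongs to the certificate.
check_keys_dir() {
    dir="${1:-keys}"
    cert="$dir/certificate.der"
    key="$dir/private_key.der"
    [ -s "$cert" ] || { echo "missing $cert" >&2; return 1; }
    [ -s "$key" ] || { echo "missing $key" >&2; return 1; }
    cert_pub="$(openssl x509 -inform DER -in "$cert" -noout -pubkey 2>/dev/null)" || return 1
    key_pub="$(openssl rsa -inform DER -in "$key" -pubout 2>/dev/null)" || return 1
    [ "$cert_pub" = "$key_pub" ] || { echo "private key does not match certificate" >&2; return 1; }
    return 0
}

# Run directly as "sh thisfile.sh generate [dir] [application-uri]" to create
# the pair and show the thumbprint to compare against the Prosys listing.
if [ "${1:-}" = "generate" ]; then
    generate_opcua_keys "${2:-keys}" "${3:-urn:edgexpert:device-opc-ua}" || exit 1
    check_keys_dir "${2:-keys}" || exit 1
    echo "Certificate thumbprint: $(cert_thumbprint "${2:-keys}/certificate.der")"
fi
```

Mount the directory produced by generate_opcua_keys as the left-hand side of the volume line above. Keep the private key readable only by the user that runs the container (the script sets mode 600), and when the certificate appears under Prosys "Certificates", check that its thumbprint equals the one printed here before choosing "Trust".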

Establishing a secure connection with Prosys OPC-UA Simulation Server

Start the device service and provision your device as described on the OPC-UA Security Example page.

It is likely that the first connection attempt will be rejected, because Prosys does not yet trust the certificate presented by the OPC-UA device service.

Fix this by going to Prosys and switching to "Expert Mode" under "Options". Navigate to "Certificates", where your certificate should be listed on the left. Right-click on the rejected certificate and select "Trust".

The next time the device service attempts to connect, a secure connection will be established with the now-trusted certificate. A new connection attempt is triggered by issuing a GET or PUT request to the device service.
