Establishing a secure connection
Ensure that the security mode and security policy
Ensure certificates are trusted by both client and server
In OPC UA communication, secure connections rely on mutual certificate recognition between the client and server:
- Client Certificate Known by Server: The OPC UA server needs to have the client's certificate registered or listed in its trusted certificates. This enables the server to validate the client's identity when it tries to connect. If the client's certificate is not in the server's list of trusted certificates, the server may deny the connection, so that only authorized clients can connect.
- Client Needs to Know the Server Certificate: The OPC UA client must also have the server's certificate in its list of trusted certificates. This allows the client to verify that it is connecting to the correct server, protecting against unauthorized access.
- In certain OPC UA implementations, such as @opcua/for-node-red, server certificates are accepted automatically by default. This makes setup and testing easier by skipping manual verification of the server certificate. For production environments, however, careful management and verification of server certificates are recommended to maintain secure connections.
In the context of OPC UA communication using @opcua/for-node-red, while the server certificates are automatically accepted by the client, the client's certificate must still be manually added to the server's trusted certificates list for a secure connection to be established. This is a key step in ensuring that the server recognizes and trusts the client.
@opcua/for-node-red provides a convenient feature to download its client certificate in either PEM or DER format. This certificate, representing the public key of the client, needs to be installed on the server to facilitate trusted communication. Here's how it typically works:
- Downloading the Client Certificate: Within @opcua/for-node-red, you have the option to download the client certificate. This can be done in either PEM (Privacy-Enhanced Mail) or DER (Distinguished Encoding Rules) format, both of which are standard encodings for X.509 certificates.
- Installing the Client Certificate on the Server: Once you have the client certificate, it needs to be added to the trusted certificates list on the server side. The process for this can vary depending on the specific OPC UA server you are using. Therefore, it is recommended to refer to the server's documentation for guidance on where and how to install this certificate.
By adding the client certificate to the server's trusted list, you are effectively informing the server that the client is authorized to establish a secure connection. This step is crucial for maintaining the integrity and security of the data exchange between the OPC UA client (@opcua/for-node-red) and server.
When using a secure connection to the OPCUA server, you'll have to make sure that the server certificate is trusted by the client and that the client certificate is trusted by the server.
This is needed to ensure that the connection is secure and that the data is not intercepted by a third party.
The client and server each use the public key stored in the other party's certificate, together with their own private key, to encrypt and decrypt data.
If the @opcua/for-node-red client certificate is not trusted by the server, the server will refuse the connection and you will see an error such as:
connection to endpoint opc.tcp://machine:4840 could not be established
Ensuring that the @opcua/for-node-red client certificate is trusted by the server
If you are using a "Sign" or "SignAndEncrypt" connection to the OPCUA Server, you'll have to make sure that your client certificate is trusted by the server.
This can be done by copying the client certificate of your @opcua/for-node-red instance to the server and adding it to the trusted certificates folder in the PKI of the server.
The client certificate can be found in the "pki" folder of the OPCUA Endpoint node.
The certificate is named client_certificate.pem and is located in the PKI folder (see above) under PKI/own/certs/.
Refer to your server documentation to find out where to copy the client certificate.
Ensuring that @opcua/for-node-red trusts the server certificate
Similarly, if you are using a "Sign" or "SignAndEncrypt" connection to the OPCUA Server, you'll have to make sure that the server certificate is trusted by the client. By default, @opcua/for-node-red is set up to automatically accept any server certificate. This can be changed by setting the "rejectUnauthorized" option to true in the global settings of the OPCUA Endpoint node (available in the Pro version only).