This site uses cookies for functional purposes. To continue please read and agree to our Data Privacy.

By closing this message, you consent to our use of cookies on this device.

PLCnext on Instagram  PLCnext on YouTube Github PLCnext CommunityStore PLCnext Community


 How to create a Blog Entry

How to use your own Security Certificate with an OPC UA Server on a PLCnext Control

=== UPDATE ====

The guide below related to a version of PLCnext Firmware prior to version 2019.0 LTS. For information on how to manage OPC UA Server Certificates with the latest PLCnext Control firmware, please refer to the relevant section of the PLCnext Technology User Manual.

All PLCnext Controls include an embedded OPC UA server. This server, like all OPC UA servers, includes the option to establish secure connections with clients using Public Key Cryptography.

This guide describes how to use your own security certificate (including your own private key) to set up a secure OPC UA connection with a PLCnext Control.

The PLCnext Control embedded OPC UA Server requires X.509 certificates to ensure trusted communication with OPC UA clients. There are four main types of certificates that can be used:

Option 1 - Automatically generated self-signed certificate.

  • The required certificates are automatically created by the PLC.
  • Simple to set up.
  • Useful for testing and for permanent use on secure LANs.

Option 2 - Manually generated self-signed certificate.

  • No additional security benefits over Option 1, but gives the administrator more control over the management of certificates.

Option 3 - Certificate signed by your own Certificate Authority.

  • No additional security benefits over Options 1 and 2, but allows more structured management of certificates.

Option 4 - Certificate issued by a trusted Certificate Authority

  • Requires the purchase of a certificate from a trusted third-party Certificate Authority like Verisign. This is the recommended option for public or other unsecure networks.


NOTE: This guide describes procedures involving the use of private encryption keys. It is the responsibility of users of this guide to ensure that their private keys are stored securely, both in their master certificate repository and on the PLCnext Technology controller.

  • A basic understanding of Public Key Cryptography and X.509 certificates.
  • A basic understanding of OPC, and (specifically) OPC UA technology.

The procedures described in this guide use the following hardware and software:


Option 1 - Automatically generated self-signed certificate

  • This is the the default option when creating a new project in PC Worx Engineer.

  • Follow the procedure for installing an OPC UA server in the video on the Technical Support YouTube channel.

  • Note that this option uses certificates located in the following directory on the PLCnext Control:


Option 2 - Manually generated self-signed certificate

  1. Open a Secure Shell session on the PLCnext Control.

  2. Copy the contents of the directory used in Option 1, to an alternative location. This copies the directory structure and default certificates required by the OPC UA server:

    cp -r /etc/plcnext/certificates/opcua /opt/plcnext/certificates/opcua

  3. In PC Worx Engineer, change the OPC UA server "Certificate" field from "Self signed" to "File". This configures the controller to look for certificate information in the alternative location /opt/..., rather than in the default location /etc/....

  4. Download the PC Worx Engineer project to the controller.

  5. It is now possible to connect to the OPC UA server using the same procedure referenced in Option 1 above. Note that, at this stage, the OPC UA server is using a copy of the self-signed certificates that were generated automatically by the controller.

  6. In XCA, create a new self-signed certificate from the "Certificates" tab. An example of a certificate is shown in the screenshots below.

    • Open (or create) a database under the menu item "File".
    • In the dialog box, go to the Certificate tab and click the "New Certificates" button: Create New Certificate
    • In the next dialog box, the Source tab will be active. The Signing option "create a self signed certifiate" should already checked by default: Create Certificate Source
    • Switch to the Subject tab, click the "Generate a new key" button. This generates a unique private key for this certificate: Create Certificate Subject
    • In the "Extensions" tab, set the Validity of the certificate to the required period and put an entry into the field "X509v3 Subject Alternative Name". This field must not be empty, this is a requirement of the OPC UA specification. Create Certificate Extensions
  7. After the certificate is created, select the certificate in the main XCA window and click "Export". There are two files that must be exported:

    • The certificate, in the format "PEM (*.crt)". The exported file must be named "eUAServer.cer" (note the change of file name extension): Export Certificate
    • The certificate and the unencrypted private key, in the format "PEM + key (*.pem)". The exported file must be named "eUAServer.cer.pkey": Export Certificate Key
  8. Using WinSCP (Windows) or scp (Linux), copy the files to the controller, replacing the following files created earlier:


  9. Restart the controller.

It is now possible to connect a client to the OPC UA server using this manually created self-signed certificate.

Option 3 - Certificate signed by your own Certificate Authority.

  • In XCA, it is possible to create your own Certificate Authority (CA), and then sign your certificates using this CA. This follows a procedure similar to Option 2, but when exporting the .cer file the export format must be "PEM chain (*.pem)".

NOTE: The OPC UA client will complain that the root (CA) Certificate can not be validated, but this error can be ignored.

Option 4 - Certificate issued by a trusted Certificate Authority

  • In this case, the certificate is purchased from, and signed by, a trusted Certificate Authority. This certificate must be converted to the formats described above in Option 2 for use by the OPC UA server.

That's it.
Any questions? Let us know!


  1. How to use WinSCP

Background reading

  1. Public-key cryptography

  2. X.509

  3. What is OPC?

  4. OPC Unified Architecture

  5. The OPC UA Security Model For Administrators