Makers Blog

OPC UA Certificate “Push Management”

Martin PLCnext Team 14 September 2020 min. read
570 views 0 comments

In a previous article, OPC UA Local Discovery Servers (LDS) were introduced.

Global Discovery Servers (GDS) provide similar discovery features to Local discovery servers, but they also provide the ability to manage security certificates on multiple OPC UA servers from a single point.

This article demonstrates “GDS Push Management”, which allows security certificates to be “pushed” to an OPC UA server device.


There is a good introduction to OPC UA discovery servers in this article from Unified Automation:


Before following the steps in this article, you should understand:


For this example, the network setup is as follows:

OPC UA Server: AXC F 2152 FW 2020.6.1
IP address:
DNS name: axc-f-2152-1

OPC UA Client: Debian 10 PC

The PLC IP address and DNS name will be used throughout this article, but of course you should modify these for your own application.

Set up PLC DNS name

If your network does not include a DNS server, edit the hosts file on the OPC UA client machine.

The hosts file is located in the following directory:

  • Windows: C:\Windows\System32\drivers\etc\
  • Linux: /etc/

Add the following new DNS entry to the hosts file on the OPC UA Client machine (substituting the IP address and DNS name of your PLC): axc-f-2152-1

Check that the entry is correct by pinging the DNS name (not the IP address) of the PLC from the OPC UA client machine.

Install the OPC UA client software

This example uses UaExpert from Unified Automation:

Download and install UaExpert on the OPC UA client machine.

Configure the OPC UA Server in PLCnext Engineer

  1. In PLCnext Engineer, in the OPC UA configuration window, in the Security section, set:
    • “Certificate” to Provided by OPC UA GDS.
    • “IdentityStore name” to OpcUaGdsIdentityStore.
    • “TrustStore name” to OpcUaGdsTrustStore.
  2. Write the PLCnext Engineer project to the PLC.
  3. In the Web-Based Management system, the new Identity Store and Trust Store can now be seen on the “Certificate Authentication” page.

Configure the OPC UA Client

  1. Open UA Expert and connect to the OPC UA server in the usual way (not using a discovery server).
  2. In UA Expert, use the “Document -> Add…” menu to add a “GDS Push View” document.

You can now manage security certificates on the PLC, as an alternative to using the Web-Based Management window. It is also possible to create and download self-signed certificates from this view, as an alternative to using XCA.


The GDS Push Management feature – demonstrated here using UA Expert – is a feature that can be used today with all PLCnext Control devices.

Other OPC UA GDS implementations are provided by:


The Makers Blog shows applications and user stories of community members that are not tested or reviewed by Phoenix Contact. Use them at your own risk.


Please login/register to comment


Leave a Reply

Never miss a new article
Sign up for the newsletter
Never miss news about PLCnext Technology
Get interesting content via newsletter four times a year
Receive exclusive information before all other users