Question
How to use Self-signed certificate for Opc client/Opc server purposes
- Posted on March 28, 2023
- Development
Asked by Ahmad
Hi, I have used ssl to create a self-signed certificate (password protected) that last for very long years (this is because the opc server I am using auto-generates certs that are valid for one year only). I have added the generated cert to the windows to the Trusted Root Certification Authorities, but I have to add that to the Opc server (or the Opc client side) to make this certificate to be used by Opc server. (a sidenote here; this is just my understanding, for me to take this certificate to distribute to all PCs that I am going to install my Opc client on, it’s better to include the self-signed cert as part of the Opc client solution which is a .Net based solution, Do you agree?)
But the main part that I need help with is how to add this self-signed certificate that is password protected to the Opc server and/or to the Opc client solution?
Best regards.
This textbox defaults to using Markdown to format your answer.
You can type !ref in this text area to quickly search our full set of tutorials, documentation & marketplace offerings and insert the link!
These answers are provided by our Community. If you find them useful, show some love by clicking the heart. If you run into issues leave a comment, or add your own answer to help others.
Hollie's Hub for Good
Working on improving health and education, reducing inequality, and spurring economic growth? We’d like to help.
Hi there,
It seems like you have a two-part question here: how to incorporate your self-signed certificate into your OPC server and client and whether it is a good idea to include this certificate as part of your client distribution.
Including the certificate in your OPC server/client: The specifics of this process can vary greatly depending on the exact OPC server/client software you are using. However, the general process usually involves some form of importing the certificate into the software. In some cases, this can be done through a GUI interface, while others may require placing the certificate file in a specific directory. I would recommend checking the documentation for your specific OPC server/client software for detailed instructions on this process.
Including the certificate as part of your client distribution: This can be a viable solution, but it does have potential security implications. Anyone who gets a hold of the client software will also have access to the certificate. If this certificate is used for sensitive communication, this could be a risk. If you decide to go this route, make sure to use a secure method for distributing your software to help mitigate this risk. It’s also important to ensure that the certificate file is stored securely on the client’s machine.
As a side note, while self-signed certificates can be useful for testing and development environments, they are generally not recommended for production use. This is because they do not provide the same level of trust as a certificate from a recognized Certificate Authority (CA). A self-signed certificate essentially says “trust me because I say I am who I claim to be”, whereas a CA-signed certificate says “trust me because this recognized authority has verified that I am who I claim to be”. If possible, I would recommend considering a CA-signed certificate for your OPC server/client in a production environment.
You should also consider rotating the certificates more often (like annually), even if it’s a bit more work. Long-lasting certificates can be a security risk if they get compromised and you are not aware of it. The damage a malicious entity could do over “very long years” could be quite substantial.
Best,
Bobby