Using OpcCmd Utility for OPC UA Administration

From OPC Labs Knowledge Base

Under construction: Parts are missing.

How to: Make a rejected certificate trusted

If you do not set up trust between the OPC UA applications (client and server) upfront, you often end up with the other party's application certificate being rejected (for example, the OPC UA client will reject the OPC UA server's certificate when you try to connect securely to a new server). As a convenience, the actual certificate provided by the other party is stored in the so-called Rejected certificate store. If you know that this certificate should, in fact, be trusted, you can move it to the Trusted peers certificate store. The next time, it will not be rejected.

There are multiple ways to move the certificate, and the procedure differs depending on the type of certificate store involved (platform-specific, or a directory). The steps described below work with the default configuration of OPC UA applications that target .NET Framework (or COM applications). Such applications share a common group of certificate stores, located in a dedicated directory in the file system. Any file manipulation tool can be used to move and copy the certificates, but it might be somewhat difficult to find the right directory and navigate between the sub-directories of the directory certificate stores. With the OpcCmd Utility, you can make the rejected certificate trusted in just a few steps.

  1. At the OpcCmd> prompt, enter uaAdministration pki applicationStoreGroup --kind LegacyDirectoryCommon, or shortened: uaa pki asg -k LegacyDirectoryCommon. This command tells the utility that from now on, we will be accessing the common group of PKI stores for the OPC UA applications written for .NET Framework with the use of OPC Foundation's UA stack and SDK. The program responds with a confirmation of the command.

    All following commands are entered at the pkiApplicationStoreGroup> prompt. You can enter -?, -h or --help (possibly preceded by the command name) at any time to obtain help for this prompt (or its commands).
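As an added example (not code from this page or from OPC Labs), the same Rejected-to-Trusted move done with a script instead of a file manager, selecting the certificate by its SHA-1 thumbprint rather than by file name so that you trust the certificate whose thumbprint you verified with the other party. The `rejected/certs` and `trusted/certs` sub-directory layout, the `.der` file names and the sample certificate bytes are assumptions, not taken from the page.

```python
import hashlib
import shutil
import tempfile
from pathlib import Path

# Assumed layout (not from the page): each directory store keeps DER files
# under a "certs" sub-directory: <root>/rejected/certs and <root>/trusted/certs.

def thumbprint(der: bytes) -> str:
    """OPC UA certificate thumbprint: upper-case hex SHA-1 of the DER bytes."""
    return hashlib.sha1(der).hexdigest().upper()

def list_rejected(pki_root: Path) -> dict:
    """Map thumbprint -> file for every certificate in the Rejected store."""
    rejected = pki_root / "rejected" / "certs"
    return {thumbprint(p.read_bytes()): p for p in rejected.glob("*.der")}

def trust_rejected(pki_root: Path, expected_thumbprint: str) -> Path:
    """Move the rejected certificate with this thumbprint into Trusted peers.

    Keying the move on a thumbprint obtained out-of-band from the other
    party's administrator trusts the certificate you checked, not whatever
    file happened to land in the Rejected store last.
    """
    wanted = expected_thumbprint.replace(":", "").replace(" ", "").upper()
    candidates = list_rejected(pki_root)
    if wanted not in candidates:
        raise LookupError(f"no rejected certificate with thumbprint {wanted}")
    source = candidates[wanted]
    target_dir = pki_root / "trusted" / "certs"
    target_dir.mkdir(parents=True, exist_ok=True)
    target = target_dir / source.name
    if target.exists() and thumbprint(target.read_bytes()) != wanted:
        raise FileExistsError(f"{target} holds a different certificate")
    shutil.move(str(source), str(target))  # overwrites only an identical copy
    return target

def demo() -> tuple:
    """Constructed sample store: two fake certificates, one of them gets trusted."""
    root = Path(tempfile.mkdtemp())
    rejected = root / "rejected" / "certs"
    rejected.mkdir(parents=True)
    fake_der = b"\x30\x82\x01\x00constructed stand-in, not a real certificate"
    (rejected / "UaServer.der").write_bytes(fake_der)
    (rejected / "Other.der").write_bytes(b"\x30\x82\x01\x00another stand-in")
    tp = thumbprint(fake_der)
    moved = trust_rejected(root, tp)
    # (thumbprint, now in Trusted, other cert still rejected, no longer in Rejected)
    return tp, moved.exists(), (rejected / "Other.der").exists(), tp in list_rejected(root)
```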