Professional OPC
Development Tools

logos

Online Forums

Technical support is provided through Support Forums below. Anybody can view them; you need to Register/Login to our site (see links in upper right corner) in order to Post questions. You do not have to be a licensed user of our product.

Please read Rules for forum posts before reporting your issue or asking a question. OPC Labs team is actively monitoring the forums, and replies as soon as possible. Various technical information can also be found in our Knowledge Base. For your convenience, we have also assembled a Frequently Asked Questions page.

Do not use the Contact page for technical issues.

Issue certificates fra Microsoft PKI

More
05 Mar 2020 12:29 #8267 by support
Hello.

1. GDS can function as PKI server, yes.

2. Yes.

3. This would be "server redundancy" in OPC UA terms. It is certainly possible, but in such case the OPC UA apps that connect to GDS will have to support the redundancy for that, plus the GDS will somehow have to have the ability to sync between its instances. This is not in my expertise area, and possibly not realistically implemented in existing products. You are probably concerned about having a central single point of failure in the system, but you need to keep in mind that the Key Management functionality of the GDS (which is what we are discussing here) isn't actually needed at every moment. You need it to enroll new clients/servers, and then to update their trust lists and certification revocation lists from time to time - which, depending on the security policy (I am guessing now, again it's not my expertise), may be normally done with period of several hours or even considerably longer, but in case of GDS failure the whole system can continue running, for a reasonable amount of time, with what the individual applications already have obtained.

Regards
The following user(s) said Thank You: andreas2012

Please Log in or Create an account to join the conversation.

More
04 Mar 2020 20:43 #8264 by andreas2012
Hi,

Well I must say you have enough knowledge to help me ... it seems, so I will keep asking questions if that's ok :)

You have given me a better picture of how it works, but still some things that is unclear to me...

1. You say "You can have GDS based on Microsoft PKI infrastructure, or something else."... does this mean you must have a PKI infrastructure in the back-end, or could you only have a GDS server and this will function also as a PKI server ?

2. When I have helped my colleges I have configured DCOM settings for Matrikon, Advosol, Kepware, RSlinx+++... and I guess these are all OPC Servers, and will after some time go over to OPC UA. As we have a lot of vendors, and as you say I can use any GDS with these vendors as long as their OPC UA application support GDS....right ?

3. If you implement a GDS server do you usually configure this in a cluster, so if one GDS server goes down, you still have another one up and running ?

Thanks again for teaching me how this works :)

/Regards
Andreas

Please Log in or Create an account to join the conversation.

More
04 Mar 2020 12:05 - 04 Mar 2020 12:07 #8263 by support
Hello,

I think the original venue would be better for you to discuss there - not only because it is the right place in terms of scope, but also (and I know it positively) there are people more knowledgeable than me who will answer you.

But anyhow.

GDS is specified in terms of how it communicates with other applications. It has a standardized interface (based on OPC UA as well, look for Part 12 of OPC UA specs) which, among other things, allows other OPC UA applications (both client and servers) to pull certificates from the GDS, push them to GDS (probably not your case), and obtain/update their ow trust lists.

How GDS does that is, intentionally, not standardized. You can have GDS based on Microsoft PKI infrastructure, or something else.
One GDS "type" will be fine to serve all OPC UA servers/clients, even from different vendors.

For this to work, you need to have the right GDS, and the OPC UA applications need to have support for this communication with GDS (instead of using manual certificate configuration, which is usually the default). Not all OPC UA application have that currently, but the market is clearly moving in that direction - because that's about the only way to handle any reasonably complicated installations.

Best regards
Last edit: 04 Mar 2020 12:07 by support. Reason: typo
The following user(s) said Thank You: andreas2012

Please Log in or Create an account to join the conversation.

More
04 Mar 2020 09:36 #8262 by andreas2012
Hi,

Yes same poster, did not fully understand the reply from opcfoundation thats why posting here.

But it starting to sink in now.... We have as of today 100+ OPC DA installations, with various vendors of OPC (Kepware, Siemens ++) and now these are going to transform over to OPC UA. So as of today 6 systems have converted to OPC UA, but these have created self signed certificates with 30 years of expiration ...hehe. Now as I understand just using Microsoft PKI and issue certificates to OPC UA servers/clients is a mess, or complicated... I have not gotten it to work.

So the best way would be to implemented what you call a GDS system and as I understand this can either integrate with Microsoft PKI, or it can live by itself ?

Since we have many different vendors, is it so that one GDS (whatever vendor) can serve all OPC UA vendors ?

Thanks for helping

Regards
Andreas

Please Log in or Create an account to join the conversation.

More
03 Mar 2020 15:23 #8261 by support
Hello,

are you the same poster as here?: opcfoundation.org/forum/opc-ua-standard/opc-ua-certification-windows-pki/#p2222 . - If not, please read it, it has some useful information.

This forum is for our QuickOPC product (client toolkit). QuickOPC uses certificate stores for its own certificate, trusted apps or trusted issuers etc., and by default, it generates it own self-signed certificate using OPC UA certificate generator tool. It also contains functionality to pull the client certificate and trust lists from OPC UA GDS.

In order to use Microsoft PKI with QuickOPC, the preferred way would be o deploy a GDS that integrates with Microsoft PKI, as mentioned in the link above. Other way to do it is to manually (or by other tools) configure QuickOPC to use the right certificates and trust lists and somehow assure that they are properly populated. It ca be done, but would probably be clumsy.

Best regards

Please Log in or Create an account to join the conversation.

More
03 Mar 2020 11:30 #8260 by andreas2012
Hi,

We have today a microsoft pki system on our local network, and i was hoping to use this system to publish certificates for our OPC UA systems.
I dont work with OPC UA, so I dont know how it works, but I work with PKI. I have a opc ua test server installed, (Advosol) and I have published a certificate to this machine, but when I try to use it I only get "BadNotSupported" so the system automatically generates its own self signed certificate.

So is there anyone out there that is using microsoft internal CA system to publish certificates to your opc ua systems ?

Thanks for reply

/R
Andreas

Please Log in or Create an account to join the conversation.

Moderators: support
Time to create page: 0.057 seconds