Connecting to a PLCnext OPC UA server with Basic256Sha256 using UaExpert
Hello,
I want to use a PLC running an OPC UA server, with multiple PLCs as clients communicating with the server. I have gotten this to work using Basic256Sha256 by copying the certificates between the clients and the server. However, I have not been able to get UaExpert working with the same security policy; I am getting the error 'BadSecurityChecksFailed was returned during OpenSecureChannel' in UaExpert.
I am able to connect to the PLCnext OPC UA server using UaExpert when the security policy is set to None, but that is not ideal for obvious reasons. I am guessing that I need to copy a certificate from UaExpert to the PLCnext server. Does anyone have experience with this, or does anyone know where I can look to find more about this?
Comments
In the OPC UA server settings, does the value in the DNS name / IP address field match the DNS name or IP address that you are using to access the server from UA Expert?
The value in this field is written into the UA Server self-signed certificate. UA clients will check this value in the certificate against the URL that was used to access the server, and if the values don't match then either (a) an error will appear - like in UA Expert - and/or (b) the client will simply refuse to connect.
Hey Martin,
Thanks for your response. I found that I could connect to the server when the Trust Store certificates of the PLC OPC UA clients were removed, as the server will now not check whether the client requesting the connection has a certificate in the Trust Store. So it is working right now with the Basic256Sha256 security policy.
I was wondering if you know whether it is possible to add a certificate from UaExpert to the Trust Store of the server, as the only certificate I can find in UaExpert is a .der certificate and PLCnext wants a .crt or .pem.
You can convert .der into .pem and vice versa using openssl, see x509 - How to connect to an OPC-UA server which requires certificate based user authentication using node-opcua based client - Stack Overflow
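The conversion suggested in the last comment, worked through as an added example (this is not code from the thread or from Phoenix Contact): it converts a DER-encoded application certificate, as UaExpert exports it, to PEM for the PLCnext trust store, converts it back, and runs the checks worth doing before trusting the file on the server. It assumes `openssl` 1.1.1 or newer is on PATH and writes under a scratch directory `$WORK`; the certificate it generates, and the names in its Subject Alternative Name, are made up here so the script runs offline.

```shell
#!/bin/sh
# Added example, not code from the thread: convert an OPC UA application
# certificate between DER (what UaExpert exports) and PEM (what the PLCnext
# trust store accepts) with openssl, and inspect what is inside.
# Assumptions: openssl 1.1.1 or newer is on PATH; files live under $WORK;
# the certificate and the names in it are constructed for the demo.
set -eu

WORK="${WORK:-${TMPDIR:-/tmp}/opcua-cert-demo}"
mkdir -p "$WORK"

# Report "pem" if the file starts with a PEM armor line, otherwise "der".
# DER starts with the ASN.1 SEQUENCE tag 0x30, never with "-----BEGIN".
cert_format() {
    if head -n 1 "$1" | grep -q -- '-----BEGIN'; then echo pem; else echo der; fi
}

# Convert DER -> PEM ($1 = input, $2 = output).
der_to_pem() {
    openssl x509 -inform der -in "$1" -outform pem -out "$2"
}

# Convert PEM -> DER ($1 = input, $2 = output).
pem_to_der() {
    openssl x509 -inform pem -in "$1" -outform der -out "$2"
}

# SHA-256 fingerprint of a certificate in either encoding. The same value in
# both forms shows the conversion did not change the certificate itself.
fingerprint() {
    openssl x509 -inform "$(cert_format "$1")" -in "$1" -noout -fingerprint -sha256 \
        | cut -d= -f2
}

# Print the Subject Alternative Name block. For OPC UA the URI entry must equal
# the application URI the client announces, and for a server certificate the
# DNS/IP entry must match the host in the endpoint URL (Martin's point above).
show_san() {
    openssl x509 -inform "$(cert_format "$1")" -in "$1" -noout -text \
        | grep -A 1 'Subject Alternative Name'
}

# Build a throw-away self-signed certificate standing in for the one UaExpert
# exports (constructed here so the demo runs offline). Prints the DER path.
make_sample_der() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 -sha256 \
        -keyout "$WORK/client.key" -out "$WORK/client.tmp.pem" \
        -subj "/CN=UaExpert@demo-host/O=Example" \
        -addext "subjectAltName=URI:urn:demo-host:UnifiedAutomation:UaExpert,DNS:demo-host" \
        >/dev/null 2>&1
    pem_to_der "$WORK/client.tmp.pem" "$WORK/client.der"
    rm -f "$WORK/client.tmp.pem"
    echo "$WORK/client.der"
}

# Demo: DER -> PEM -> DER round trip, with the checks a practitioner would run
# before copying the .pem into the server's trust store.
DER=$(make_sample_der)
der_to_pem "$DER" "$WORK/client.pem"
pem_to_der "$WORK/client.pem" "$WORK/client.roundtrip.der"
cmp -s "$DER" "$WORK/client.roundtrip.der" \
    || { echo "round trip changed the certificate bytes" >&2; exit 1; }
echo "round trip: byte-identical"
echo "fingerprint (der): $(fingerprint "$DER")"
echo "fingerprint (pem): $(fingerprint "$WORK/client.pem")"
show_san "$WORK/client.pem"
```

The `.crt` extension does not fix an encoding; if the PLCnext upload dialog only accepts `.crt` (an assumption about the UI), rename the converted `client.pem` and the content stays the same. Compare the printed fingerprint with the file after it lands on the PLC so you know which certificate you trusted, and put the client certificates back into the trust store: as the thread itself notes, with the trust store emptied the server no longer checks whether the connecting client is known, so the Basic256Sha256 channel then encrypts traffic without authenticating the client.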