Professional Communication
Software Development Tools

OPC Foundation member and certified logos

lupa

Online Forums

Technical support is provided through Support Forums below. Anybody can view them; you need to Register/Login to our site (see links in upper right corner) in order to Post questions or issues. You do not have to own a commercial license in order to use the OPC Labs supportOur team is actively monitoring the forums, and provides replies as soon as possible.

Please read Rules for forum posts before reporting your issue or asking a question. OPC Labs team is actively monitoring the forums, and replies as soon as possible.

Various technical information can also be found in our Knowledge Base. For your convenience, we have also assembled a Frequently Asked Questions page.

Do not use the Contact page for technical issues.

Client supplied certificate instead of username and password

More
09 Jan 2026 18:29 #14537 by Cwardltu
Replied by Cwardltu on topic Client supplied certificate instead of username and password
Yes I have been meaning to get back to you. Thank you so much for the indepth responce this got me 90% of they way there. the one thing missing was the certs were not being correctly generated. I have included the script i ran that generated the cert with all the extensions needed to work with prosys.
Code:
set openssl="C:\Program Files\OpenSSL-Win64\bin\openssl.exe" :: 1. Generate Private Key %openssl% genrsa -out user_private_key.pem 2048 :: 2. Generate Certificate with required OPC UA Extensions :: NOTE: Multiple -addext flags are used to ensure the validator sees all required fields. %openssl% req -x509 -new -nodes -key user_private_key.pem -days 365 ^   -out user_certificate.pem ^   -subj "/C=US/O=MyCompany/CN=John Doe" ^   -addext "keyUsage = critical, digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment" ^   -addext "extendedKeyUsage = clientAuth" ^   -addext "basicConstraints = critical, CA:FALSE" :: 3. Convert to DER (Standard format for OPC UA trust stores) %openssl% x509 -in user_certificate.pem -outform der -out user_certificate.der :: 4. Convert to PFX (For importing into your Client Application) %openssl% pkcs12 -export -keypbe NONE -certpbe NONE -nomaciter -passout pass: ^   -out user_certificate.pfx -inkey user_private_key.pem -in user_certificate.pem -name "John Doe"

Thanks,
Connor
The following user(s) said Thank You: support

Please Log in or Create an account to join the conversation.

More
09 Jan 2026 16:26 #14536 by support
Replied by support on topic Client supplied certificate instead of username and password
Hello,

I just wonder if you had an opportunity to try out what I described in my latest post. Have you made it work, or do you need anything else?

Best regards

Please Log in or Create an account to join the conversation.

More
02 Jan 2026 13:21 #14533 by support
Replied by support on topic Client supplied certificate instead of username and password
Hello.

I have documented the code, and steps needed to make it work with Prosys OPC UA Simulation Server, here:  kb.opclabs.com/Authenticating_with_OPC_UA_user_certificate_i...rosys_OPC_UA_Simulation_Server

I hope it helps.
Best regards
 

Please Log in or Create an account to join the conversation.

More
29 Dec 2025 21:04 #14527 by support
Replied by support on topic Client supplied certificate instead of username and password
Hello.

I do not quite understand what you mean. There is just one way to use certificates for user authentication in OPC UA, and that is what the WithX509CertificateIdentity method does.

I will try to set it up here with the Prosys simulation server, and document the steps.

Best regards
 

Please Log in or Create an account to join the conversation.

More
29 Dec 2025 20:09 #14526 by Cwardltu
Replied by Cwardltu on topic Client supplied certificate instead of username and password
Additionally, I was reading the documentation it seems like the property WithX509CertificateIdentity is not using the cert as authentication. it is taking the user identity from a value in the file from my understanding. This wont work for what I am looking for. is there a way to use the cert as the form of authentication? 

Please Log in or Create an account to join the conversation.

More
29 Dec 2025 13:44 #14525 by Cwardltu
Replied by Cwardltu on topic Client supplied certificate instead of username and password
prosysopc.com/products/opc-ua-simulation-server/


This is the one I am using. it has cert auth. Currently I can not get it to work. I'm probably setting it up wrong. 

Please Log in or Create an account to join the conversation.

More
24 Dec 2025 09:35 #14520 by support
Replied by support on topic Client supplied certificate instead of username and password
Hello.

Which ProsysOPC server you intend to use? I will investigate the same product.

Regards

Please Log in or Create an account to join the conversation.

More
23 Dec 2025 19:04 #14519 by Cwardltu
Replied by Cwardltu on topic Client supplied certificate instead of username and password
I started looking into useing prosys server. it looks as though they support certificate auth. 

I am still having issues connecting. I have everything in place. it should work.

I too am going to continue this after the holidays. please let me know if you got it working.

Please Log in or Create an account to join the conversation.

More
23 Dec 2025 15:11 #14518 by support
Replied by support on topic Client supplied certificate instead of username and password
Hello.

I had an initial look. You are right that KepServerEx does not have user authentication via certificates out of the box; but I found this:

support.ptc.com/help/kepware/kepware_server/en/index.html#pa...e/server/uag-certificates.html

So one would have to add the UA Gateway ( www.ptc.com/en/resources/iiot/manufacturing/kepware/infographic/ua-gateway ) possibly?

Best regards
 

Please Log in or Create an account to join the conversation.

More
23 Dec 2025 14:48 #14517 by Cwardltu
Replied by Cwardltu on topic Client supplied certificate instead of username and password
Save you some time, 

Kepserver does not support certificate user authentication so i am moving to prosys.

 

Please Log in or Create an account to join the conversation.

Moderators: supportvaclav.zaloudek
Time to create page: 0.136 seconds