Prevent expired OPC UA certificates halting your production line

Originally published on August 03, 2021 by Shaun Behrens
Last updated on August 31, 2021

In recent times, OPC UA has become widely adopted in industrial IT environments. In short, it provides a common communication standard that allows elements from various parts of the industrial infrastructure to communicate with one another. One of the most basic aspects of OPC UA is the OPC UA certificate, which provides a level of security between communicating components. But what happens when these certificates expire? And how can you monitor them so that you always know what their status is?

What are OPC UA certificates?

We won't go into too much detail here, since OPC UA certificates are based on the certificate-based encryption that is common in IT. But for some clarification, here is the definition of an OPC UA certificate, as given in the OPC UA Online Reference:

A Certificate is an electronic ID that can be held by an OPC UA Application. The ID includes information that identifies the holder, the issuer, and a unique key that is used to verify Digital Signatures created with the associated Private Key. The syntax of these Certificates conforms to the X.509 specification and as a result these Certificates are also called “X.509 Certificates”.

Essentially, these certificates allow communication between OPC UA applications. The concept is based on asymmetric cryptography, where a private and a public key are used to ensure that the communicating applications are authorized to do so. For a more detailed (and elegant) explanation, refer to the above-mentioned OPC UA Online Reference.

To ensure a higher level of security, certificates can have an expiration date, at which point they must be replaced by new certificates. As a general rule of thumb, this should occur fairly regularly. 

Managing the certificate expiration date

While configuring regular expiration dates is best practice for increased security, there is a danger that comes with this: when certificates expire, communication between applications is no longer possible. And this can potentially have a negative impact in an industrial environment.

For example: machines on the factory floor might be connected to a Programmable Logic Controller (PLC) using OPC UA, and the PLC might connect to controller systems (like MES, SCADA or an ERP) using OPC UA. If OPC UA certificates expire, these connections may no longer be established. Depending on your architecture, expired certificates can affect communication on the shop floor, or even lead to a halt in production in some cases.

Because of this, keeping an eye on the expiration date of OPC UA certificates is crucial.  

Monitoring OPC UA certificates with PRTG

Paessler PRTG monitoring solutions include the capability to monitor various aspects of OPC UA, and one of these aspects is certificates. With the OPC UA Certificate sensor, you can get details of a certificate on an OPC UA server, such as the number of days to expiry, whether or not it is self-signed, and the public key length. You can also set up alerts that will warn you when the certificate is approaching expiry. 
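The same three checks (time to expiry, self-signed or not, public key length) can also be scripted against a certificate file on disk. The following is an added example, not Paessler or PRTG code; it assumes the `openssl` CLI is installed and that the application's certificate is available as a DER or PEM file. The function name and the path in the usage comment are hypothetical.

```bash
# Added example: expiry state, self-signed flag and key size for one
# OPC UA application certificate file, using only the openssl CLI.
# Usage:  opcua_cert_status FILE [WARN_DAYS] [DER|PEM]
#   e.g.  opcua_cert_status /path/to/pki/own/certs/server.der 30   (hypothetical path)
# Return code: 0 = OK, 1 = expires within WARN_DAYS, 2 = expired, 3 = unreadable
opcua_cert_status() {
    local file=$1 warn_days=${2:-30} form=${3:-DER}
    local not_after bits subj iss self_signed=no state=OK rc=0

    # Fail closed if the file is missing or is not a parsable certificate.
    if ! not_after=$(openssl x509 -inform "$form" -in "$file" -noout -enddate 2>/dev/null); then
        echo "file=$file state=UNREADABLE"
        return 3
    fi
    not_after=${not_after#notAfter=}

    # -checkend N exits non-zero when the certificate expires within N seconds.
    if ! openssl x509 -inform "$form" -in "$file" -noout -checkend 0 >/dev/null; then
        state=EXPIRED; rc=2
    elif ! openssl x509 -inform "$form" -in "$file" -noout \
            -checkend $((warn_days * 86400)) >/dev/null; then
        state=WARNING; rc=1
    fi

    # Equal subject and issuer name hashes: the certificate names itself as
    # issuer, which this check reports as self-signed (signature not verified).
    subj=$(openssl x509 -inform "$form" -in "$file" -noout -subject_hash)
    iss=$(openssl x509 -inform "$form" -in "$file" -noout -issuer_hash)
    if [ "$subj" = "$iss" ]; then self_signed=yes; fi

    # Public key size as printed in the text dump, e.g. "Public-Key: (2048 bit)".
    bits=$(openssl x509 -inform "$form" -in "$file" -noout -text |
           sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p')

    echo "file=$file state=$state not_after=\"$not_after\" self_signed=$self_signed key_bits=$bits"
    return $rc
}
```

Run from a scheduler, the return code can drive an alert well before the certificate lapses, and the UNREADABLE state catches a certificate file that has been moved or replaced with something that does not parse.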

In the video below, my colleague, Johannes, shows you in around two minutes how to set the sensor up, and what information you get from it:


Do you utilize OPC UA in your environment? How do you track the expiration dates of your OPC UA certificates? Let me know in the comments below!