How to modify the OPC UA certificate Expiration Date?

Products: Aspen Cim-IO for OPC-UA 
Last Updated: 07-Mar-2025
Versions: 
Article ID: 000103226
Primary Subject: 

Installation of V14.0 or above IP.21 OPC UA Server certificate with expiration date greater than 1 year.

 

The V14.0 IP21 OPC UA Server certificate has a default expiration date of 1 year. If a certificate with a later expiration date is required, the default V14.0 certificate of the IP21 OPC UA Server should be uninstalled first, and then a new certificate with a 5-year expiration should be created and installed manually.

In V14 or above versions, the Store Type of IP21 OPC UA Server certificate is Directory, and the Store Path is 'C:\ProgramData\OPC Foundation\CertificateStores'. These details are configured in the OPC UA configuration file for IP21 OPC UA Server at C:\ProgramData\AspenTech\InfoPlus.21\db21\group200\tsk_opcua_server.opcua.config.xml

 

Steps to uninstall certificate of V14.0 or above IP.21 OPC UA Server

 

1. Stop TSK_OPCUA_SVR from IP21 Manager

2. Open Command Prompt with Admin rights and perform the following steps

2.1 Change folder to C:\Program Files\AspenTech\InfoPlus.21\db21\code

2.2 Run command IP21OpcUAServerHost.exe /uninstall

Ignore any errors in the above step.

 

3. Verify the ‘AspenTech InfoPlus21 OPC UA Server’ certificate is removed from the folders below

- C:\ProgramData\OPC Foundation\CertificateStores\MachineDefault\certs

- C:\ProgramData\OPC Foundation\CertificateStores\MachineDefault\private

- C:\ProgramData\OPC Foundation\CertificateStores\UA Applications\certs

If the certificate still exists in any of the above folders, then delete it.

 

Steps to create and install new certificate of V14.0 or above IP21 OPC UA server

 

An IP21 OPC UA Server certificate with a later expiration date can be created with Opc.Ua.CertificateGenerator.exe from the OPC Foundation, which is distributed along with the IP.21 OPC UA Server. The -lm argument to Opc.Ua.CertificateGenerator.exe configures the expiration date; the command below passes it a value of 60 for 60 months.

Please follow the steps below to create a V14.0 IP.21 OPC UA Server certificate with a later expiration date.

1. Open Command Prompt with Admin rights.

2. Create a new folder in C: using command mkdir c:\temp

3. Create a new certificate for the IP.21 OPC UA Server using Opc.Ua.CertificateGenerator.exe with a 60-month (5 years) expiration, using the command below:

"C:\Program Files\AspenTech\InfoPlus.21\db21\code\Opc.Ua.CertificateGenerator.exe" -cmd issue -sp c:\Temp -an IP21OpcUAServerHost.exe -sn "CN=AspenTech InfoPlus21 OPC UA Server/O=AspenTech/DC=%COMPUTERNAME%" -au "urn:%COMPUTERNAME%:AspenTech:InfoPlus21:UA:Server" -dn "%COMPUTERNAME%" -hs 256 -ks 2048 -lm 60

 

4. Verify AspenTech InfoPlus21 OPC UA Server certificate is created in the folders below:

- C:\temp\certs

- C:\temp\private

 

5. Select the AspenTech InfoPlus21 OPC UA Server in C:\temp\certs and double click to view the certificate. Switch to Details tab, select 'Valid to' field and verify the certificate has 5-year expiration date.


 

6. Perform the steps below to copy the certificate into the Store Path of IP21 OPC UA Server:

- Copy AspenTech InfoPlus21 OPC UA Server certificate from C:\temp\certs\ To C:\ProgramData\OPC Foundation\CertificateStores\MachineDefault\certs

- Copy AspenTech InfoPlus21 OPC UA Server certificate from C:\temp\certs To C:\ProgramData\OPC Foundation\CertificateStores\UA Applications\certs

- Copy AspenTech InfoPlus21 OPC UA Server private key from C:\temp\private to C:\ProgramData\OPC Foundation\CertificateStores\MachineDefault\private

- Delete folder C:\temp

 

7. Perform the steps below to install certificate:

7.1 Select AspenTech InfoPlus21 OPC UA Server certificate in C:\ProgramData\OPC Foundation\CertificateStores\MachineDefault\certs and right click on it.

7.2 Select Install Certificate

7.3 Select 'Current User' as Store Location and click Next

7.4 Select 'Automatically select the certificate store based on the type of certificate.' and click Next

7.5 Click Finish

 

8. Start TSK_OPCUA_SVR from IP21 Manager.

9. Verify there is just a single certificate ‘AspenTech InfoPlus21 OPCUA Server.’ in C:\ProgramData\OPC Foundation\CertificateStores\MachineDefault\private.

Note: If there is more than one certificate of ‘AspenTech InfoPlus21 OPCUA Server..’, then the manually created certificate is incorrect.
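
The checks in steps 5 and 9 can also be scripted. The PowerShell below is an added example, not part of the original article or an AspenTech tool: it reads the store folders named above, reports each certificate's validity dates, and warns about duplicates or a short lifetime. The file-name wildcard, the 59-month threshold and the assumption that files in the certs folders can be loaded directly as X.509 certificates are choices made for this example.

```powershell
# Added example: read-only checks for steps 5 and 9 of the article.
# Store path comes from the article; $pattern and $minMonths are assumptions.
$store     = 'C:\ProgramData\OPC Foundation\CertificateStores'
$pattern   = 'AspenTech InfoPlus21*'   # assumed to match the generated file names
$minMonths = 59                         # just under the 60 months requested with -lm 60
$folders   = 'MachineDefault\certs', 'UA Applications\certs', 'MachineDefault\private'

$problems    = @()
$thumbprints = @()

foreach ($sub in $folders) {
    $path  = Join-Path $store $sub
    $files = @()
    if (Test-Path -LiteralPath $path) {
        $files = @(Get-ChildItem -LiteralPath $path -File -Filter $pattern)
    }
    # Step 9: exactly one matching file is expected in each folder
    if ($files.Count -ne 1) {
        $problems += "$sub : expected 1 matching file, found $($files.Count)"
    }
    # Private-key files are only counted, never opened
    if ($sub -like '*\private') { continue }

    foreach ($f in $files) {
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $f.FullName
        $thumbprints += $cert.Thumbprint
        # Step 5: 'Valid to' must be about five years after 'Valid from'
        if ($cert.NotAfter -lt $cert.NotBefore.AddMonths($minMonths)) {
            $problems += "$($f.Name) : expires $($cert.NotAfter.ToString('yyyy-MM-dd')), under $minMonths months"
        }
        # Emit one row per certificate for the operator to review
        [pscustomobject]@{
            Folder     = $sub
            Thumbprint = $cert.Thumbprint
            NotBefore  = $cert.NotBefore
            NotAfter   = $cert.NotAfter
        }
    }
}

# Both certs folders should hold copies of the same certificate (step 6)
if (@($thumbprints | Select-Object -Unique).Count -gt 1) {
    $problems += 'certs folders hold different certificates (thumbprints differ)'
}

if ($problems) { $problems | ForEach-Object { Write-Warning $_ } }
else           { Write-Output 'Certificate store checks passed.' }
```

Run it from an elevated PowerShell prompt after step 8. It changes nothing on disk.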