How to modify the Aspen InfoPlus.21 OPC UA Server certificate Expiration Date?

Download as pdf : 
Products: Aspen InfoPlus.21 
Last Updated: 10-Feb-2026
Versions: 
Article ID: 000103226
Primary Subject: 

Installation of V14.0 or above IP.21 OPC UA Server certificate with expiration date greater than 1 year.

The V14.0 or above IP.21 OPC UA server certificate has a default expiration date of 1 year. If a certificate with higher expiration date is required, then the default certificate of IP.21 OPC UA Server should be uninstalled first, and then a new certificate with 5-year expiration should be created and installed manually.

In V14 or above versions, the Store Type of IP.21 OPC UA Server certificate is Directory, and the Store Path is 'C:\ProgramData\OPC Foundation\CertificateStores'. These details are configured in the OPC UA configuration file for IP.21 OPC UA Server at C:\ProgramData\AspenTech\InfoPlus.21\db21\group200\tsk_opcua_server.opcua.config.xml

Steps to uninstall certificate of V14.0 or above IP.21 OPC UA Server

  1. Stop TSK_OPCUA_SVR from IP.21 Manager
  2. Open Command Prompt with Admin right and perform the following steps
    • Change folder to C:\Program Files\AspenTech\InfoPlus.21\db21\code
    • Run command 
      IP.21OpcUAServerHost.exe /uninstall

    Ignore any errors in the above step.
  3. Verify the ‘AspenTech InfoPlus21 OPC UA Server’ certificate is removed from the folders below
    • C:\ProgramData\OPC Foundation\CertificateStores\MachineDefault\certs
    • C:\ProgramData\OPC Foundation\CertificateStores\MachineDefault\private
    • C:\ProgramData\OPC Foundation\CertificateStores\UA Applications\certs
    If the certificate still exists in the above folder, then delete it.

Steps to create and install new certificate of V14.0 or above IP.21 OPC UA server

An IP.21 OPC UA Server certificate with higher expiration date can be created with the help of Opc.Ua.CertificateGenerator.exe from OPC Foundation that is distributed along with IP.21 OPC UA Server. The -lm argument to Opc.Ua.CertificateGenerator.exe is used to configure the expiration date.

Please follow the steps below to create a V14.0 or above IP.21 OPC UA server certificate with higher expiration date.


A screenshot of a computer programDescription automatically generated
  1. Open Command Prompt with Admin rights.
  2. Create a new folder in C: using command 
    mkdir c:\temp
     
  3. Change to directory that contains IP.21OpcUAServerHost.exe using command 
    CD "C:\Program Files\AspenTech\InfoPlus.21\db21\code"
  4. Create a new certificate for IP.21 OPC UA server using Opc.Ua.CertificateGenerator.exe with 60 months (5 years) expiration with command below:
    "C:\Program Files\AspenTech\InfoPlus.21\db21\code\Opc.Ua.CertificateGenerator.exe" -cmd issue -sp c:\Temp -an IP.21OpcUAServerHost.exe -sn CN="AspenTech InfoPlus21 OPC UA Server/O=AspenTech/DC=%COMPUTERNAME%" -au "urn:%COMPUTERNAME%:AspenTech:InfoPlus21:UA:Server" -dn "%COMPUTERNAME%" -hs 256 -ks 2048 -lm 60
  5. Verify AspenTech InfoPlus21 OPC UA Server certificate is created in the folders below:
    • C:\temp\certs
    • C:\temp\private

  6. Select the AspenTech InfoPlus21 OPC UA Server in C:\temp\certs and double click to view the certificate. Switch to Details tab, select 'Valid to' field and verify the certificate has 5-year expiration date.

  • Perform the steps below to move the certificate into the Store Path of IP.21 OPC UA Server:
    • Copy AspenTech InfoPlus21 OPC UA Server certificate from C:\temp\certs\ to C:\ProgramData\OPC Foundation\CertificateStores\MachineDefault\certs
    • Move AspenTech InfoPlus21 OPC UA Server certificate from C:\temp\certs\ to C:\ProgramData\OPC Foundation\CertificateStores\UA Applications\certs
    • Move AspenTech InfoPlus21 OPC UA Server private key from C:\temp\private\ to C:\ProgramData\OPC Foundation\CertificateStores\MachineDefault\private
    • Tidy up C:\temp (remove empty certs and private folders)
  • Perform the steps below to install certificate:
    1. Select AspenTech InfoPlus21 OPC UA Server certificate in C:\ProgramData\OPC Foundation\CertificateStores\MachineDefault\certs and right click on it.
    2. Select Install Certificate
    3. Select 'Current User' as Store Location and click Next
    4. Select 'Automatically select the certificate store based on the type of certificate.' and click Next
    5. Click Finish
  • Start TSK_OPCUA_SVR from IP.21 Manager.
  • Verify there is just single pfx file named ‘AspenTech InfoPlus21 OPCUA Server...’ in C:\ProgramData\OPC Foundation\CertificateStores\MachineDefault\private
    Note: If there are more than one certificate of ‘AspenTech InfoPlus21 OPCUA Server..’, then the manually created certificate is incorrect.