OPC-UA Certificates

When connecting to an OPC-UA server with a security mode other than None, Koios uses X.509 certificates to establish trust. The server verifies Koios's client certificate, and in some cases Koios verifies the server's certificate as well.

Certificates are only required when the Security Mode is set to Sign or Sign & Encrypt. If you're connecting with Security Mode None, no certificate is needed.

Koios manages certificates centrally — you create them once and assign them to any number of OPC-UA devices.

Managing Certificates

The certificate manager is found on the OPC-UA protocol detail page under the Certificates tab. Navigate to Protocols and select OPC-UA to access it.

The certificates table shows all available client certificates with their name, common name, expiry date, the number of devices using each one, and their current status.

Certificate Status

Each certificate shows one or more status badges:

  • Valid: The certificate is within its validity period and ready to use
  • Expired: The certificate has passed its expiry date and should be regenerated or replaced
  • Missing Files: The certificate or private key file is not present on disk — downloads will be unavailable

One certificate is always marked as the default (indicated by a star icon). Devices that don't have a specific certificate assigned will use the default certificate automatically.

Generating a Certificate

The simplest way to get started is to let Koios generate a self-signed certificate.

  1. On the Certificates tab, click Generate
  2. Enter a Name for the certificate (e.g. "Plant A Certificate")
  3. Optionally enter a Description
  4. Optionally enter a Hostname — this is used in the certificate's Common Name and Application URI. If left blank, Koios uses the system hostname
  5. Click Generate

The new certificate appears in the table immediately and can be assigned to devices. Generated certificates are self-signed — most OPC-UA servers require you to explicitly trust them before they'll accept a secure connection (see Establishing Trust below).

Uploading a Certificate

If you have an existing certificate and private key (e.g. issued by your organization's CA), you can upload them.

  1. On the Certificates tab, click Upload
  2. Enter a Name for the certificate
  3. Optionally enter a Description
  4. Select the Certificate File — DER or PEM encoded X.509 certificate (.der, .pem, .crt, or .cer)
  5. Select the Private Key File — PEM encoded private key (.pem or .key)
  6. Click Upload

Viewing Certificate Details

Click any row in the certificates table to open a detail drawer showing:

  • Common Name — the X.509 subject CN
  • Organization — the organization field, if present
  • Application URI — the OPC-UA application URI embedded in the certificate
  • Validity — the "Valid From" and "Valid Until" dates
  • Assigned Devices — how many devices are using this certificate
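The following shell script is an added example and is not part of Koios. It builds a self-signed client certificate of the kind the Generate dialog produces (subject CN set to the hostname, an OPC-UA Application URI in the subjectAltName, the key usages OPC-UA servers expect) and then reads back the fields the detail drawer displays (Common Name, Application URI, Valid/Expired status) from the exported .der. It is also a useful check on a certificate issued by your own CA before you upload it: OPC-UA servers compare the URI in the SAN against the client's ApplicationUri, so a cert without one is usually rejected. The urn:HOST:Koios naming scheme and the "Example Org" organization are assumptions for the example; Koios's real Application URI format is not documented on this page. Requires OpenSSL 1.1.1 or newer.

```shell
#!/bin/sh
# Added example (not Koios code). Generates an OPC-UA style self-signed client
# certificate and inspects it the way the Koios certificate detail drawer does.
set -eu

# make_client_cert DIR HOSTNAME [APP_NAME]
# Writes DIR/client.key (PEM private key), DIR/client.pem and DIR/client.der.
# The Application URI urn:HOSTNAME:APP_NAME is an assumed scheme; it must appear
# as a URI entry in the subjectAltName or most OPC-UA servers refuse the client.
make_client_cert() {
  dir=$1; host=$2; app=${3:-Koios}
  app_uri="urn:${host}:${app}"
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
    -keyout "$dir/client.key" -out "$dir/client.pem" \
    -subj "/CN=${host}/O=Example Org" \
    -addext "subjectAltName=URI:${app_uri},DNS:${host}" \
    -addext "keyUsage=critical,digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment" \
    -addext "extendedKeyUsage=serverAuth,clientAuth"
  # The .der is what you import into a server's trusted folder.
  openssl x509 -in "$dir/client.pem" -outform DER -out "$dir/client.der"
}

# cert_cn FILE.der -> prints the subject CN (the "Common Name" row).
cert_cn() {
  openssl x509 -inform DER -in "$1" -noout -subject -nameopt RFC2253 \
    | sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# cert_app_uri FILE.der -> prints the URI from the SAN (the "Application URI" row).
cert_app_uri() {
  openssl x509 -inform DER -in "$1" -noout -ext subjectAltName \
    | sed -n 's/.*URI:\([^,]*\).*/\1/p'
}

# cert_validity FILE.der -> prints the notBefore/notAfter lines (the "Validity" row).
cert_validity() {
  openssl x509 -inform DER -in "$1" -noout -dates
}

# cert_status FILE.der -> prints "Valid" or "Expired" (the status badge).
# -checkend 0 exits non-zero once the notAfter date has passed.
cert_status() {
  if openssl x509 -inform DER -in "$1" -noout -checkend 0 >/dev/null 2>&1; then
    echo Valid
  else
    echo Expired
  fi
}
```

Usage: `make_client_cert /tmp/certs plant-a.example.com` then `cert_cn /tmp/certs/client.der`, `cert_app_uri /tmp/certs/client.der`, `cert_validity /tmp/certs/client.der` and `cert_status /tmp/certs/client.der`. Run the three inspection functions against any .der you intend to upload; if `cert_app_uri` prints nothing, the certificate has no Application URI and will need to be reissued.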

Downloading Certificate Files

If the certificate files exist on disk, the detail drawer shows download buttons:

  • Certificate (.der) — the public certificate file, which you may need to import into OPC-UA servers for trust
  • Private Key (.pem) — the private key file. Only download this when necessary (e.g. for backup) — anyone with the private key can impersonate Koios to your OPC-UA servers.

Regenerating a Certificate

If a certificate has expired or been compromised, you can regenerate it in place. This creates a new key pair and certificate while keeping the same name and device assignments.

  1. Open the certificate's detail drawer
  2. Click Regenerate Certificate
  3. Confirm the action

Deleting a Certificate

  1. Open the certificate's detail drawer
  2. Click Delete Certificate (this button is hidden for the default certificate — the default cannot be deleted)
  3. Confirm the action

Devices that were assigned to the deleted certificate will fall back to the default certificate.

Assigning Certificates to Devices

Certificates are assigned on each OPC-UA device's Configuration tab.

  1. Navigate to the device's detail page
  2. On the Configuration tab, set the Security Mode to Sign or Sign & Encrypt — the certificate selector appears
  3. Choose a certificate from the Client Certificate dropdown, or leave it blank to use the default
  4. You can also click the + button next to the dropdown to generate a new certificate without leaving the device page
  5. Save the configuration

Establishing Trust with OPC-UA Servers

Most OPC-UA servers won't accept a secure connection from an unknown client. After generating or uploading a certificate in Koios, you typically need to:

  1. Download the Koios client certificate (.der file) from the detail drawer
  2. Import it into the OPC-UA server's trusted certificates folder — the exact location depends on the server software
  3. Restart the OPC-UA server if required (some servers pick up new trusted certificates automatically)

Some servers support an "accept on first connect" workflow where they automatically move rejected certificates to a pending folder. In that case:

  1. Trigger a connection attempt from Koios — either enable the device or click Test on the device's Configuration tab. The connection will fail with a message like "Certificate rejected by server"
  2. On the OPC-UA server, find the rejected certificate and move it to the trusted folder
  3. Koios will automatically connect on the next scan cycle if the device is enabled. If you used the Test button, click Test again to verify
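Before moving a certificate from a server's rejected folder to its trusted folder, confirm that it is the certificate you downloaded from Koios and not some other client's: anything in the trusted folder is allowed to open secure sessions. The shell script below is an added example, not Koios code or any server vendor's tooling; it compares SHA-256 fingerprints, accepts either DER or PEM files (rejected folders hold both, depending on the server), and locates the matching file in a rejected directory. The directory layout and file names are assumptions; use whatever your server documents.

```shell
#!/bin/sh
# Added example (not Koios code). Identify the Koios client certificate in an
# OPC-UA server's rejected folder by fingerprint before trusting it.
set -eu

# inform_of FILE -> "PEM" or "DER", decided from the first ten bytes of the file.
inform_of() {
  case "$(head -c 10 "$1")" in
    "-----BEGIN") echo PEM ;;
    *)            echo DER ;;
  esac
}

# cert_fingerprint FILE -> lower-case SHA-256 fingerprint, colons removed,
# so the same certificate gives the same value whether stored as .der or .pem.
cert_fingerprint() {
  openssl x509 -inform "$(inform_of "$1")" -in "$1" -noout -fingerprint -sha256 \
    | cut -d= -f2 | tr -d ':' | tr 'A-F' 'a-f'
}

# find_rejected REJECTED_DIR EXPECTED_CERT
# Prints the path of the one file in REJECTED_DIR whose fingerprint matches
# EXPECTED_CERT (the .der downloaded from Koios); exits 1 if nothing matches,
# which means the rejected entry is not Koios and should not be trusted.
find_rejected() {
  want=$(cert_fingerprint "$2")
  for f in "$1"/*; do
    [ -f "$f" ] || continue
    # Non-certificate files in the folder are skipped rather than aborting.
    got=$(cert_fingerprint "$f" 2>/dev/null || true)
    if [ "$got" = "$want" ]; then
      echo "$f"
      return 0
    fi
  done
  return 1
}
```

Usage: `f=$(find_rejected /path/to/server/pki/rejected/certs ~/Downloads/koios-client.der) && mv "$f" /path/to/server/pki/trusted/certs/`. If `find_rejected` fails, leave the rejected folder alone and investigate which client attempted the connection.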

The exact trust process varies by OPC-UA server software (Kepware, Prosys, Unified Automation, Siemens, etc.). Refer to your server's documentation for details on managing trusted client certificates.