OPC UA® security compliance list 

Note: If the Security Profile is activated, you must always use sign & encrypt.

OPC UA® Server

Profile: Embedded 2017 UA Server

Facets:

  • Global Certificate Management Server Facet
  • User Token - User Name Password Server Facet

SecurityPolicy:

Available as sign and as sign & encrypt:

  • Basic256Sha256
  • Aes128-Sha256-RsaOaep
  • Aes256-Sha256-RsaPss

 

OPC UA® Client

Profile: Minimum UA Client Profile

SecurityPolicy:

Available as sign and as sign & encrypt:

  • Basic256Sha256
  • Aes128-Sha256-RsaOaep
  • Aes256-Sha256-RsaPss

 

OpenSSL

Note: The OPC UA client and server use the OpenSSL library to validate X.509 certificates with the OpenSSL flag X509_V_FLAG_X509_STRICT set. With firmware 2024.0 LTS, which updates to OpenSSL 3.0, X.509 certificate validation became stricter, especially for non-self-signed certificates. This may cause the server to return the error BadSecurityChecksFailed on client connection attempts. Make sure that client issuer certificates as well as client application X.509 certificates conform to RFC 5280 as required by OPC UA Part 6, especially to the sections listed below. The same applies to user-managed server certificates.
  • 4.1.1.2 signatureAlgorithm
  • 4.1.2.6 Subject
  • 4.2.1.1 Authority Key Identifier
  • 4.2.1.2 Subject Key Identifier
  • 4.2.1.3 Key Usage
  • 4.2.1.6 Subject Alternative Name
  • 4.2.1.9 Basic Constraints
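The note above names the RFC 5280 sections that strict validation checks but does not show how to produce or inspect a conforming certificate. The following shell script is an added example, not part of this documentation and not vendor code. It builds two OPC UA application instance certificates with OpenSSL, one self-signed and one issued by a small test CA, then checks them with `openssl verify -x509_strict`, which sets the same X509_V_FLAG_X509_STRICT flag the note refers to, and lists any of the extensions from the list above that are missing. The application URI `urn:example:opcua:client`, the host name and the working directory are placeholders, not values from the page.

```shell
#!/bin/sh
# Added example (not part of the original documentation, not vendor code):
# create OPC UA application instance certificates that carry the RFC 5280
# extensions from the list above, one self-signed and one CA-issued, and
# check them with OpenSSL's strict validation, the command-line form of
# X509_V_FLAG_X509_STRICT. Application URI, host name and working directory
# are placeholders (assumptions, not values from the page).
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"
APP_URI="${APP_URI:-urn:example:opcua:client}"          # placeholder applicationUri
HOST_NAME="${HOST_NAME:-opcua-client.example.invalid}"  # placeholder DNS name

# Extension profiles covering the listed sections: 4.2.1.2 SKI, 4.2.1.1 AKI,
# 4.2.1.3 Key Usage, 4.2.1.6 SAN (OPC UA Part 6 carries the applicationUri as a
# URI entry) and 4.2.1.9 Basic Constraints. default_md fixes the signature
# algorithm (4.1.1.2), [dn] gives a non-empty Subject (4.1.2.6). keyCertSign is
# set only in the self-signed profile: OpenSSL 1.1.1 does not accept a
# self-signed certificate as its own issuer without it, and OpenSSL 3.0 strict
# mode rejects it on a CA-issued certificate whose Basic Constraints say CA:FALSE.
write_config() {
    cat > "$WORKDIR/opcua.cnf" <<EOF
[ req ]
distinguished_name = dn
prompt             = no
default_md         = sha256

[ dn ]
CN = $HOST_NAME
O  = Example Org

[ app_self_signed ]
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid:always
basicConstraints       = critical, CA:FALSE
keyUsage               = critical, digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment, keyCertSign
extendedKeyUsage       = serverAuth, clientAuth
subjectAltName         = URI:$APP_URI, DNS:$HOST_NAME

[ app_ca_issued ]
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid:always
basicConstraints       = critical, CA:FALSE
keyUsage               = critical, digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
extendedKeyUsage       = serverAuth, clientAuth
subjectAltName         = URI:$APP_URI, DNS:$HOST_NAME

[ issuer_ca ]
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid:always
basicConstraints       = critical, CA:TRUE
keyUsage               = critical, keyCertSign, cRLSign
EOF
}

# Self-signed 2048-bit RSA application certificate: app_self.crt / app_self.key
make_self_signed() {
    write_config
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 -config "$WORKDIR/opcua.cnf" \
        -extensions app_self_signed -keyout "$WORKDIR/app_self.key" \
        -out "$WORKDIR/app_self.crt" >/dev/null 2>&1
}

# Test CA (ca.crt) and an application certificate it issues (app_ca.crt)
make_ca_issued() {
    write_config
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 -config "$WORKDIR/opcua.cnf" \
        -subj "/CN=Example Issuer CA/O=Example Org" -extensions issuer_ca \
        -keyout "$WORKDIR/ca.key" -out "$WORKDIR/ca.crt" >/dev/null 2>&1
    openssl req -new -newkey rsa:2048 -nodes -config "$WORKDIR/opcua.cnf" \
        -keyout "$WORKDIR/app_ca.key" -out "$WORKDIR/app_ca.csr" >/dev/null 2>&1
    openssl x509 -req -in "$WORKDIR/app_ca.csr" -CA "$WORKDIR/ca.crt" \
        -CAkey "$WORKDIR/ca.key" -CAcreateserial -days 365 -sha256 \
        -extfile "$WORKDIR/opcua.cnf" -extensions app_ca_issued \
        -out "$WORKDIR/app_ca.crt" >/dev/null 2>&1
}

# Exit status 0 when certificate $1 passes strict RFC 5280 validation against
# trust anchor $2 ($1 itself when self-signed). A non-zero status is the case
# behind BadSecurityChecksFailed in the note; the output names the rule hit.
verify_strict() {
    openssl verify -x509_strict -CAfile "${2:-$1}" "$1"
}

# Print each listed extension that $1 lacks; prints nothing when all are present.
list_missing_extensions() {
    cert_text=$(openssl x509 -in "$1" -noout -text)
    for ext in "X509v3 Subject Key Identifier" "X509v3 Authority Key Identifier" \
               "X509v3 Key Usage" "X509v3 Subject Alternative Name" \
               "X509v3 Basic Constraints"; do
        printf '%s\n' "$cert_text" | grep -q "$ext" || echo "missing: $ext"
    done
}

# Exit status 0 when $1 is signed with sha256WithRSAEncryption (section 4.1.1.2).
signature_is_sha256_rsa() {
    openssl x509 -in "$1" -noout -text | grep -q 'Signature Algorithm: sha256WithRSAEncryption'
}

make_self_signed
make_ca_issued
verify_strict "$WORKDIR/app_self.crt"
verify_strict "$WORKDIR/app_ca.crt" "$WORKDIR/ca.crt"
for crt in app_self.crt app_ca.crt; do
    list_missing_extensions "$WORKDIR/$crt"
    signature_is_sha256_rsa "$WORKDIR/$crt" && echo "$crt: sha256WithRSAEncryption"
done
```

When strict validation fails for a CA-issued chain, `openssl verify` prints the violated rule, and the ones that matter most here are exactly the listed sections: the application certificate needs an Authority Key Identifier whose key identifier matches the issuer's Subject Key Identifier, the issuer certificate needs a Subject Key Identifier, a critical Basic Constraints CA:TRUE and a Key Usage containing keyCertSign, and a CA:FALSE application certificate must not carry keyCertSign. OpenSSL applies most of these strict checks only when the chain is longer than one certificate (RFC 6818 section 2 exempts self-signed end-entity certificates), which is why the note singles out non-self-signed certificates.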
• Published/reviewed: 2024-12-09 • Revision 015 •