Connecting WinCC OPCUA Server using sign and encryption techniques using free OPCUA Python Client Code & Basic256Sha256

**I am trying to connect to a WinCC OPCUA Server enabled with Basic256Sha256 with Sign&Encrypt.**

**How to generate / get the .der file on / from WinCC and the .pem file from the WinCC?**

**WinCC OPCUA Server is deployed on AWS Windows EC2 Instance.**

What will be the client connection code that will be used to connect to the WinCC OPC UA Server enabled with Basic256Sha256 with Sign&Encrypt?

I need the .der file and the .pem file for my Python OPCUA Client.

How to generate the .der file and the .pem file?

After the files are generated, do I need to keep the files on the WinCC OPC UA Server and the OPC UA Client?

Code 1:

    from opcua import Client

    client = Client("opc.tcp://localhost:4840/freeopcua/server/")
    # client = Client("opc.tcp://localhost:53530/OPCUA/SimulationServer/")
    # Format: policy,mode,certificate,private key (no spaces; the policy name is case-sensitive)
    client.set_security_string("Basic128Rsa15,SignAndEncrypt,certificate-example.der,private-key-example.pem")
    client.application_uri = "urn:example.org:FreeOpcUa:python-opcua"
    client.secure_channel_timeout = 10000
    client.session_timeout = 10000

Code 2:

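    import logging
    from opcua import Client

    logging.basicConfig(level=logging.WARN)
    client = Client("opc.tcp://localhost:53530/OPCUA/SimulationServer/")
    # Certificate and private key the client presents to the server
    client.load_client_certificate("server_cert.pem")
    client.load_private_key("mykey.pem")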

Code 3:

    import logging
    from opcua import Client

    logging.basicConfig(level=logging.DEBUG)
    client = Client("opc.tcp://localhost:53530/OPCUA/SimulationServer/")
    client.set_security_string("Basic128Rsa15,Sign,certificate-example.der,private-key-example.pem")

There are 1 best solutions below

Just guessing the version of WinCC (assuming 7.X), the .der file:

C:\Program Files (x86)\Siemens\WinCC\opc\UAServer\PKI\CA\certs

You must manually move the rejected certificate of your Python OPC UA client using a file manager. The certificates used by the WINCC OPC UA server are stored in the settings in the "OpcUaServerWinCC.xml" configuration file:

C:\Program Files (x86)\Siemens\WinCC\opc\UAServer\OpcUaServerWinCC.xml

The project specific configuration file is stored in the WinCC project folder under:

\opc\UAServer

Yes, the certificates must be available and valid at all times. Also, time synchronization is very important, due to security mechanisms.

The configuration of WinCC OPC UA can be found in your WinCC installation's help file, look for "Interfaces --> OPC - Open Connectivity --> WinCC OPC UA Server" and for the client "Communication --> OPC UA WinCC Channel"

Is this something that will get you started or are you not using WinCC 7?
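
As an added example (not part of the original question or answer, and not Siemens or python-opcua project code): one way to create the client's own `.der` certificate and `.pem` private key with the Python `cryptography` package. The application URI and file names are taken from the question's Code 1; the host name, common name and validity period are assumptions for illustration.

```python
import datetime
import pathlib

from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.x509.oid import ExtendedKeyUsageOID, NameOID

# Assumed values: APP_URI must equal client.application_uri; HOSTNAME is hypothetical.
APP_URI = "urn:example.org:FreeOpcUa:python-opcua"
HOSTNAME = "opcua-client.example.org"


def make_client_identity(app_uri=APP_URI, hostname=HOSTNAME, days=365):
    """Return (cert_der, key_pem) for a self-signed OPC UA client certificate."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "python-opcua client")])
    now = datetime.datetime.now(datetime.timezone.utc)
    cert = (
        x509.CertificateBuilder()
        .subject_name(name)
        .issuer_name(name)  # self-signed: issuer equals subject
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        # Backdated a few minutes so small clock skew does not make it "not yet valid".
        .not_valid_before(now - datetime.timedelta(minutes=5))
        .not_valid_after(now + datetime.timedelta(days=days))
        # OPC UA servers compare the URI in subjectAltName with the client's ApplicationUri.
        .add_extension(x509.SubjectAlternativeName(
            [x509.UniformResourceIdentifier(app_uri), x509.DNSName(hostname)]), critical=False)
        .add_extension(x509.BasicConstraints(ca=False, path_length=None), critical=True)
        .add_extension(x509.KeyUsage(
            digital_signature=True, content_commitment=True, key_encipherment=True,
            data_encipherment=True, key_agreement=False, key_cert_sign=False,
            crl_sign=False, encipher_only=False, decipher_only=False), critical=True)
        .add_extension(x509.ExtendedKeyUsage([ExtendedKeyUsageOID.CLIENT_AUTH]), critical=False)
        .sign(key, hashes.SHA256())
    )
    cert_der = cert.public_bytes(serialization.Encoding.DER)
    # Unencrypted PEM: restrict read access on this file to the client's account.
    key_pem = key.private_bytes(serialization.Encoding.PEM,
                                serialization.PrivateFormat.TraditionalOpenSSL,
                                serialization.NoEncryption())
    return cert_der, key_pem


if __name__ == "__main__":
    cert_der, key_pem = make_client_identity()
    pathlib.Path("certificate-example.der").write_bytes(cert_der)
    pathlib.Path("private-key-example.pem").write_bytes(key_pem)
```

Only the `.der` certificate is handed to the server side to be trusted; the private key stays on the client.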