Certificate and Private key OPC UA telegraf plugin

Does anyone have any experience integrating Telegraf's OPC UA plugin with the FactoryTalk Linx Gateway? I successfully did a test pull of data with the security policy set to None, but I can't figure out the private key path when I apply a security policy. Here are my steps:

  • I first verified the connection was working with Matrikon OPC UA Explorer by making a connection and trusting the incoming certificate; everything worked.
  • Then I made a test connection with Telegraf with security_policy set to Basic256Sha256 and security_mode set to SignAndEncrypt. This produced an untrusted certificate in the FactoryTalk Linx Gateway configuration UI. I trusted the new cert, as I did with the Matrikon connection, but when I tried to test the connection it failed with the same error and there was a new untrusted certificate in FT Linx Gateway.
  • Next I tried to hard-code the path to the trusted certificate in the OPC UA configuration file and retest the connection, but now it's saying I need a private key.

Any advice or general direction would be greatly appreciated.

Hi @blharvey,
Welcome to the community :slight_smile:! So hopefully I can help break down a little of what's happening here:

  1. Self-generated certificates: If you do not specify a certificate path in the Telegraf config, Telegraf will generate its own, so what you did was correct. However, there is a small snag that I have highlighted in a ticket: if the Telegraf service stops running, on its next boot it will generate a new certificate that has to be trusted in the store. Not great, I know, but something we will be working on.
  2. Using your own certificates: The path you have tried next is the one we recommend, as it's far more secure than auto-generated certificates. You can usually generate one via OpenSSL if you plan to self-sign it. Something like:
openssl genrsa -out key.pem 2048
openssl req -x509 -days 365 -new -out cert.pem -key key.pem -config ssl.conf

Make sure to edit the conf file first:

[ req ]
default_bits = 2048
default_md = sha256
distinguished_name = subject
req_extensions = req_ext
x509_extensions = req_ext
string_mask = utf8only
prompt = no

[ req_ext ]
# Application instance certificate, not a CA
basicConstraints = CA:FALSE
nsCertType = client, server
keyUsage = nonRepudiation, digitalSignature, keyEncipherment, dataEncipherment, keyCertSign
extendedKeyUsage = serverAuth, clientAuth
nsComment = "OpenSSL Generated Certificate"
# The URI entry must equal the ApplicationUri the client sends in CreateSession;
# servers compare the two and reject the certificate on a mismatch. The IP entry
# is the address of the host the client runs on.
subjectAltName = URI:urn:example.org:FreeOpcUa:python-opcua,IP:<CHANGE>

[ subject ]
countryName = DE
stateOrProvinceName = HE
localityName = HE
organizationName = <CHANGE>
commonName = <CHANGE>

This example was taken from Andreas: SecurePythonOpcUaClient/x509v3 at master · AndreasHeine/SecurePythonOpcUaClient · GitHub
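The OpenSSL recipe above encodes a specific extension set, and the part that most often trips up an OPC UA server is the subjectAltName URI: the server compares it with the ApplicationUri the client sends in CreateSession and rejects the certificate on a mismatch, independently of whether the certificate is in the trusted store. The Go program below is an added example, not Telegraf's own certificate generator and not code from this thread. It produces a self-signed certificate with the same extensions as the ssl.conf above and then checks it for what a server verifies before a SignAndEncrypt session (URI, key usages, validity period). The ApplicationURI `urn:example.org:telegraf:opcua-client`, the organisation and the IP address are placeholders; replace them with the ApplicationUri your client actually presents and the address of the Telegraf host.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"net"
	"net/url"
	"os"
	"time"
)

// CertSpec describes the application instance certificate to create. ApplicationURI
// becomes the subjectAltName URI entry and must equal the ApplicationUri the client
// sends in CreateSession; otherwise the server answers Bad_CertificateUriInvalid.
type CertSpec struct {
	ApplicationURI, CommonName, Organization string
	IPs                                      []net.IP
	Validity                                 time.Duration
}

// GenerateClientCert builds a self-signed RSA-2048/SHA-256 certificate with the
// extension set of the ssl.conf above (CA:FALSE; keyUsage digitalSignature,
// nonRepudiation, keyEncipherment, dataEncipherment, keyCertSign; EKU serverAuth
// and clientAuth; SAN URI plus IP) and returns the PEM-encoded cert and key.
func GenerateClientCert(spec CertSpec) (certPEM, keyPEM []byte, err error) {
	uri, err := url.Parse(spec.ApplicationURI)
	if err != nil || uri.Scheme == "" {
		return nil, nil, fmt.Errorf("ApplicationURI %q is not an absolute URI", spec.ApplicationURI)
	}
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, err
	}
	serial, _ := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 127))
	now := time.Now()
	tmpl := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               pkix.Name{CommonName: spec.CommonName, Organization: []string{spec.Organization}},
		NotBefore:             now.Add(-time.Hour), // tolerate clock skew on the PLC or gateway
		NotAfter:              now.Add(spec.Validity),
		BasicConstraintsValid: true, // with IsCA left false this emits basicConstraints=CA:FALSE
		// KeyUsageContentCommitment is Go's name for nonRepudiation.
		KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageContentCommitment |
			x509.KeyUsageKeyEncipherment | x509.KeyUsageDataEncipherment | x509.KeyUsageCertSign,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
		URIs:        []*url.URL{uri},
		IPAddresses: spec.IPs,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	certPEM = pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
	keyPEM = pem.EncodeToMemory(&pem.Block{Type: "RSA PRIVATE KEY", Bytes: x509.MarshalPKCS1PrivateKey(key)})
	return certPEM, keyPEM, nil
}

// CheckClientCert returns nil only if certPEM carries what an OPC UA server inspects
// before accepting a SignAndEncrypt session: the expected ApplicationUri in the SAN,
// signing plus key-encipherment usages, and a validity period that covers now.
func CheckClientCert(certPEM []byte, wantURI string) error {
	block, _ := pem.Decode(certPEM)
	if block == nil || block.Type != "CERTIFICATE" {
		return errors.New("no PEM CERTIFICATE block found")
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return err
	}
	if len(cert.URIs) == 0 || cert.URIs[0].String() != wantURI {
		return fmt.Errorf("SAN URIs %v do not match ApplicationUri %q", cert.URIs, wantURI)
	}
	if need := x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment; cert.KeyUsage&need != need {
		return errors.New("keyUsage lacks digitalSignature and/or keyEncipherment")
	}
	if now := time.Now(); now.Before(cert.NotBefore) || now.After(cert.NotAfter) {
		return errors.New("certificate is outside its validity period")
	}
	return nil
}

func main() {
	// Placeholder values; set ApplicationURI to the ApplicationUri your client really presents.
	spec := CertSpec{ApplicationURI: "urn:example.org:telegraf:opcua-client", CommonName: "telegraf",
		Organization: "Example Org", IPs: []net.IP{net.ParseIP("192.0.2.10")}, Validity: 365 * 24 * time.Hour}
	certPEM, keyPEM, err := GenerateClientCert(spec)
	if err == nil {
		err = CheckClientCert(certPEM, spec.ApplicationURI)
	}
	if err == nil { // these are the files Telegraf's certificate and private_key options point at
		err = os.WriteFile("cert.pem", certPEM, 0o644)
	}
	if err == nil {
		err = os.WriteFile("key.pem", keyPEM, 0o600)
	}
	if err != nil {
		panic(err)
	}
}
```

CheckClientCert is also useful on a certificate you made with the OpenSSL recipe: feed it the cert.pem and the ApplicationUri you expect, and a mismatch shows up before the server files the certificate under "rejected".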


Thanks for the help, Jay; the solution worked perfectly.

No worries at all @blharvey. I am glad it's up and running :slight_smile:

I have followed the instructions you gave but it doesn’t seem to work with my Beckhoff PLC.
The Beckhoff people told me I needed to also install the server certificate on my client, which I did, but I still get the same error over and over, with Telegraf answering:
E! [inputs.opcua] Error in plugin: error in Client Connection: EOF
and my certificate reappearing in the rejected folder even though it already exists in the ‘trusted’ folder.

Has anyone ever successfully used Telegraf with the OPC UA server of TwinCAT 3.1?

Hi @Timur,
Welcome to the community! Can you provide your Telegraf config? :slight_smile:

Hello @Jay_Clifford
Here it is:

  [[inputs.opcua]]
  name = "opcua"
  endpoint = "opc.tcp://<MyPLC_IP>:4840"
  certificate = "/home/<my_user>/OPC_UA/cert.pem"
  private_key = "/home/<my_user>/OPC_UA/key.pem"

With these settings (None, None, Anonymous) I am able to connect with UaExpert from a different Windows machine, so I believe the server is properly configured. Can it be that I am failing at installing the certificate from the PLC?

Here is how I installed the certificate from the PLC.
I got Beckhoff_OpcUaServer.der from TwinCAT/Functions/TF6100-OPC-UA/Win32/Server/PKI/CA/own/certs and copied it to my Linux client machine. Then I ran:

sudo apt-get install -y ca-certificates
sudo openssl x509 -inform der -outform pem -in Beckhoff_OpcUaServer.der -out Beckhoff_OpcUaServer.crt
sudo cp Beckhoff_OpcUaServer.crt /usr/local/share/ca-certificates
sudo update-ca-certificates

Or have I done something wrong with the subjectAltName field of ssl.conf? (I only changed the IP address.)

I have tried connecting to my OPC UA server using UaExpert from the same computer where Telegraf is installed. I could connect with None/None/Anonymous (and other endpoints as well) and install the certificate from the OPC UA server. Still no success with Telegraf.


I can't get this to work on the KEPServerEX OPC UA server. I keep getting the errors below, even though I used an empty path for the cert and key parameters:
xiaoan@ubuntuserver:/etc/telegraf$ sudo telegraf --config /etc/telegraf/opcua_telegraf.conf
2022-04-15T16:38:15Z I! Starting Telegraf 1.22.1
2022-04-15T16:38:15Z I! Loaded inputs: opcua
2022-04-15T16:38:15Z I! Loaded aggregators:
2022-04-15T16:38:15Z I! Loaded processors:
2022-04-15T16:38:15Z I! Loaded outputs: influxdb_v2
2022-04-15T16:38:15Z I! Tags enabled: host=ubuntuserver
2022-04-15T16:38:15Z I! [agent] Config: Interval:10s, Quiet:false, Hostname:"ubuntuserver", Flush Interval:10s
2022-04-15T16:38:15Z E! [telegraf] Error running agent: could not initialize input inputs.opcua: error validating input: server does not support an endpoint with security : Profile Reporting Links , MessageSecurityModeSignAndEncrypt

Hi @Timur,
Extremely sorry for the late reply to this one. Sometimes notifications are lost to the abyss. When setting both:


This expects that no certificates are in effect. If this is the case, however, then Telegraf should be free to connect directly to the PLC's OPC UA server without a certificate check. Do you have the logs Telegraf is generating against this?

Hi @foreignmouse,
Welcome to the community! Can you send me your Telegraf config as well? The error is interesting, as it's saying your OPC UA server does not support the security mode "SignAndEncrypt". Are you sure your OPC UA server is configured to support this mode of connection?


Hi Jay, yes, I'm pretty sure I set up the KEPServerEX OPC UA server in Sign and Encrypt mode (as well as disabling anonymous login). Under this mode, in the opcua input plugin, I left security_policy as "auto" and security_mode as "auto". If I set the parameter auth_method = "Certificate", it would never really connect to the remote OPC UA server; however, if I set auth_method = "UserName", the Telegraf plugin can communicate with the OPC UA server, and once I approve the Telegraf certificate in the trusted client list it works. I'm not sure I set the plugin parameters correctly. KEPServerEX OPC UA requires exchanging certs between the OPC UA server and its clients; this can only be done one way with Telegraf, as I can't make Telegraf trust the KEPServerEX OPC UA server's cert in advance before communicating.

This process works perfectly between the KEPServerEX OPC UA client and server suite.