Skip to content

Connecting To Kepware OPCUA Server

Fuuz Wiki Import edited this page Jun 7, 2026 · 2 revisions

Connecting To Kepware OPCUA Server

Article Type: How-To Audience: Developers, App Admins Module: How To

This guide walks through enabling the OPC UA server in Kepware and connecting to it from the Edge Gateway using the OPCUA Client driver, including common troubleshooting steps for certificates and OpenSSL.

Connector type: Physical device connector — requires the OPCUA Client device driver and is added as a device connection on the Edge Gateway.

1. Configuring Kepware

Enable OPC UA for a Project

  1. In the configuration application, go to the Project pane and right-click the project you wish to enable OPC UA on.
  2. Select Properties.
  3. Under Property Groups, select OPC UA.
  4. On the right side, change the Enable property to true.

Configuration Application showing the projects pane

Property editor showing OPC UA

OPC UA Configuration App

  1. Open the Kepware Administration application by right-clicking the Kepware icon in the system tray.
  2. Select OPC UA Configuration.
  3. This opens the OPC UA Configuration Manager, where you can:
    • Enable/disable endpoints
    • Configure security policies
    • Configure port numbers
    • Trust client certificates

Kepware icon in system tray

Kepware OPC UA Configuration Manager

2. Configuring the Edge Gateway

  1. Install the Edge Gateway.
  2. Select the Plugins tab on the left side of the Edge Gateway.
  3. Select the OPCUA Client driver.
  4. Press the download button.
  5. Create and configure a new device.

Plugins tab

OPCUA Client driver download

3. Troubleshooting

OPCUA device won't show up in the gateway admin site on the local server and keeps throwing a redux error

OpenSSL is required for the OPCUA device to generate certificates. Even if the OPC UA server is configured to have no security, the gateway device will still need to generate certificates to act as its identity when talking to the server.

The gateway attempts to download OpenSSL at the time of device creation. If that download is blocked, the gateway will get hung up when trying to first initialize the device, as it has no way to create the certificates it uses to identify itself to the OPC UA server.

If you have an empty OpenSSL folder after attempting to create an OPCUA Client device, you will need to download the OpenSSL files and place them in the Edge Gateway installation folder, e.g. C:\Program Files\Fuuz Edge Gateway\OpenSSL.

The files can be downloaded at https://indy.fulgan.com/SSL/openssl-1.0.2t-x64_86-win64.zip.

A populated OpenSSL folder

Expired Certificates

OPC UA uses certificates as a means for clients and the server to state their identity to each other.

The OPCUA Edge Gateway driver will automatically generate its own identity certificate as well as pull Kepware's identity certificate. By default these are all stored at C:\Fuuz Edge Gateway\opcua\<deviceId>\. This location can be changed in the device settings if you do not have access to write files to the default location.

Device certificates folder

Kepware Certificate

You can view the expiration date of the Kepware certificate in the OPC UA Configuration Manager by going to the Instance Certificates tab and clicking View server certificate…. From this tab you can Reissue a new certificate if your current certificate is expired.

This can have implications for connections that are using the old certificate.

When the Kepware certificate is reissued, you will need to delete the certificate out of the trusted folder in the device's certificates folder (path mentioned above). This causes the device to re-pull the certificate from the server in its device configuration.

If you delete the entire folder, and not just the trusted folder inside of it, the device will recreate the folder, pull the certificate from the server, and reissue new certificates for itself. This requires that trust be re-granted to the device in Kepware.

Fuuz Device Certificate

To view the device certificates, you will need to use a tool like OpenSSL to decode the x509 PEM data in either the default or the overridden location for the device certificates. Running the command below in the folder of the certificate displays all of the certificate data:

openssl x509 -in name_of_cert.pem -noout -text

To generate new certificates for the device, delete the own folder out of the device's certificate folder. This forces the device to generate new certificates for itself and send them to the server. Because these are new certificates from the device, Kepware will see this as a new device, and you will need to re-grant trust in the OPC UA Configuration Manager on the Trusted Clients tab.

Note: By default, Kepware certificates have a lifetime of 3 years.

See Also


Source: support.fuuz.com

🏠 Home

Getting Started (14)
Training Guides (52)

Applications

Access & Users

Data Models & Schema

Screens

Weather Lookup Series — guided 3-part build

Data Flows & Integrations

Data, Reporting & Monitoring

Enterprise & Organizations

Platform Concepts & Architecture (10)
Screens & Application Design (17)
Data Models & Schema (8)
Data Flows & Scripting (51)

Designing Flows

Data Flow Nodes

JSONata Reference

Scripting

Integrations & Connectors (30)

General & iPaaS

Plex

EDI

IIoT & Edge Gateway (18)

Physical Device Connectors

Edge Data Connectors

Reporting, Documents & Dashboards (8)
Administration & Access Control (27)
Data Management (8)
Accelerators, Templates & Packages (8)
Design Standards (1)
How-To Guides (8)
FAQ & Troubleshooting (1)
Release Notes (117)

2026

2025

2024

2023

2022

2021

2020

Policies & Company (6)

Clone this wiki locally