OPC UA connector fails to collect quality signals from PLC after firmware upgrade

We’re experiencing a critical issue with our OPC UA connector after a recent PLC firmware upgrade (Siemens S7-1500 to v2.9.3). The connector was working perfectly for automated quality checks, but now fails with Bad_NoCommunication errors when trying to read quality inspection signals.

The error appears specifically on the quality measurement nodes:


StatusCode: Bad_NoCommunication
Endpoint: opc.tcp://plc-quality-01:4840
Node: ns=3;s="Quality.InspectionResult"

Our certificate trust configuration hasn’t changed, and the OPC UA endpoint security policy is set to SignAndEncrypt. The PLC vendor mentioned changes to certificate handling in the new firmware, but we’re not sure how to reconfigure the connector to accommodate this.

This is blocking our entire quality workflow - we can’t automatically record inspection results anymore. Has anyone dealt with OPC UA certificate issues after PLC firmware updates? What’s the proper way to verify certificate trust and security policy compatibility?

Don’t forget to verify the security policy compatibility after importing the certificate. The new Siemens firmware might have changed the supported security policies. Check the PLC’s OPC UA server configuration to see which policies are enabled - you might need to adjust from SignAndEncrypt to Basic256Sha256 or Aes128Sha256RsaOaep depending on what the firmware supports now.

Adding to the previous responses - I had the exact same issue with Siemens v2.9.x firmware updates last quarter. Here’s the complete resolution process that addresses all three aspects of your problem:

1. OPC UA Endpoint Security Policy Alignment: The v2.9.3 firmware defaults to Basic256Sha256 security policy and disables older policies. You need to verify your Smart Factory connector is configured to match:


<SecurityPolicy>Basic256Sha256</SecurityPolicy>
<MessageSecurityMode>SignAndEncrypt</MessageSecurityMode>

Update your OPC UA connection configuration file (usually in config/opcua/connections/) to explicitly set Basic256Sha256.

2. PLC Firmware Compatibility - Certificate Regeneration: As others mentioned, the firmware upgrade regenerated the PLC’s application certificate. Export the new certificate from TIA Portal:

  • Navigate to PLC Properties > OPC UA Server > Server Interfaces
  • Export the application certificate (save as .der file)
  • Import into Smart Factory: System Configuration > OPC UA Connector > Trusted Certificates
  • Click “Import Certificate” and select the exported .der file

3. Certificate Trust Configuration - Complete Chain: This is the part most people miss - you need bidirectional trust. The PLC also needs to trust Smart Factory’s client certificate:

  • Export Smart Factory’s OPC UA client certificate from Certificate Management
  • Import it into the PLC’s trusted certificates list via TIA Portal
  • Under OPC UA Server security settings, ensure “Reject untrusted certificates” is properly configured

After completing all three steps, restart both the OPC UA connector service and the PLC’s OPC UA server. Test the connection with a simple read operation before enabling the full quality signal collection.

The Bad_NoCommunication error should resolve once the bidirectional certificate trust is established and the security policy matches. If you still see issues, enable detailed logging in the OPC UA connector (set log level to DEBUG) to see exactly which part of the handshake is failing.

One final tip: document your security policy and certificate configuration in a change management system. Firmware upgrades will continue to happen, and having this documented will save hours of troubleshooting next time.
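The three checks from the answer above (policy/mode alignment, connector trusts the PLC certificate, PLC trusts the connector certificate) can be run as an offline preflight before restarting services. This is an added example, not code from the thread or from either vendor. The `<Connection>` wrapper element, the endpoint dictionary shape, and the placeholder certificate bytes are assumptions; in practice you would load the exported .der files and the endpoint list your OPC UA client reports.

```python
import hashlib
import xml.etree.ElementTree as ET

POLICY_URI = "http://opcfoundation.org/UA/SecurityPolicy#"

def thumbprint(der: bytes) -> str:
    """OPC UA identifies a certificate by the SHA-1 digest of its DER encoding."""
    return hashlib.sha1(der).hexdigest()

def preflight(config_xml, endpoints, server_cert, client_cert,
              connector_trusted, plc_trusted):
    """Return a list of findings; an empty list means all three checks pass."""
    root = ET.fromstring(config_xml)
    policy = root.findtext("SecurityPolicy")
    mode = root.findtext("MessageSecurityMode")
    findings = []
    # 1. The configured policy/mode pair must be one the server still offers.
    offered = {(e["policy"].removeprefix(POLICY_URI), e["mode"]) for e in endpoints}
    if (policy, mode) not in offered:
        findings.append(f"policy mismatch: {policy}/{mode} not in {sorted(offered)}")
    # 2. The connector must trust the certificate the PLC presents now.
    if thumbprint(server_cert) not in connector_trusted:
        findings.append("connector does not trust current PLC certificate")
    # 3. The PLC must trust the connector's client certificate.
    if thumbprint(client_cert) not in plc_trusted:
        findings.append("PLC does not trust connector client certificate")
    return findings

# Constructed sample data: the root element and certificate bytes are placeholders.
CONFIG = """<Connection>
  <SecurityPolicy>Basic256Sha256</SecurityPolicy>
  <MessageSecurityMode>SignAndEncrypt</MessageSecurityMode>
</Connection>"""
ENDPOINTS = [{"policy": POLICY_URI + "Basic256Sha256", "mode": "SignAndEncrypt"}]
OLD_PLC_CERT = b"constructed-der-before-upgrade"
NEW_PLC_CERT = b"constructed-der-after-upgrade"
CLIENT_CERT = b"constructed-der-connector-client"

def demo():
    # State right after the upgrade: stale PLC thumbprint, PLC trust list empty.
    stale = preflight(CONFIG, ENDPOINTS, NEW_PLC_CERT, CLIENT_CERT,
                      {thumbprint(OLD_PLC_CERT)}, set())
    # State after re-exporting and importing certificates in both directions.
    fixed = preflight(CONFIG, ENDPOINTS, NEW_PLC_CERT, CLIENT_CERT,
                      {thumbprint(NEW_PLC_CERT)}, {thumbprint(CLIENT_CERT)})
    return stale, fixed

if __name__ == "__main__":
    for label, result in zip(("after upgrade", "after re-trust"), demo()):
        print(label, result or "OK")
```

Comparing thumbprints before and after the upgrade also gives you the record of the certificate change to store alongside the change-management entry.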

The Siemens v2.9.3 firmware changed how it handles security policies. It now enforces stricter certificate validation and deprecated some older cipher suites. Your SignAndEncrypt policy is fine, but you need to verify the certificate chain is complete. Also check if your OPC UA connector supports the new security algorithms - older connector versions might not be compatible. What version of the OPC UA Connector module are you running?