Best practices for optimizing OPC UA security in a DeltaV system

Emerson recommends the following to make your OPC UA applications as secure as possible:

Use Certificate Signing Request (CSR) to request a CA-signed certificate from the Certification Authority (CA) rather than using .pfx files. This is a manual procedure.
Use Sign and Encrypt security mode.
Use Basic256Sha256 security policy.
Do not use Anonymous logon.
Only export certificates (do not export .pfx files).
If you are supporting .pfx files and CA signed certificates, use a local CA. This is a manual procedure.

Note

The DeltaV Explorer user interface does not provide a way to generate a CSR or import a CA-signed (*.der or *.cer) certificate in order to couple it with a private key. The DeltaV Explorer user interface does not provide a way to import a CA chain, CRLs or a CA-signed .pfx certificate.

Contact DeltaV Technical Support for more information.