Application certificate
=======================

OPC UA applications use Certificates to store the Public Keys needed for Asymmetric Cryptography operations. All Security Protocols use X.509 v3 Certificates (see X.509 v3) encoded using the DER format (see X690). The Server Certificate and Client Certificate are used in the abstract OpenSecureChannel service.

An OPC UA Application Instance certificate **must include a URI** in the SubjectAltNames along with host names. The Application URI is used when opening a secure channel and is checked to be present in the application certificate. Without it the certificate will be rejected.

Creating certificate with xlua
------------------------------

Create the script create_certificate_basic128rsa15.lua with the following content:

.. literalinclude:: examples/create_certificate_basic128rsa15.lua
   :language: lua

`Full source <_static/create_certificate_basic128rsa15.lua>`__

The following command executes the script, which prints out the private key and the self-signed certificate:

.. code-block:: bash

   xlua create_certificate_basic128rsa15.lua

Creating OpenSSL certificate
----------------------------

To create an SSL certificate you need to create a configuration file. The most interesting part is that SubjectAltNames contains a URI extension that specifies the Application URI, which is used by the client to check the remote application.

.. code-block:: ini

   [req]
   default_bits = 2048
   prompt = no
   default_md = sha256
   encrypt_key = no
   x509_extensions = v3_req
   distinguished_name = dn

   [dn]
   C = US
   ST = Washington
   L = NY
   O = RealTimeLogic
   emailAddress = example@email.com
   CN = localhost

   [v3_req]
   # Take every SAN entry from [alt_names] so the URI and the host name are both included
   subjectAltName = @alt_names

   [alt_names]
   # Application URI that is checked when the secure channel is opened
   URI.1 = urn:localhost:RealTimeLogic
   DNS.1 = localhost

The following command will generate an OPC UA Application Certificate that can be used with the basic128rsa15 security policy.

.. code-block:: bash

   openssl req -config basic128rsa15.conf -newkey rsa -x509 -days 365 -keyout basic128rsa15_server.key -out basic128rsa15_client.pem
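
Because a certificate without the Application URI in its SubjectAltName is rejected, it is worth checking a generated certificate before deploying it. The script below is an added example, not part of the original documentation: ``has_app_uri`` and ``make_sample_cert`` are hypothetical helper names, the sample certificate is constructed for the demonstration, and ``openssl`` is assumed to be on the PATH.

```bash
#!/bin/sh
# Added example: verify that a PEM certificate carries the OPC UA Application URI
# as an exact URI entry in its SubjectAltName extension.

# has_app_uri CERT_PEM APP_URI
# Returns 0 only if one SAN entry is exactly "URI:<APP_URI>" (no prefix matches).
has_app_uri() {
    cert=$1 uri=$2
    openssl x509 -in "$cert" -noout -text 2>/dev/null |
        awk '/X509v3 Subject Alternative Name/ { getline; print }' |
        tr ',' '\n' |
        sed 's/^[[:space:]]*//' |
        grep -Fxq "URI:$uri"
}

# make_sample_cert DIR SAN
# Writes a constructed, short-lived self-signed certificate to DIR/sample.pem
# whose subjectAltName is SAN (sample input for the check above).
make_sample_cert() {
    dir=$1 san=$2
    cat > "$dir/sample.conf" <<EOF
[req]
prompt = no
default_md = sha256
encrypt_key = no
x509_extensions = v3_req
distinguished_name = dn
[dn]
CN = localhost
[v3_req]
subjectAltName = $san
EOF
    openssl req -config "$dir/sample.conf" -newkey rsa:2048 -x509 -days 1 \
        -keyout "$dir/sample.key" -out "$dir/sample.pem" 2>/dev/null
}

# Demonstration on a constructed certificate
tmp=$(mktemp -d)
make_sample_cert "$tmp" "URI:urn:localhost:RealTimeLogic, DNS:localhost"
if has_app_uri "$tmp/sample.pem" "urn:localhost:RealTimeLogic"; then
    echo "Application URI present"
else
    echo "Application URI missing: the certificate would be rejected"
fi
rm -rf "$tmp"
```

The same function can be pointed at the certificate produced by the ``openssl req`` command above, passing the Application URI configured for the application.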