Application Certificate
=======================

OPC UA applications use certificates to store the public keys needed for asymmetric cryptography operations. All security protocols use X.509 v3 certificates (see X.509 v3) encoded using the DER format (see X690). The server certificate and the client certificate are used in the abstract OpenSecureChannel service.

.. note:: See the tutorial `An Introduction to Public Key Infrastructure `_ if you are new to X.509 certificate management.

The OPC UA Application Instance Certificate **must include the Application URI** in the SubjectAltName extension, along with a hostname. The Application URI is sent when a secure channel is opened and is checked against the application certificate; if the URI is absent from the certificate, the certificate is rejected.

Creating a certificate with xlua
--------------------------------

The following shows how to create a certificate programmatically:

.. literalinclude:: examples/create_certificate_basic128rsa15.lua
   :language: lua

`Full source <_static/create_certificate_basic128rsa15.lua>`__

The next command executes the script, which prints the private key and the self-signed certificate:

.. code-block:: bash

   xlua create_certificate_basic128rsa15.lua

Creating an OpenSSL certificate
-------------------------------

To create a certificate with OpenSSL, you first need a configuration file. What is specific to OPC UA certificates is that ``subjectAltName`` carries a URI entry holding the Application URI, which peers use to validate the application.

.. code-block:: ini

   [req]
   default_bits = 2048
   prompt = no
   default_md = sha256
   encrypt_key = no
   x509_extensions = v3_req
   distinguished_name = dn

   [dn]
   C = US
   ST = Washington
   L = NY
   O = RealTimeLogic
   emailAddress = example@email.com
   CN = localhost

   [v3_req]
   ; reference the alt_names section so that both the Application URI
   ; and the hostname end up in subjectAltName
   subjectAltName = @alt_names

   [alt_names]
   URI.1 = urn:localhost:RealTimeLogic
   DNS.1 = localhost

The following OpenSSL command will generate an OPC UA Application Certificate that can be used with the basic128rsa15 security policy.

.. code-block:: bash

   openssl req -config basic128rsa15.conf -newkey rsa -x509 -days 365 -keyout basic128rsa15_server.key -out basic128rsa15_client.pem
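The check a server performs on a peer certificate, as an added example that is not part of xlua or OpenSSL: a minimal DER walker over the ``subjectAltName`` value (the GeneralNames SEQUENCE) that extracts the URI and DNS entries and enforces the rule above, that the expected Application URI is present together with at least one hostname. The sample bytes are constructed inline to match the configuration on this page; the function names are assumptions.

```python
def _read_tlv(buf, pos):
    """Parse one DER TLV at buf[pos]; return (tag, value, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the count of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def parse_general_names(san_der):
    """Return {"URI": [...], "DNS": [...]} from a DER GeneralNames SEQUENCE."""
    tag, body, _ = _read_tlv(san_der, 0)
    if tag != 0x30:
        raise ValueError("subjectAltName value is not a SEQUENCE")
    names = {"URI": [], "DNS": []}
    pos = 0
    while pos < len(body):
        tag, value, pos = _read_tlv(body, pos)
        if tag == 0x86:  # [6] uniformResourceIdentifier, IA5String
            names["URI"].append(value.decode("ascii"))
        elif tag == 0x82:  # [2] dNSName, IA5String
            names["DNS"].append(value.decode("ascii"))
        # other GeneralName choices (email, IP address, ...) are ignored here
    return names


def check_application_uri(san_der, expected_uri):
    """Accept only if the SAN lists expected_uri and carries a hostname (assumed policy)."""
    names = parse_general_names(san_der)
    return expected_uri in names["URI"] and len(names["DNS"]) > 0


def _der(tag, value):
    """Encode one DER TLV; values here are under 128 bytes, so short-form length suffices."""
    assert len(value) < 128
    return bytes([tag, len(value)]) + value


# Constructed sample: the SAN produced by the OpenSSL config on this page.
SAMPLE_SAN = _der(0x30, _der(0x86, b"urn:localhost:RealTimeLogic") + _der(0x82, b"localhost"))
# Constructed sample: a SAN with only a hostname, i.e. the URI extension was forgotten.
SAMPLE_SAN_NO_URI = _der(0x30, _der(0x82, b"localhost"))

if __name__ == "__main__":
    print(parse_general_names(SAMPLE_SAN))
    print(check_application_uri(SAMPLE_SAN, "urn:localhost:RealTimeLogic"))  # True
    print(check_application_uri(SAMPLE_SAN_NO_URI, "urn:localhost:RealTimeLogic"))  # False
```

The raw extension value can be taken from any DER parser that exposes the OCTET STRING contents of OID 2.5.29.17; the check itself is independent of how the certificate was produced.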