Application Certificate
OPC UA applications use certificates to store the public keys needed for asymmetric cryptography. All security policies use X.509 v3 certificates (see X.509 v3) encoded in DER (see X.690). The server certificate and client certificate are the ones exchanged in the abstract OpenSecureChannel service.
Note
See the tutorial An Introduction to Public Key Infrastructure if you are new to X.509 certificate management.
The OPC UA Application Instance Certificate must carry the Application URI as a URI entry in the subjectAltName extension, alongside the hostname (a DNS or IP entry). The Application URI is checked when a secure channel is opened: the peer compares the URI the application announces with the URI entry in its certificate. If the certificate has no matching URI entry, it is rejected.
Creating certificate with xlua
The following shows how to create a certificate programmatically (save it as create_certificate_basic128rsa15.lua):

-- Load the OPC UA API and describe this application instance
local ua = require("opcua.api")
local hostname = "localhost"
local applicationUri = "urn:localhost:RealTimeLogic"

-- Generate an RSA key pair and a self-signed certificate whose
-- subjectAltName carries both the hostname and the Application URI
print("generating private key and self-signed certificate")
local basic128rsa15Cert, basic128rsa15Key = ua.Init.genServerCertificate(hostname, applicationUri)

-- Both are returned as PEM text
print(basic128rsa15Key)
print(basic128rsa15Cert)
Running the script with xlua prints the private key followed by the self-signed certificate:
xlua create_certificate_basic128rsa15.lua
Creating OpenSSL certificate
To create the certificate with OpenSSL, first write a configuration file. What sets an OPC UA certificate apart from an ordinary TLS certificate is that subjectAltName carries a URI entry holding the Application URI, which peers use to validate the application they are talking to. The hostname goes in as a DNS entry next to it, so both names are listed under one alt_names section:

[req]
default_bits = 2048
prompt = no
default_md = sha256
encrypt_key = no
x509_extensions = v3_req
distinguished_name = dn

[dn]
C = US
ST = Washington
L = NY
O = RealTimeLogic
emailAddress = example@email.com
CN = localhost

[v3_req]
subjectAltName = @alt_names

[alt_names]
URI.1 = urn:localhost:RealTimeLogic
DNS.1 = localhost
The following OpenSSL command generates a self-signed OPC UA Application Certificate (basic128rsa15_server.pem) and its private key (basic128rsa15_server.key) that can be used with the basic128rsa15 security policy. Because the key is 2048-bit RSA and the signature uses SHA-256, the same certificate also works with the Basic256Sha256 policy, which is worth noting since Basic128Rsa15 is deprecated in current versions of the OPC UA specification. Some OPC UA stacks additionally insist on the keyUsage and extendedKeyUsage extensions described in OPC UA Part 6 (digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment; serverAuth and clientAuth); add them to the [v3_req] section if a peer rejects the certificate.

openssl req -config basic128rsa15.conf -newkey rsa:2048 -x509 -days 365 -keyout basic128rsa15_server.key -out basic128rsa15_server.pem
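The script below is an added example, not code from this page or from the RealTimeLogic xlua project. It ties the OpenSSL procedure above together: it writes the configuration, generates the key and self-signed certificate, converts the certificate to the DER form OPC UA trust lists expect, and then performs the subjectAltName check an OPC UA peer applies, so a certificate missing the Application URI is caught before it is deployed. It assumes the openssl command line tool is on PATH; the output directory, the file names (server.key, server.pem, server.der) and the function names are this example's own choices, and the keyUsage/extendedKeyUsage lines follow OPC UA Part 6 rather than the page's minimal configuration.

```shell
#!/bin/sh
# Added example, not part of the original page or the xlua project.
# Assumed: openssl on PATH; file and function names are this script's own.
set -e

# Write an OpenSSL request config. Both the Application URI and the hostname
# go into subjectAltName via the alt_names section.
write_opcua_conf() {
    conf="$1" hostname="$2" app_uri="$3"
    cat > "$conf" <<EOF
[req]
default_bits = 2048
prompt = no
default_md = sha256
encrypt_key = no
x509_extensions = v3_req
distinguished_name = dn

[dn]
C = US
O = RealTimeLogic
CN = $hostname

[v3_req]
subjectAltName = @alt_names
# Key usages listed for Application Instance Certificates in OPC UA Part 6;
# keyCertSign is included because the certificate is self-signed.
keyUsage = critical, digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment, keyCertSign
extendedKeyUsage = serverAuth, clientAuth

[alt_names]
URI.1 = $app_uri
DNS.1 = $hostname
EOF
}

# Generate key + self-signed PEM certificate, then also emit the DER encoding.
# Usage: gen_opcua_cert <outdir> <hostname> <application-uri>
gen_opcua_cert() {
    outdir="$1" hostname="$2" app_uri="$3"
    mkdir -p "$outdir"
    write_opcua_conf "$outdir/opcua.conf" "$hostname" "$app_uri"
    openssl req -config "$outdir/opcua.conf" -newkey rsa:2048 -x509 -days 365 \
        -keyout "$outdir/server.key" -out "$outdir/server.pem" 2>/dev/null
    openssl x509 -in "$outdir/server.pem" -outform DER -out "$outdir/server.der"
}

# The check an OPC UA peer performs: the announced Application URI must appear
# as a URI entry in subjectAltName, and the hostname as a DNS entry.
# Returns 0 when both are present, 1 otherwise.
check_opcua_san() {
    cert="$1" app_uri="$2" hostname="$3"
    san=$(openssl x509 -in "$cert" -noout -text | grep -A1 'Subject Alternative Name' | tail -n 1)
    case "$san" in
        *"URI:$app_uri"*) ;;
        *) echo "rejecting $cert: no URI:$app_uri in subjectAltName" >&2; return 1 ;;
    esac
    case "$san" in
        *"DNS:$hostname"*) ;;
        *) echo "rejecting $cert: no DNS:$hostname in subjectAltName" >&2; return 1 ;;
    esac
    return 0
}

# A DER certificate starts with 0x30 (ASN.1 SEQUENCE); PEM starts with '-----'.
is_der() {
    [ "$(od -An -tx1 -N1 "$1" | tr -d ' \n')" = "30" ]
}

# Run directly: sh make_opcua_cert.sh <outdir> <hostname> <application-uri>
if [ $# -eq 3 ]; then
    gen_opcua_cert "$1" "$2" "$3"
    check_opcua_san "$1/server.pem" "$3" "$2" && is_der "$1/server.der" \
        && echo "certificate ok: $1/server.pem (DER copy: $1/server.der)"
fi
```

Point the xlua server at server.pem and server.key as before; the DER copy is what goes into a client's trusted-certificates directory. Running check_opcua_san with a URI other than the one the certificate was issued for reproduces the rejection described above, which is the quickest way to confirm that the URI, not just the hostname, is what peers match on.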