Application certificate

OPC UA applications use Certificates to store the Public Keys needed for Asymmetric Cryptography operations. All Security Protocols use X.509 v3 Certificates (see X.509 v3) encoded using the DER format (see X690). The Server Certificate and Client Certificate are used in the abstract OpenSecureChannel service.

An OPC UA Application Instance Certificate must include the Application URI as a URI entry in the SubjectAltName extension, alongside the host names. During OpenSecureChannel the peer compares the ApplicationUri sent in the request with the URI carried in the certificate; if the certificate contains no matching URI it is rejected.

Creating certificate with xlua

Create a script create_certificate_basic128rsa15.lua with the following content:

local hostname = "localhost"
local applicationUri = "urn:localhost:RealTimeLogic"
local applicationName = "Realtimelogic OPCUA"

-- 'compat' is the xlua certificate helper module; if it is not a global in
-- your build, add the matching require before this point
-- Key parameters: RSA, 2048 bits (the smallest size the policy accepts is 1024)
local basic128rsa15Config = {
     bits=2048 -- Min size 1024
}

print("generating private key")
local basic128rsa15Key = compat.create.key(basic128rsa15Config)

-- Subject DN and SubjectAltName: the Application URI must appear as a URI
-- entry next to the host name, otherwise peers reject the certificate
local basic128rsa15Dn = {commonname = hostname}
local alternativeNames = hostname..";URI:"..applicationUri
local certtype = {"SSL_CLIENT", "SSL_SERVER"}
-- Key usages OPC UA requires on an application instance certificate; the
-- identifier names below are assumed, check them against the xlua API
local keyusage = {"DIGITAL_SIGNATURE", "NON_REPUDIATION", "KEY_ENCIPHERMENT", "DATA_ENCIPHERMENT"}

print("creating Certificate Signing Request")
local hashid = "sha256"
local basic128rsa15Csr = compat.create.csr(basic128rsa15Key, basic128rsa15Dn, alternativeNames, certtype, keyusage, hashid)

-- Validity: starts yesterday (tolerates clock skew between peers) and lasts ten years
local validFrom=compat.datetime("NOW")
validFrom = validFrom - {days=1}
validFrom = validFrom:date(true)

local validTo=compat.datetime("NOW")
validTo = validTo + {days=3650}
validTo = validTo:date(true)
local serial = 123456

print("Creating self-signed certificate")
local basic128rsa15Cert = compat.create.certificate(basic128rsa15Csr, basic128rsa15Key, validFrom, validTo, serial)

-- Print the generated key and certificate (assumed to be returned as PEM strings)
print(basic128rsa15Key)
print(basic128rsa15Cert)


Full source

The following command runs the script, which prints the private key and the self-signed certificate:

xlua create_certificate_basic128rsa15.lua

Creating OpenSSL certificate

To create the certificate with OpenSSL you first need a configuration file. The important part is the subjectAltName extension: it must carry the Application URI as a URI entry, because the remote application compares it with the ApplicationUri presented during OpenSecureChannel.

# basic128rsa15.conf - request settings; section names are the standard OpenSSL ones
[ req ]
default_bits = 2048
prompt = no
default_md = sha256
encrypt_key = no
x509_extensions = v3_req
distinguished_name = dn

# Subject DN (emailAddress is optional and left out)
[ dn ]
C = US
ST = Washington
L = NY
O = RealTimeLogic
CN = localhost

# Extensions: the Application URI and the host name both go into subjectAltName
[ v3_req ]
subjectAltName = @alt_names

[ alt_names ]
URI.1 = urn:localhost:RealTimeLogic
DNS.1 = localhost

The following command generates an OPC UA Application Certificate that can be used with the basic128rsa15 security policy.

openssl req -config basic128rsa15.conf -newkey rsa -x509 -days 365 -keyout basic128rsa15_server.key -out basic128rsa15_client.pem
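The script below is an added example, not part of the original page or of the RealTimeLogic tooling. It writes an OpenSSL configuration equivalent to the one above, generates the certificate with the same openssl req command, converts it to the DER form OPC UA stacks load, and then performs the two checks a peer applies before accepting the certificate: that the expected Application URI is present in subjectAltName (the rejection case described at the top of the page) and that the four key usages OPC UA mandates are set. The key usage and extended key usage lines in the generated config are additions over the page's config; the work directory, file names and the check functions are this example's own.

```shell
#!/bin/sh
# Added example (not from the original page): build the basic128rsa15
# application certificate and verify what an OPC UA peer checks on it.
set -eu

WORK="${WORK:-$(mktemp -d)}"             # scratch directory (assumption: mktemp is available)
APP_URI="urn:localhost:RealTimeLogic"    # must equal the ApplicationUri the application sends
HOST="localhost"

# Write the request config; values mirror the page, keyUsage/extendedKeyUsage are added
write_config() {
  cat > "$WORK/basic128rsa15.conf" <<EOF
[ req ]
default_bits       = 2048
prompt             = no
default_md         = sha256
encrypt_key        = no
x509_extensions    = v3_req
distinguished_name = dn

[ dn ]
C  = US
ST = Washington
L  = NY
O  = RealTimeLogic
CN = $HOST

[ v3_req ]
# OPC UA Part 6 requires these key usages on application instance certificates
keyUsage         = critical, digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectAltName   = @alt_names

[ alt_names ]
URI.1 = $APP_URI
DNS.1 = $HOST
EOF
}

# Self-signed certificate (PEM, as on the page) plus the DER copy OPC UA stacks expect
generate_cert() {
  write_config
  openssl req -config "$WORK/basic128rsa15.conf" -newkey rsa -x509 -days 365 \
      -keyout "$WORK/basic128rsa15.key" -out "$WORK/basic128rsa15.pem" 2>/dev/null
  openssl x509 -in "$WORK/basic128rsa15.pem" -outform DER -out "$WORK/basic128rsa15.der"
}

# Prints "ok" when the certificate's subjectAltName carries the given URI,
# "missing" otherwise; a missing URI is why a peer rejects the certificate.
check_app_uri() {
  cert="$1"; uri="$2"
  if openssl x509 -in "$cert" -noout -text | grep -q "URI:$uri"; then
    echo ok
  else
    echo missing
  fi
}

# Prints "ok" when all four OPC UA-mandated key usages are present, else "missing".
check_key_usage() {
  ku=$(openssl x509 -in "$1" -noout -text | grep -A1 'X509v3 Key Usage' | tail -n1)
  for want in "Digital Signature" "Non Repudiation" "Key Encipherment" "Data Encipherment"; do
    echo "$ku" | grep -q "$want" || { echo missing; return 0; }
  done
  echo ok
}

# Run when executed directly
generate_cert
echo "application uri: $(check_app_uri "$WORK/basic128rsa15.pem" "$APP_URI")"
echo "key usage:       $(check_key_usage "$WORK/basic128rsa15.pem")"
echo "DER certificate: $WORK/basic128rsa15.der"
```

Running the check against a certificate made from the page's config without the keyUsage line reports "missing" for key usage while the URI check still passes, which is the kind of mismatch that only shows up when a stricter peer rejects the certificate.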