10:53, EET
January 26, 2024
I’ve generated a certificate using openssl:
openssl req -newkey rsa:2048 -new -nodes -x509 -days 3650 -keyout SAP_2048.pem -out SAP_2048.der -addext "extendedKeyUsage = clientAuth" -addext "subjectAltName = URI:urn:trafikforvaltningen:SAP"
But get java.io.IOException: toDerInputStream rejects tag type 45 when starting the server.
If I add
-addext "keyUsage = digitalSignature,nonRepudiation"
it works, but our organisation's CA doesn't want to generate it with these keys as it would give the system the possibility to access other systems.
Is there a way to get it to work without digitalSignature,nonRepudiation by adding something in our code or config?
11:56, EET
April 3, 2012
Are you making an ApplicationInstanceCertificate or a user-authentication certificate? You mention “starting the server” so most likely ApplicationInstanceCertificate (though you mention ‘clientAuth’, but one would use ‘serverAuth’ for server so it is a bit confusing, or well the spec says it should also include ‘clientAuth’, but the ‘serverAuth’ is mandatory).
I’m going to assume ApplicationInstanceCertificate, as user-auth via certs is very rare.
In short, the certificate without the flags would be kinda useless. Note that you need more than those 2 for it to be a proper OPC UA ApplicationInstanceCertificate. Please see https://reference.opcfoundation.org/Core/Part6/v105/docs/6.2.2. “For RSA keys, the keyUsage shall include digitalSignature, nonRepudiation, keyEncipherment and dataEncipherment”. Then from https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.3
“The digitalSignature bit is asserted when the subject public key is used for verifying digital signatures …”
“The keyEncipherment bit is asserted when the subject public key is used for enciphering private or secret keys, i.e., for key transport. For example, this bit shall be set when an RSA public key is to be used for encrypting a symmetric content-decryption key or an asymmetric private key.”
For nonRepudiation see
https://stackoverflow.com/questions/3468127/x509-whats-the-difference-between-digital-signature-and-non-repudiation
and finally
“The dataEncipherment bit is asserted when the subject public key is used for directly enciphering raw user data without the use of an intermediate symmetric cipher.”
Without the flags, it would not be possible to do what OPC UA needs the cert for. It is used to sign and encrypt the OpenSecureChannel message exchange and forming a temporary symmetric key for the rest of the messages.
In general (at least OPC UA wise) the whole point of using CA-signed certs is that one doesn’t need to individually trust each application's certificate (that normally would be a self-signed one). You would typically have like one CA (cert) per factory floor (or equivalent), use that to sign all certs of clients and servers and then have them trust that CA.
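As an added example, not the asker's command and not Prosys or OPC Foundation code, the script below does two things: it generates a self-signed certificate that carries the four keyUsage bits and the serverAuth/clientAuth purposes the answer quotes from Part 6 section 6.2.2, and it checks an existing certificate for them so that a missing bit shows up before the server is started. It assumes openssl 1.1.1 or newer on PATH (for -addext); the function names, the CN "example-app" and the URI urn:example:app are made up. One detail worth knowing when reading the asker's command: openssl req -x509 writes PEM whatever the output file is called, so a file named SAP_2048.der produced that way is still PEM; the example writes the DER copy with an explicit -outform DER conversion.

```shell
#!/bin/sh
# Added example (not from the forum thread, the Prosys SDK or OPC Foundation):
# build a self-signed OPC UA ApplicationInstanceCertificate with the keyUsage
# bits Part 6 section 6.2.2 requires for RSA keys, and check a certificate for
# them. Assumes openssl >= 1.1.1 (for -addext). Function names and sample
# values (example-app, urn:example:app) are made up for this example.
set -eu

# make_ua_cert URI CERT.pem KEY.pem
# Writes a PEM certificate plus a DER copy next to it (CERT.der). openssl req
# -x509 always emits PEM, so the DER file comes from an explicit conversion.
make_ua_cert() {
  uri=$1; crt=$2; key=$3
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
    -subj "/CN=example-app" \
    -addext "keyUsage = digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment" \
    -addext "extendedKeyUsage = serverAuth,clientAuth" \
    -addext "subjectAltName = URI:$uri,DNS:localhost" \
    -keyout "$key" -out "$crt" >/dev/null 2>&1
  openssl x509 -in "$crt" -outform DER -out "${crt%.pem}.der"
}

# check_ua_keyusage CERT.pem
# Returns 0 when every keyUsage bit and both extendedKeyUsage purposes listed
# in Part 6 are present; otherwise prints what is missing and returns 1.
# Matches on the labels openssl prints in its -text dump.
check_ua_keyusage() {
  text=$(openssl x509 -in "$1" -noout -text)
  missing=""
  for want in "Digital Signature" "Non Repudiation" "Key Encipherment" "Data Encipherment"; do
    case "$text" in
      *"$want"*) ;;
      *) missing="$missing keyUsage:$want" ;;
    esac
  done
  case "$text" in
    *"TLS Web Server Authentication"*) ;;
    *) missing="$missing extendedKeyUsage:serverAuth" ;;
  esac
  case "$text" in
    *"TLS Web Client Authentication"*) ;;
    *) missing="$missing extendedKeyUsage:clientAuth" ;;
  esac
  if [ -n "$missing" ]; then
    printf 'not usable as an ApplicationInstanceCertificate; missing:%s\n' "$missing"
    return 1
  fi
  return 0
}

# Usage: sh ua_cert.sh urn:example:app
# Writes app.pem, app.der and app.key in the current directory, then checks app.pem.
if [ "$#" -ge 1 ]; then
  make_ua_cert "$1" app.pem app.key
  check_ua_keyusage app.pem && echo "app.pem carries the key usages Part 6 requires"
fi
```

Running check_ua_keyusage against a certificate made the way the question shows (extendedKeyUsage = clientAuth only, no keyUsage) reports all four keyUsage bits and serverAuth as missing, which is the same gap the answer describes; the CA that issues the real certificate has to include those bits for the OpenSecureChannel signing and key transport to work.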