Please consider registering

sp_LogInOut Log In sp_Registration Register

Register | Lost password?
Advanced Search

— Forum Scope —

— Match —

— Forum Options —

Minimum search word length is 3 characters - maximum search word length is 84 characters

sp_Feed Topic RSS sp_TopicIcon
Certificate key usage
January 26, 2024
10:53, EET
Forum Posts: 5
Member Since:
January 26, 2024
sp_UserOfflineSmall Offline

I’ve generated a certificate using openssl:
openssl req -newkey rsa:2048 -new -nodes -x509 -days 3650 -keyout SAP_2048.pem -out SAP_2048.der -addext “extendedKeyUsage = clientAuth” -addext “subjectAltName = URI:urn:trafikforvaltningen:SAP”
But get java.io.IOException: toDerInputStream rejects tag type 45 when starting the server.

If i add
-addext “keyUsage = digitalSignature,nonRepudiation”
it works but our organisation CA don’t want to generate it with thise keys as it would give the system possibility to access other systems.

Is there a way to get it to work without digitalSignature,nonRepudiation by adding something in our code or config?

January 26, 2024
11:56, EET
Bjarne Boström
Forum Posts: 994
Member Since:
April 3, 2012
sp_UserOfflineSmall Offline

Are you making an ApplicationInstanceCertificate or a user-authentication certificate? You mention “starting the server” so most likely ApplicationInstanceCertificate (though you mention ‘clientAuth’, but one would use ‘serverAuth’ for server so it is a bit confusing, or well the spec says it should also include ‘clientAuth’, but the ‘serverAuth’ is mandatory).

I’m going to assume ApplicationInstanceCertificate, as user-auth via certs is very rare.

In short, the certificate without the flags would be kinda useless. Note that you need more than those 2 for it to be a proper OPC UA ApplicationInstanceCertificate. Please see https://reference.opcfoundation.org/Core/Part6/v105/docs/6.2.2. “For RSA keys, the keyUsage shall include digitalSignature, nonRepudiation, keyEncipherment and dataEncipherment”. Then from https://datatracker.ietf.org/doc/html/rfc5280#section-

“The digitalSignature bit is asserted when the subject public key is used for verifying digital signatures …”
“The keyEncipherment bit is asserted when the subject public key is
used for enciphering private or secret keys, i.e., for key
transport. For example, this bit shall be set when an RSA public
key is to be used for encrypting a symmetric content-decryption
key or an asymmetric private key.”
For nonRepudiation see

and finally
“The dataEncipherment bit is asserted when the subject public key
is used for directly enciphering raw user data without the use of
an intermediate symmetric cipher.”

Without the flags, it would not be possible to do what OPC UA needs the cert for. It is used to sign and encrypt the OpenSecureChannel message exchange and forming a temporary symmetric key for the rest of the messages.

In general (at least OPC UA wise) the whole point of using CA-signed certs is that one doesn’t need to individually trust each applications certificate (that normally would be a self-signed one). You would typically have like one CA (cert) per factory floor (or equivalent), use that to sign all certs of clients and servers and then have them trust that CA.

Forum Timezone: Europe/Helsinki

Most Users Ever Online: 518

Currently Online:
17 Guest(s)

Currently Browsing this Page:
1 Guest(s)

Top Posters:

Heikki Tahvanainen: 402

hbrackel: 142

pramanj: 86

Francesco Zambon: 83

rocket science: 82

Ibrahim: 76

Sabari: 62

kapsl: 57

gjevremovic: 49

Xavier: 43

Member Stats:

Guest Posters: 0

Members: 704

Moderators: 7

Admins: 1

Forum Stats:

Groups: 3

Forums: 15

Topics: 1482

Posts: 6316

Newest Members:

samui, TommyDab, wross, Jeremyknock, Pedromon, DonaldEdism, Miguelplese, Scotanine, katesalas95, Petertum

Moderators: Jouni Aro: 1015, Pyry: 1, Petri: 0, Bjarne Boström: 994, Jimmy Ni: 26, Matti Siponen: 330, Lusetti: 0

Administrators: admin: 1