How to create a user certificate for user auth using OpenSSL
February 26, 2021, 13:06 EET
rocket science (Member)

Hi,

how can I create a user certificate for user auth using OpenSSL? (and which can be used in the Java Client SDK)

I found some how to’s on the internet (either on the unified automation page or in some other forums), but none of them seem to work with the Prosys SDK.

I would like to connect from the Prosys OpcUa Browser to the Prosys OpcUa Simulation Server using a user certificate for authentication.

A) The first attempt with OpenSSL was the following:

1) openssl req -x509 -newkey rsa:4096 -keyout myUserCert_key.pem -out myUserCert.pem -days 7200
2) openssl x509 -in myUserCert.pem -outform der -out myUserCert.der

So I have the following files:
myUserCert.der
myUserCert.pem
myUserCert_key.pem

In the User Authentication option of the Prosys Browser I set myUserCert.der for the Certificate (the Examine Certificate button shows the correct contents) and I use myUserCert_key.pem for the Private Key.
The User Authentication asks for the Private Key Password (I chose ‘pass’ when I created the key using OpenSSL), but it seems that the Prosys Browser does not accept it, because the Password Dialog pops up again and again.

B) The second attempt was the following:

1) openssl req -x509 -days 365 -new -out cert.pem -key key.pem
2) openssl x509 -in cert.pem -outform der -out cert.der

This OpenSSL command does not ask for a password for the private key – so I expect that no password is set here.

I get the following files:
cert.der
cert.pem
key.pem

and use cert.der for the Certificate and key.pem for the private key – the password dialog pops up, which I confirm without entering a password.

When I click the Connect Button in the Prosys Browser there is a message ‘Could not connect to server. Failed to activate session’.

I also checked the following folders of the simulation server:
C:\Users\myUsername\.prosysopc\prosys-opc-ua-simulation-server\USERS_PKI\CA\certs
C:\Users\myUsername\.prosysopc\prosys-opc-ua-simulation-server\USERS_PKI\CA
There are no files in these folders.

Even if I copy the files myUserCert.der & cert.der into the USERS_PKI certs folder, nothing changes.

Somehow I guess my creation of the user certificates using OpenSSL is somehow wrong or some option is missing.

Can you give me a guide on how to create a valid user certificate using OpenSSL which can be used to connect from the Prosys Browser to the Prosys Simulation Server?

Thank you!

February 26, 2021, 15:17 EET
Matti Siponen (Moderator)

Hello,

In general, you can take a look at the Browser’s own certificate and generate a similar certificate to be used as a user certificate. In fact, you can try using Browser’s certificate as user certificate. Its password is opcua.

I don’t know how to use OpenSSL, so I can only advise you on what the output certificate should look like. To match the certificate used by Browser, you will need to add the following extensions to your certificate:

– Key usage with the following flags: Digital Signature, Non-Repudiation, Key Encipherment, Data Encipherment, Certificate Signing; you can experiment with other combinations, but this one works for sure

– Enhanced Key Usage with Server Authentication (1.3.6.1.5.5.7.3.1) and Client Authentication (1.3.6.1.5.5.7.3.2) (I think our applications require both of these, but you can also try without this extension)

– Subject Alternative Name with URL and DNS Name might be required, but I’m not certain.

Also, Subject Type of Basic Constraints should be End Entity, though I’m not 100% certain of this either.

February 26, 2021, 16:57 EET
rocket science (Member)

Hi,

thanks for your reply.

Basically I know the requirements for the certificate – I also used the prosys browser certificate as a user certificate and could authenticate.

>Subject Alternative Name with URL and DNS Name might be required, but I’m not certain.
SAN is not needed for the user certificate – I already created user certificates in a key store using the java keytool and could use it successfully to connect with the SDK to the simulation server

But I’m still struggling with creating a .der and .pem file using OpenSSL which works with the SDK / Browser to connect to the simulation server.

March 1, 2021, 13:08 EET
Matti Siponen (Moderator)

Hello,

I’ve been testing generating user certificates with OpenSSL and I’ve figured out a process that works.

First of all, you will need to generate the private key in RSA format as Browser doesn’t support other types of private keys at the moment. You can generate an RSA private key by using “openssl genrsa” command.

You can add extensions to certificates in OpenSSL by specifying them in a configuration file. See https://www.phcomp.co.uk/Tutorials/Web-Technologies/Understanding-and-generating-OpenSSL.cnf-files.html for an example of configuration file. You will need to add “-extensions” parameter to your “openssl req” command to specify which set of extensions to load from the configuration file. In the previously linked example, this would be “v3_req”.

Finally, use “openssl x509” command to generate the certificate in DER format.

When your configuration file is saved as “openssl.cnf” and you want to use extensions specified in section “v3_req”, you would use the following commands.

openssl genrsa -out myUserCert_key.pem
openssl req -x509 -config .\openssl.cnf -key myUserCert_key.pem -outform PEM -out myUserCert.pem -days 7200 -extensions v3_req
openssl x509 -in myUserCert.pem -outform der -out myUserCert.der

You will need to use myUserCert_key.pem in Browser instead of myUserCert.pem. The configuration in the linked example will generate a certificate that works with Browser and Simulation Server without changing anything in the configuration file, but you might want to use your information instead of example.com etc.

Let me know if you are able to generate a key pair with these instructions and use it to connect to Simulation Server.
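The procedure above as an added, self-contained example (not code from the original thread or from Prosys): it writes an openssl.cnf with the extensions Matti listed (RSA key, key usage, extended key usage for server and client auth, end-entity basic constraints, SAN), runs the three commands, and then checks the resulting DER file actually carries those extensions before it is handed to the Browser. The subject, URI and DNS values are constructed placeholders, and openssl is assumed to be on PATH.

```shell
#!/bin/sh
set -e

# Generate key, self-signed PEM certificate and DER copy in directory $1.
make_user_cert() {
    dir="${1:-.}"
    # Config written inline; values below are constructed placeholders.
    cat > "$dir/openssl.cnf" <<'EOF'
[ req ]
distinguished_name = req_dn
x509_extensions    = v3_req
prompt             = no

[ req_dn ]
CN = myUser
O  = Example Org

[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment, keyCertSign
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = URI:urn:example:myUser, DNS:localhost
EOF
    # RSA only: Browser does not accept other key types for user auth.
    openssl genrsa -out "$dir/myUserCert_key.pem" 2048 2>/dev/null
    openssl req -x509 -config "$dir/openssl.cnf" -key "$dir/myUserCert_key.pem" \
        -outform PEM -out "$dir/myUserCert.pem" -days 7200 -extensions v3_req
    openssl x509 -in "$dir/myUserCert.pem" -outform der -out "$dir/myUserCert.der"
}

# Return 0 when the DER certificate has an RSA key and the extensions the
# Browser/Simulation Server expect; any missing item returns 1.
check_user_cert() {
    txt=$(openssl x509 -inform der -in "$1" -noout -text)
    echo "$txt" | grep -q "Public Key Algorithm: rsaEncryption" || return 1
    echo "$txt" | grep -q "CA:FALSE" || return 1
    echo "$txt" | grep -q "Digital Signature, Non Repudiation, Key Encipherment, Data Encipherment, Certificate Sign" || return 1
    echo "$txt" | grep -q "TLS Web Server Authentication, TLS Web Client Authentication" || return 1
}
```

OpenSSL 1.1.1 and later also accept the same extensions on the `openssl req` command line through `-addext`, so the config file is a convenience rather than a requirement.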

March 1, 2021, 13:52 EET
rocket science (Member)

Hi,
thank you! That’s great – I will give it a try and report if it worked for me.

@Matti – with your link to the tutorial I was able to create a working certificate and private key with OpenSSL which can be used in the Prosys Browser and the Simulation Server.

Next step for me will be to check if I can get a working one without the need of the cnf file – so to create it just with OpenSSL command line parameters.
