Avatar

Please consider registering
guest

sp_LogInOut Log In sp_Registration Register

Register | Lost password?
Advanced Search

— Forum Scope —




— Match —





— Forum Options —





Minimum search word length is 3 characters - maximum search word length is 84 characters

sp_Feed Topic RSS sp_TopicIcon
Real Certificate Security
March 21, 2017
10:53, EET
Avatar
kapsl
Member
Members
Forum Posts: 57
Member Since:
December 20, 2016
sp_UserOfflineSmall Offline

Hello,
we are currently evaluating, how to make the system really safe. But I’m struggling with the certificates…

I’m currently creating a self-signed certificate with ApplicationIdentity.loadOrCreateCertificate
but to get a “real” certificate, that is e.g. signed by a company wide known issuer we have to somehow transfer that certificate to the client/server and let the client/server know about this trusted issuer.
How can we achieve this?

There is some option about issuer certificate and private key. But I would never want the private key of the issuer in every small opc ua device???

Thanks,
lg Manuel

March 21, 2017
11:24, EET
Avatar
kapsl
Member
Members
Forum Posts: 57
Member Since:
December 20, 2016
sp_UserOfflineSmall Offline

And I have another issue:

I can’t get a connection over https running. I set up all the https certificate stuff but when I try to connect with UAExpert I get the error that:

The TLS certificate of server ‘…’ is already in UaExpert’s trust list but validation still fails. But I can’t find a reason why it fails? It is created with

KeyPair issuerCertificate = ApplicationIdentity.loadOrCreateIssuerCertificate(“ProsysSampleCA”, privatePath,
“opcua”, 3650, false);

String hostName = InetAddress.getLocalHost().getHostName();
identity.setHttpsCertificate(
ApplicationIdentity.loadOrCreateHttpsCertificate(appDescription, hostName, “opcua”, issuerCertificate, privatePath, true));

March 22, 2017
11:37, EET
Avatar
Jouni Aro
Moderator
Moderators
Forum Posts: 1026
Member Since:
December 21, 2011
sp_UserOfflineSmall Offline

You need to copy the CA certificate (the one that is signing your certificate) to the trusted (‘certs’) folder of your application.

For HTTPS to work, the apps like UaExpert need to trust the ProsysSampleCA certificate, as well. So copy that to UaExpert’s trusted certs folder.

March 22, 2017
11:38, EET
Avatar
Jouni Aro
Moderator
Moderators
Forum Posts: 1026
Member Since:
December 21, 2011
sp_UserOfflineSmall Offline

And as you mention, the private keys must never be copied between the applications.

March 22, 2017
15:23, EET
Avatar
kapsl
Member
Members
Forum Posts: 57
Member Since:
December 20, 2016
sp_UserOfflineSmall Offline

And where do I load or copy my own certificate? How can I tell the server to just load my certificate, that I created somewhere else and now using for the application?

Regading https:
I copied the ProsysSampleCA from the PKI folder to the ua Expert Issuers and TLS Issuers list (also shown within uaexpert on “Manage Certificates”) but i still get the same error.

lg Manu

March 22, 2017
19:22, EET
Avatar
Jouni Aro
Moderator
Moderators
Forum Posts: 1026
Member Since:
December 21, 2011
sp_UserOfflineSmall Offline

You have to replace the certificate and private key in the ‘private’ folder.

HTTPS implementations have been pending quite a while and the interoperability testing has not been finished. Also, it might be an issue that the Java implementation does not enable TLS 1.2 at the moment and UaExpert may have already reacted to the deprecation of TLS 1.0 and 1.1 in the latest OPC UA specifications – leaving no common TLS version available. So it is also possible that it just does not work. HTTPS in general is not a very solid option because of several practical issues, unfortunately.

March 27, 2017
10:36, EEST
Avatar
kapsl
Member
Members
Forum Posts: 57
Member Since:
December 20, 2016
sp_UserOfflineSmall Offline

Good Morning,
ok I managed to get my Application Certificate in through using the normal:
ApplicationIdentity.loadOrCreateCertificate(). When it has the same name as the Application, it is used. (Wouldn’t it be better to have here other methods for reading own certificates, this is somehow a bit difficult to understand…)

But now i ran into the problem, that this doesn’t work with the Issuer Certificate. I tried with ApplicationIdentity.loadOrCreateIssuerCertificate(). But this overwrites my copied in Issuer Certificate. I guess it awaits a private key for this certificate, but I don’t have any?!

Thanks,
lg Manu

March 27, 2017
15:02, EEST
Avatar
Heikki Tahvanainen
Member
Members
Forum Posts: 402
Member Since:
April 17, 2013
sp_UserOfflineSmall Offline

Hello,

The example applications in the SDK use self-signed certificates. In this case, you’re using certificates which are signed by a real company-wide CA. This means that you cannot take the code from the examples directly. For example, the ApplicationIdentity.loadOrCreateIssuerCertificate method is not needed in this situation.

Also, you don’t “have” to use the ApplicationIdentity.loadOrCreateCertificate method. For example, if you are using a Java Keystore, you can load an application instance certificate from the keystore with:

final ApplicationIdentity identity = new ApplicationIdentity(new File("C:\\<path to the keystore>\\.keystore"), "testalias", "keypass", "storepass", "JKS");

In your original question you mentioned: “I would never want the private key of the issuer in every small opc ua device?”

You are absolutely correct. Only the public key of the issuer certificate is distributed to every application/device. This is not OPC UA specific; this is how public key infrastructure works.

With the Java SDK and the default PkiFileBasedCertificateValidator, you can utilize CA certificates simply by placing the CA cert in the PKI\CA\certs folder.

Let us know if you have additional questions about creating and using the application instance certificates.

At the end, I would like to mention one more detail. If you create the certificates in some separate system which is not related to OPC UA, you should make sure that the used certificates specify information about ApplicationURI and hostnames. The hostnames part is provided as dns name or ip-address. This functionality is specified in the part 6 of the specification.

As an example, with Java Keytool you could specify this certificate extension with the “-ext” option:

keytool -genkey -alias testalias -storepass storepass -keypass keypass -keyalg RSA -sigalg SHA256withRSA -keysize 2048 -storetype JKS -validity 3650 -dname "CN=SampleConsoleClient, O=SampleOrganization" -ext SAN=URI:"urn:<myhostname>:OPCUA:SampleConsoleClient",DNS:<myhostname>
March 27, 2017
16:27, EEST
Avatar
kapsl
Member
Members
Forum Posts: 57
Member Since:
December 20, 2016
sp_UserOfflineSmall Offline

Hi Heikki,
and thanks for the explanation. I use openssl for certificate creation. But when trying to load the certificate with

File appCert = new File(privatePathString, “server.cert.der”);
File appKey = new File(privatePathString, “server.key.pem”);

final ApplicationIdentity identity = new ApplicationIdentity(appCert, appKey, “”);

I get a not further explained NullPointerException when doing init()

lg

March 31, 2017
16:04, EEST
Avatar
Heikki Tahvanainen
Member
Members
Forum Posts: 402
Member Since:
April 17, 2013
sp_UserOfflineSmall Offline

Hello,

What is the NPE that you receive?

Probably not directly related to the null pointer, but please note that you need to set the application description with

identity.setApplicationDescription(appDescription);
April 3, 2017
15:54, EEST
Avatar
kapsl
Member
Members
Forum Posts: 57
Member Since:
December 20, 2016
sp_UserOfflineSmall Offline

Hi,
adding the application description solved the problem. Thanks!

December 14, 2021
10:39, EET
Avatar
rocket science
Member
Members
Forum Posts: 88
Member Since:
March 16, 2017
sp_UserOfflineSmall Offline

Heikki Tahvanainen said
As an example, with Java Keytool you could specify this certificate extension with the “-ext” option:

keytool -genkey -alias testalias -storepass storepass -keypass keypass -keyalg RSA -sigalg SHA256withRSA -keysize 2048 -storetype JKS -validity 3650 -dname "CN=SampleConsoleClient, O=SampleOrganization" -ext SAN=URI:"urn:<myhostname>:OPCUA:SampleConsoleClient",DNS:<myhostname>

  

As many newer OpcUa server reject the certificate when ‘Key Usage’ and ‘Enhanced Key Usage’ extensions are missing, the commandline should be extended with parameter -ext KU and -ext EKU

keytool -genkey -alias testalias -storepass storepass -keypass keypass -keyalg RSA -sigalg SHA256withRSA -keysize 2048 -storetype JKS -validity 3650 -dname "CN=SampleConsoleClient, O=SampleOrganization" -ext SAN=URI:"urn:<myhostname>:OPCUA:SampleConsoleClient",DNS:<myhostname> -ext KU=digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment -ext EKU=serverAuth,clientAuth
Forum Timezone: Europe/Helsinki

Most Users Ever Online: 1919

Currently Online:
19 Guest(s)

Currently Browsing this Page:
1 Guest(s)

Top Posters:

Heikki Tahvanainen: 402

hbrackel: 144

rocket science: 88

pramanj: 86

Francesco Zambon: 83

Ibrahim: 78

Sabari: 62

kapsl: 57

gjevremovic: 49

Xavier: 43

Member Stats:

Guest Posters: 0

Members: 728

Moderators: 7

Admins: 1

Forum Stats:

Groups: 3

Forums: 15

Topics: 1529

Posts: 6471

Newest Members:

ellis87832073466, zkxwilliemae, gabriellabachus, Deakin, KTP25Zof, Wojciech Kubala, efrennowell431, wilfredostuart, caitlynfajardo, jeromechubb7

Moderators: Jouni Aro: 1026, Pyry: 1, Petri: 0, Bjarne Boström: 1032, Jimmy Ni: 26, Matti Siponen: 349, Lusetti: 0

Administrators: admin: 1