Log In
Register
Forum
Topic RSS
10:53, EET
December 20, 2016
Offline
Hello,
we are currently evaluating, how to make the system really safe. But I’m struggling with the certificates…
I’m currently creating a self-signed certificate with ApplicationIdentity.loadOrCreateCertificate
but to get a “real” certificate, that is e.g. signed by a company wide known issuer we have to somehow transfer that certificate to the client/server and let the client/server know about this trusted issuer.
How can we achieve this?
There is some option about issuer certificate and private key. But I would never want the private key of the issuer in every small opc ua device???
Thanks,
lg Manuel
11:24, EET
December 20, 2016
Offline
And I have another issue:
I can’t get a connection over https running. I set up all the https certificate stuff but when I try to connect with UAExpert I get the error that:
The TLS certificate of server ‘…’ is already in UaExpert’s trust list but validation still fails. But I can’t find a reason why it fails? It is created with
KeyPair issuerCertificate = ApplicationIdentity.loadOrCreateIssuerCertificate(“ProsysSampleCA”, privatePath,
“opcua”, 3650, false);
String hostName = InetAddress.getLocalHost().getHostName();
identity.setHttpsCertificate(
ApplicationIdentity.loadOrCreateHttpsCertificate(appDescription, hostName, “opcua”, issuerCertificate, privatePath, true));
11:37, EET
December 21, 2011
Offline
You need to copy the CA certificate (the one that is signing your certificate) to the trusted (‘certs’) folder of your application.
For HTTPS to work, the apps like UaExpert need to trust the ProsysSampleCA certificate, as well. So copy that to UaExpert’s trusted certs folder.
11:38, EET
December 21, 2011
Offline
And as you mention, the private keys must never be copied between the applications.
15:23, EET
December 20, 2016
Offline
And where do I load or copy my own certificate? How can I tell the server to just load my certificate, that I created somewhere else and now using for the application?
Regading https:
I copied the ProsysSampleCA from the PKI folder to the ua Expert Issuers and TLS Issuers list (also shown within uaexpert on “Manage Certificates”) but i still get the same error.
lg Manu
19:22, EET
December 21, 2011
Offline
You have to replace the certificate and private key in the ‘private’ folder.
HTTPS implementations have been pending quite a while and the interoperability testing has not been finished. Also, it might be an issue that the Java implementation does not enable TLS 1.2 at the moment and UaExpert may have already reacted to the deprecation of TLS 1.0 and 1.1 in the latest OPC UA specifications – leaving no common TLS version available. So it is also possible that it just does not work. HTTPS in general is not a very solid option because of several practical issues, unfortunately.
10:36, EEST
December 20, 2016
Offline
Good Morning,
ok I managed to get my Application Certificate in through using the normal:
ApplicationIdentity.loadOrCreateCertificate(). When it has the same name as the Application, it is used. (Wouldn’t it be better to have here other methods for reading own certificates, this is somehow a bit difficult to understand…)
But now i ran into the problem, that this doesn’t work with the Issuer Certificate. I tried with ApplicationIdentity.loadOrCreateIssuerCertificate(). But this overwrites my copied in Issuer Certificate. I guess it awaits a private key for this certificate, but I don’t have any?!
Thanks,
lg Manu
15:02, EEST
April 17, 2013
Offline
Hello,
The example applications in the SDK use self-signed certificates. In this case, you’re using certificates which are signed by a real company-wide CA. This means that you cannot take the code from the examples directly. For example, the ApplicationIdentity.loadOrCreateIssuerCertificate method is not needed in this situation.
Also, you don’t “have” to use the ApplicationIdentity.loadOrCreateCertificate method. For example, if you are using a Java Keystore, you can load an application instance certificate from the keystore with:
In your original question you mentioned: “I would never want the private key of the issuer in every small opc ua device?”
You are absolutely correct. Only the public key of the issuer certificate is distributed to every application/device. This is not OPC UA specific; this is how public key infrastructure works.
With the Java SDK and the default PkiFileBasedCertificateValidator, you can utilize CA certificates simply by placing the CA cert in the PKI\CA\certs folder.
Let us know if you have additional questions about creating and using the application instance certificates.
At the end, I would like to mention one more detail. If you create the certificates in some separate system which is not related to OPC UA, you should make sure that the used certificates specify information about ApplicationURI and hostnames. The hostnames part is provided as dns name or ip-address. This functionality is specified in the part 6 of the specification.
As an example, with Java Keytool you could specify this certificate extension with the “-ext” option:
16:27, EEST
December 20, 2016
Offline
Hi Heikki,
and thanks for the explanation. I use openssl for certificate creation. But when trying to load the certificate with
File appCert = new File(privatePathString, “server.cert.der”);
File appKey = new File(privatePathString, “server.key.pem”);
final ApplicationIdentity identity = new ApplicationIdentity(appCert, appKey, “”);
I get a not further explained NullPointerException when doing init()
lg
16:04, EEST
April 17, 2013
Offline
Hello,
What is the NPE that you receive?
Probably not directly related to the null pointer, but please note that you need to set the application description with
15:54, EEST
December 20, 2016
Offline
Hi,
adding the application description solved the problem. Thanks!
10:39, EET
March 16, 2017
Offline
Heikki Tahvanainen said
As an example, with Java Keytool you could specify this certificate extension with the “-ext” option:keytool -genkey -alias testalias -storepass storepass -keypass keypass -keyalg RSA -sigalg SHA256withRSA -keysize 2048 -storetype JKS -validity 3650 -dname "CN=SampleConsoleClient, O=SampleOrganization" -ext SAN=URI:"urn:<myhostname>:OPCUA:SampleConsoleClient",DNS:<myhostname>
As many newer OpcUa server reject the certificate when ‘Key Usage’ and ‘Enhanced Key Usage’ extensions are missing, the commandline should be extended with parameter -ext KU and -ext EKU
Most Users Ever Online: 1919
Currently Online:
17 Guest(s)
Currently Browsing this Page:
1 Guest(s)
Top Posters:
Heikki Tahvanainen: 402
hbrackel: 144
rocket science: 88
pramanj: 86
Francesco Zambon: 83
Ibrahim: 78
Sabari: 62
kapsl: 57
gjevremovic: 49
Xavier: 43
Member Stats:
Guest Posters: 0
Members: 735
Moderators: 7
Admins: 1
Forum Stats:
Groups: 3
Forums: 15
Topics: 1523
Posts: 6449
Newest Members:
rust, christamcdowall, redaahern07571, nigelbdhmp, travistimmons, AnnelCib, dalenegettinger, howardkennerley, Thomassnism, biancacraft16Moderators: Jouni Aro: 1026, Pyry: 1, Petri: 0, Bjarne Boström: 1026, Jimmy Ni: 26, Matti Siponen: 346, Lusetti: 0
Administrators: admin: 1
