Avatar

Please consider registering
guest

sp_LogInOut Log In sp_Registration Register

Register | Lost password?
Advanced Search

— Forum Scope —




— Match —





— Forum Options —





Minimum search word length is 3 characters - maximum search word length is 84 characters

sp_Feed Topic RSS sp_TopicIcon
Using Wildcards in 'Subject Alternative Name' for Application Certificate
March 6, 2023
14:55, EET
Avatar
rocket science
Member
Members
Forum Posts: 88
Member Since:
March 16, 2017
sp_UserOfflineSmall Offline

Hi,

is it possible when using the method ‘loadOrCreateCertificate(…., String… hostNames)’ from the class ApplicationIdentity, to pass in also wildcard hostNames like e.g.

1.2.3.*
*.xyz.net
*

In the reference (https://reference.opcfoundation.org/v104/Core/docs/Part6/6.2.2/) it says: ‘Servers shall specify a partial or a fully qualified dNSName’ … – but the reference does not sepcify how a partial qualified dNSName looks like.

It also references to RFC 3280 (https://www.ietf.org/rfc/rfc3280.txt) where there is a short sentence about wildcards in section ‘4.2.1.7 Subject Alternative Name’

>> Finally, the semantics of subject alternative names that include
wildcard characters (e.g., as a placeholder for a set of names) are
not addressed by this specification. Applications with specific
requirements MAY use such names, but they must define the semantics.

So it says that it may be possible, depending on the application.

Thanks!

March 6, 2023
15:13, EET
Avatar
rocket science
Member
Members
Forum Posts: 88
Member Since:
March 16, 2017
sp_UserOfflineSmall Offline

… and another question on this topic… does a OpcUa Client need to have the Subject Alternative Name hostname to be specified in his Application Certificate or is the hostname (list) only a thing which a OpcUa Server has to have in his Application Certificate?

I’m not sure because in the OPC reference at subjectAltName/hostnames it says only something about the ‘Servers shall specify …’ but it does not talk about the Client.

March 21, 2023
17:20, EET
Avatar
Jouni Aro
Moderator
Moderators
Forum Posts: 1026
Member Since:
December 21, 2011
sp_UserOfflineSmall Offline

Sorry for the late response.

The DNSName field in Subject Alternative Name is indeed not very well defined in the specification, but I would say that you should not use any wild cards, because you are not supposed to use the certificate in more than one computer, anyways. If your computer has several hostnames and IP addresses that the clients may connect with, you should list all of them explicitly in the certificate.

In any case, it is meant to be used by servers only, so that clients could verify that the hostname or IP address used in the connection address matches with the DNSNames defined in the certificate – therefore ensuring that the certificates and private keys are not copied over from one server to another – or that the server you are connecting to is the one that you assume. But it therefore also assumes that DNS is reliable in your network. And this verification is not defined for the clients (although it could theoretically be used as well, since the server can verify the IP address of the client connections).

The main identifier in the certificates is the ApplicationUri, for both server and client applications. The certificate is mainly bound to that and the applications typically verify that the certificate is not copied over between applications by verifying this against the ApplicationUri defined by the applications in their ApplicationDescription. Every application are assumed to define a unique ApplicationUri and it typically also contains the hostname. But, it’s still possible to copy the certificate and private key between computers and make it look legitimate, if you can also change the ApplicationUri respectively.

In any case, the main security measure that you should take, is to ensure that the private keys are not and cannot be copied from the applications. This can be done by properly securing the certificate stores (file systems) in which they are stored.

Also, the certificates should be signed by Certificate Authorities instead of using self-signed certificates. By this means, you can ensure that only legitimate applications are allowed in your network and no rogue servers or clients can connect with them. The measures that rely on the Subject Alternative Name are secondary to this and merely defined to avoid accidental copying than rogue applications.

For the reasons mentioned above, we have only applied validations against the ApplicationUri in our SDK for Java or SDK for Delphi or applications. But some other client applications may validate against the DNSName, so you may need to use those definitions. We might also enable the DNSName validation in our client-side SDKs in future.

The Global Discovery Server is a new product that can act as a Certificate Authority and Central Application Directory and we recommend to consider that for your future installations, although we haven’t yet finished support for automatic GDS communication in our SDKs. Please contact our sales for more information about the availability and how you could use it with your own applications.

March 22, 2023
11:26, EET
Avatar
rocket science
Member
Members
Forum Posts: 88
Member Since:
March 16, 2017
sp_UserOfflineSmall Offline

Thank you for the detailed explanation!

One more questions regarding this point:

>>If your computer has several hostnames and IP addresses that the clients may connect with, you should list all of them explicitly in the certificate.

This is as I understood from server certificate point of view.

What if the client can have several machines (e.g. due to failover reasons). So the client shares an application certificate over more than one computer. (The client runs on computer A, if computer A goes down, the client runs on computer B and so on….). In this case I have one application certificate for the client containing the hostnames for A and B or I have some wildcard because I do not know on which computers the client will run.

So as I understood there are some possibilites…

1) an application certificate for the client containing all ‘failover’ hostnames (so I only have to accept this certficate once at the OpcUa server)
2) an application certifcaite at each computer (disadvantage: I have to accept every possible certifcate at the OpcUa server)
3) an application certificate using wildcards (but I do not know if the server will accept this certifcate using a wildcard as DNS name)

March 22, 2023
15:14, EET
Avatar
rocket science
Member
Members
Forum Posts: 88
Member Since:
March 16, 2017
sp_UserOfflineSmall Offline

And another question which is somehow related to this topic.

When I implement an OpcUa-Client, I create a self signed certificate using one of the ApplicationIdentity.loadOrCreateCertificate(…) methods.

I do this like suggested in the SampleConsoleClient

// *** Application Description is sent to the server
protected static String APP_NAME = “MyOpcUaClient”;
ApplicationDescription appDescription = new ApplicationDescription();
// ‘localhost’ (all lower case) in the ApplicationName and
// ApplicationURI is converted to the actual host name of the computer
// in which the application is run
appDescription.setApplicationName(new LocalizedText(APP_NAME + “@localhost”));
appDescription.setApplicationUri(“urn:localhost:OPCUA:” + APP_NAME);

So I get an Application Certificate with Name MyOpcUaClient@MyPC1
ApplicationUri = urn:MyPC1:OPCUA:MyOpcUaClient
SAN = [6,urn:MyPC1:OPCUA:MyOpcUaClient], [2,MyPC1]

So in case I will use the client in some fail over configuration where the client can run either on MyPC1 or on MyPC2, is there any possibility to share the self signed certificate for both clients. As there is the host name included in the name of the certificate and also in the ApplicationURI, I guess not?

Is there any requirement in the OpcUa reference to have the hostname incldued in the ApplicationName and in the ApoplicationUri? (or would it be ok to don’t include the hostname?)

March 23, 2023
17:07, EET
Avatar
Jouni Aro
Moderator
Moderators
Forum Posts: 1026
Member Since:
December 21, 2011
sp_UserOfflineSmall Offline

Just to clarify: The client certificate does not use DNSName in the certificate. But it may use hostname in the ApplicationUri.

But, there are no real rules for the ApplicationUri (at least not yet) that would require you to use the Hostname in it. It’s just the most convenient way to ensure that the ApplicationUri is unique in every instance and that the certificates are not copied over from one application to another.

If you can create the certificates with a CA, you can make the server accept all CA signed certificates by default, so it won’t matter if every client has a different certificate, since you don’t accept them manually. But the sample can only create self-signed certificates…

In a redundant scenario, you have different options:

– if you wish that the redundant clients look exactly the same towards the server, you can use the same ApplicationUri and certificate. It’s not recommended to copy the certificate and private keys between computers in general, but if the clients must look the same, I think this is the only option.

– if you can accept that the server will see the clients as separate applications, they can have different ApplicatioUris and certificates.

In general, the server should not care which strategy you choose.

March 23, 2023
21:09, EET
Avatar
rocket science
Member
Members
Forum Posts: 88
Member Since:
March 16, 2017
sp_UserOfflineSmall Offline

Thank you for clarification!

When taking a look into the reference (https://reference.opcfoundation.org/v104/Core/docs/Part6/6.2.2/) it says for the SAN that it has to include the applicationUri and for servers it shall include the DNS names and/or IP Adresses.

Initially I thought that also client certificate have to include the hostnames of the clients because on every OpcUa client I have seen so far (which are only Prosys Browser and UaExpert) there was always the own DNS name included in the SAN of the client certificate.

But as I understood now, the client certificate does not need the DNSName in the SAN part of the certificate, but it needs the ApplicationUri, right?

March 24, 2023
16:35, EET
Avatar
Jouni Aro
Moderator
Moderators
Forum Posts: 1026
Member Since:
December 21, 2011
sp_UserOfflineSmall Offline

Yes, exactly.

Forum Timezone: Europe/Helsinki

Most Users Ever Online: 1919

Currently Online:
74 Guest(s)

Currently Browsing this Page:
1 Guest(s)

Top Posters:

Heikki Tahvanainen: 402

hbrackel: 144

rocket science: 88

pramanj: 86

Francesco Zambon: 83

Ibrahim: 78

Sabari: 62

kapsl: 57

gjevremovic: 49

Xavier: 43

Member Stats:

Guest Posters: 0

Members: 734

Moderators: 7

Admins: 1

Forum Stats:

Groups: 3

Forums: 15

Topics: 1523

Posts: 6449

Newest Members:

christamcdowall, redaahern07571, nigelbdhmp, travistimmons, AnnelCib, dalenegettinger, howardkennerley, Thomassnism, biancacraft16, edgardo3518

Moderators: Jouni Aro: 1026, Pyry: 1, Petri: 0, Bjarne Boström: 1026, Jimmy Ni: 26, Matti Siponen: 346, Lusetti: 0

Administrators: admin: 1