Creating OPC UA Clients with security support

One of the core features of OPC UA is its support for security: the protocol traffic is cryptographically encrypted and signed, and user authentication and authorization are supported.

To make this work, each application instance (installation of a program) needs its own Application Instance Certificate and the corresponding private key.

Applications can either generate self-signed certificates on their own, obtain them from a certificate authority using the OPC UA GDS, or simply be configured with certificates that have been created manually by the user.

Because at the moment Qt OPC UA does not support certificate generation or GDS, this tutorial describes how to generate a self-signed OPC UA certificate on the command line using OpenSSL.

Create a new Application Certificate

To be able to generate a correct X.509v3 certificate with all the extensions OPC UA requires, we first need to set up a configuration file with all the necessary information.

Remember to change subject and subjectAltName to match your case.

It is important to insert the ApplicationURI of the application into the URI field of subjectAltName, and to insert the hostname of your PC or device into the DNS field of subjectAltName. Alternatively, you can use the IP field if your device does not support host names and you are working with static IPs. Future versions of Qt OPC UA will be able to generate the certificate for you with the correct information. For now, you can create one using the OpenSSL command line tool.

Example: opcuaviewer.config

[ req ]
default_bits = 2048
default_md = sha256
distinguished_name = subject
req_extensions = req_ext
x509_extensions = req_ext
string_mask = utf8only
prompt = no

[ req_ext ]
basicConstraints = critical, CA:FALSE
keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment, dataEncipherment
extendedKeyUsage = clientAuth
subjectAltName = URI:urn:foo.com:The%20Qt%20Company:QtOpcUaViewer,DNS:foo.com
subjectKeyIdentifier = hash
authorityKeyIdentifier=keyid:always,issuer:always

[ subject ]
countryName = DE
stateOrProvinceName = Berlin
localityName = Berlin
organizationName = The Qt Company
commonName = QtOpcUaViewer

Using this configuration file, OpenSSL is able to create a matching certificate for local use.

# create a self-signed certificate and private key
openssl req -new -x509  -config opcuaviewer.config -newkey rsa:2048 -keyout opcuaviewer.key -nodes -outform der -out opcuaviewer.der
# install the certificate and key into the application PKI directory
mv opcuaviewer.der /path/to/application/pki/own/certs/opcuaviewer.der
mv opcuaviewer.key /path/to/application/pki/own/private/opcuaviewer.pem
# secure private key file permissions
chmod 600 /path/to/application/pki/own/private/opcuaviewer.pem

It is important to secure the file permissions of the private key so that only the UA application can read it. For services (daemons), it is recommended to create a dedicated unprivileged user account for this purpose and make that user the owner of the key. For interactive applications, the key should be individual to the user. For interactive applications it is also possible to password-protect the key; in this case the user has to enter the password every time the application starts and loads the key. For this reason, password-protected keys are not a good solution for unattended applications, because the password would have to be stored in a configuration file.
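The generation step and the permission check above, as an added example that is not part of the Qt OPC UA documentation: it writes an inline config equivalent to opcuaviewer.config with a given ApplicationURI and hostname, runs the same openssl invocation, and then verifies the properties an OPC UA peer checks before trusting the certificate. The organization name, the "app" file names and the work directory are placeholders, not values from the tutorial.

```shell
#!/bin/sh
# Added example, not part of the Qt OPC UA documentation: regenerate the
# application certificate from an inline config equivalent to opcuaviewer.config
# and verify the extensions an OPC UA peer checks before trusting it.
set -eu

# Write the OpenSSL config. $1=output file  $2=ApplicationURI  $3=hostname
write_config() {
  cat > "$1" <<EOF
[ req ]
default_bits = 2048
default_md = sha256
distinguished_name = subject
req_extensions = req_ext
x509_extensions = req_ext
string_mask = utf8only
prompt = no
[ req_ext ]
basicConstraints = critical, CA:FALSE
keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment, dataEncipherment
extendedKeyUsage = clientAuth
subjectAltName = URI:$2,DNS:$3
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer:always
[ subject ]
organizationName = Example Org
commonName = $3
EOF
}

# Generate a DER certificate and PEM key (the tutorial's openssl invocation) and
# restrict the key to its owner. $1=work dir (placeholder)  $2=ApplicationURI  $3=hostname
make_cert() {
  write_config "$1/app.config" "$2" "$3"
  openssl req -new -x509 -config "$1/app.config" -newkey rsa:2048 \
    -keyout "$1/app.key" -nodes -outform der -out "$1/app.der" 2>/dev/null
  chmod 600 "$1/app.key"
}

# Return 0 only if the SAN carries the ApplicationURI and hostname, the cert is
# not a CA, signing is allowed, and the key is readable by its owner alone.
check_cert() {
  txt=$(openssl x509 -inform der -in "$1/app.der" -noout -text)
  echo "$txt" | grep -qF "URI:$2"            || { echo "SAN lacks ApplicationURI"; return 1; }
  echo "$txt" | grep -qF "DNS:$3"            || { echo "SAN lacks hostname";       return 1; }
  echo "$txt" | grep -qF "CA:FALSE"          || { echo "must not be a CA cert";    return 1; }
  echo "$txt" | grep -qF "Digital Signature" || { echo "keyUsage lacks signing";   return 1; }
  [ -n "$(find "$1/app.key" -perm 600)" ]    || { echo "key permissions too open"; return 1; }
}
```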

You can dump the certificate data using OpenSSL to inspect the contents of the certificate:

# the certificate was written in DER format, so tell openssl the input format
openssl x509 -inform der -in opcuaviewer.der -text -noout

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            be:aa:41:79:8a:b0:4f:9a
    Signature Algorithm: sha512WithRSAEncryption
        Issuer: C = DE, ST = Berlin, L = Berlin, O = The Q