OPC UA Certificate Deployment

The UA component certificate (Connector or Server Service) needs to be deployed to the machine running that inmation service, and the root certificate needs to be known to the UA server if the server is to validate the client certificate automatically.

As of today, a UA component cannot be configured with an external client certificate via DataStudio or via API calls. Instead, the certificate and the private key need to be copied manually to the host machine running the Connector or Server service.

For detailed information regarding OPC UA Certificate Management, see this page of the OPC Foundation.

Before the certificate and private key can be deployed, they need to be converted into the required formats.

Converting the Private Key

The private key is required to be stored in PFX (PKCS#12) format, so you need to export the PEM encoded key file together with its certificate into a single PFX file. OpenSSL prompts for an export password, which protects the private key inside the PFX. To do this, execute the following command:

PS > openssl pkcs12 `
        -inkey requesting-party/private/TheRequestingParty.key.pem `
        -in requesting-party/certs/TheGrantedCertificate.pem `
        -export `
        -out requesting-party/private/ua_client.key.pfx
Details

In this command …​

  • -inkey - the PEM encoded private key to be packed into the PKCS#12 output

  • -in - the PEM encoded certificate that belongs to the private key

  • -export - This option specifies that a PKCS#12 file will be created. Without this option, the command parses the file given with the -in option instead

  • -out - specifies the path/filename to write the PKCS#12 file to

For further options of the 'pkcs12' command see the OpenSSL documentation.

Note that with the previous command the converted private key got a new specific name ('ua_client.key.pfx') instead of the generic 'TheRequestingParty.key' which we’ve been using so far.

Converting the Certificate

To convert a certificate from PEM into the required DER encoding, execute this command line:

PS> openssl x509 `
        -outform der `
        -in requesting-party/certs/TheGrantedCertificate.pem `
        -out requesting-party/certs/ua_client.cert.der
Details

In this command …​

  • -outform - defines the new file format for the certificate

  • -in - specifies the file which is to be converted

  • -out - sets the path/filename for the converted certificate

For further options of the 'x509' command see the OpenSSL documentation.

Note that with the previous command the converted certificate got a new specific name ('ua_client.cert') instead of the generic 'TheGrantedCertificate' which we’ve been using so far.

Deployment

1 Before deploying the Private Key and the Certificate to the component, make sure that the OPC UA Stack > Certificate Security > Create Certificate property is disabled.

2 Copy the DER encoded UA client certificate to the inmation.root\certificates\public folder. Then, in the target folder, rename the certificate file so that it starts with "[conn] " for a Connector Service or with "[server] " for a Server Service (without quotation marks, but including the white space after the closing square bracket).

3 Copy the PFX key file to the inmation.root\certificates\private folder and in the target folder rename it so that it also begins with the prefix which fits the service, i.e. "[conn] " or "[server] ".

The final directory layout should look like this (there may exist additional folders and files, but no more than one file with each prefix should exist in each sub-folder):

certificates
┣━ private/
┃  ┗━ [<prefix>] ua_client.key.pfx
┣━ public/
┃  ┗━ [<prefix>] ua_client.cert.der
⁞
After manually adding or removing files in the component's local certificate store, the component service needs to be restarted for the changes to take effect.
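The complete procedure, conversion of key and certificate followed by deployment into the component's certificate store, as an added PowerShell example; this is not part of the inmation documentation. The install path, the Windows service name and the file-permission step are assumptions and have to be adjusted to the installation at hand; the Create Certificate property still has to be disabled in DataStudio beforehand. The script also checks that the DER file parses and that the certificate actually belongs to the private key before anything is copied.

```powershell
# Added example, not inmation's own tooling. Converts the PEM key/certificate pair into
# PFX + DER and deploys both with the service prefix expected by the Connector ([conn])
# or Server Service ([server]). All defaults below are assumptions.
param(
    [Parameter(Mandatory)][ValidateSet('conn', 'server')][string]$Component,
    [string]$KeyPem       = 'requesting-party/private/TheRequestingParty.key.pem',
    [string]$CertPem      = 'requesting-party/certs/TheGrantedCertificate.pem',
    [string]$InmationRoot = 'C:\inmation.root',   # assumed install location
    [string]$ServiceName,                          # Windows service to restart (assumed, supply yours)
    [switch]$Restart
)

$ErrorActionPreference = 'Stop'
$prefix = "[$Component] "
$pfxOut = 'requesting-party/private/ua_client.key.pfx'
$derOut = 'requesting-party/certs/ua_client.cert.der'

# 1. Private key + certificate -> PKCS#12 (openssl prompts for the export password).
& openssl pkcs12 -inkey $KeyPem -in $CertPem -export -out $pfxOut
if ($LASTEXITCODE -ne 0) { throw 'openssl pkcs12 failed' }

# 2. Certificate PEM -> DER.
& openssl x509 -outform der -in $CertPem -out $derOut
if ($LASTEXITCODE -ne 0) { throw 'openssl x509 failed' }

# 3. Sanity checks before touching the store: the DER file must parse as one X.509
#    certificate, and its public key must be the one derived from the private key.
& openssl x509 -inform der -in $derOut -noout -subject -issuer -dates
if ($LASTEXITCODE -ne 0) { throw 'DER certificate does not parse' }
$certPub = (& openssl x509 -inform der -in $derOut -noout -pubkey) -join "`n"
$keyPub  = (& openssl pkey -in $KeyPem -pubout) -join "`n"
if ($certPub -ne $keyPub) { throw 'Certificate public key does not match the private key' }

# 4. Deploy. The store may hold at most one file per prefix and sub-folder, so refuse
#    to add a second one. The prefix contains square brackets, which PowerShell treats
#    as wildcard characters in -Path, hence -LiteralPath throughout.
$publicDir  = Join-Path $InmationRoot 'certificates\public'
$privateDir = Join-Path $InmationRoot 'certificates\private'
foreach ($dir in $publicDir, $privateDir) {
    $existing = Get-ChildItem -LiteralPath $dir -File | Where-Object { $_.Name.StartsWith($prefix) }
    if ($existing) {
        throw "Remove the existing '$prefix' file(s) in $dir first: $($existing.Name -join ', ')"
    }
}

# Copy, then rename with the prefix (mirrors the manual steps 2 and 3 above).
Copy-Item -LiteralPath $derOut -Destination $publicDir
Rename-Item -LiteralPath (Join-Path $publicDir 'ua_client.cert.der') -NewName ($prefix + 'ua_client.cert.der')
Copy-Item -LiteralPath $pfxOut -Destination $privateDir
$pfxDeployed = Join-Path $privateDir ($prefix + 'ua_client.key.pfx')
Rename-Item -LiteralPath (Join-Path $privateDir 'ua_client.key.pfx') -NewName ($prefix + 'ua_client.key.pfx')

# Lock the private key file down to SYSTEM (read) and Administrators (full). This assumes
# the component service runs as LocalSystem; grant the real service account instead if not.
& icacls $pfxDeployed /inheritance:r /grant '*S-1-5-18:(R)' /grant '*S-1-5-32-544:(F)'
if ($LASTEXITCODE -ne 0) { throw 'icacls failed' }

# 5. The component only re-reads its local certificate store on restart.
if ($Restart) {
    if (-not $ServiceName) { throw 'Supply -ServiceName to restart the component service' }
    Restart-Service -Name $ServiceName
}
```

Run it as `.\Deploy-UaClientCert.ps1 -Component conn -ServiceName <service> -Restart` from the directory that holds the requesting-party folder. The matching check in step 3 is the one worth keeping even if the rest is done by hand: a PFX whose certificate does not belong to the key is accepted silently by openssl and only fails later, at the first secure channel open.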

UA Server

If the UA server should be able to automatically validate the UA client certificate, the root certificate needs to be installed in its trusted certificate store. How this is done depends on the actual type of certificate store used by the UA server. A local directory store typically has a certs sub-folder where trusted certificates can be copied to. If the Windows certificate store is used, the root certificate can be installed by double-clicking on it.

Because a DER file holds exactly one certificate, it is not possible to create a single certificate chain file containing both the client certificate and its intermediate and / or root certificates, as one would with concatenated PEM files. If an intermediate CA was used, its certificate has to be made available to the UA server as a separate file as well, otherwise the chain up to the root cannot be built.