Secure Channel Certificates
Overview
In OPC UA, a Secure Channel is a logical connection between a client and server that secures communication by establishing a trusted environment for data exchange. It uses certificates and cryptographic keys to ensure confidentiality, integrity, and authentication of messages.
Certificate Trust and Setup Process
- The client sends its certificate to the server.
- The server checks whether the certificate is trusted:
  - If it is not trusted, the server rejects the connection.
  - An administrator must trust the client certificate manually by moving it from the rejected folder to the trusted folder in the server configuration.
- After the client certificate is trusted, the server sends its own certificate to the client.
- The client verifies the server certificate against its TrustStore.
If verification succeeds, a secure channel is established.
Import Server Certificate into a TrustStore
Save the server certificate in DER format (server-cert.der), then run the following command:

```bash
keytool -import -trustcacerts \
  -alias myservercert \
  -file server-cert.der \
  -keystore truststore.jks \
  -storepass changeit
```

This command adds the server certificate to a Java TrustStore named truststore.jks using the default password changeit. You can adjust the alias, filename, keystore name, or password as needed.
Generate Client Certificate and Keystore Using OpenSSL
The script below creates a self-signed client certificate whose subjectAltName carries the application URI "urn:snaplogic:opcua:client" (set through APP_URI), together with a PKCS#12 keystore holding the certificate and its private key.
- Create the script. Save the following script to a file, for example, generate_client_cert.sh:

```bash
#!/bin/bash
set -euo pipefail

# === Certificate Metadata ===
ORG_NAME="SnapLogic"
COMMON_NAME="SnapLogic OPC UA Client"
ORG_UNIT="Integration"
LOCALITY="San Mateo"
STATE="CA"
COUNTRY="US"
VALIDITY_DAYS=3650
PFX_PASSWORD="password"
PFX_ALIAS="client-ai"
APP_URI="urn:snaplogic:opcua:client"

# === Create OpenSSL Configuration ===
# The v3_req section carries the extensions an OPC UA server inspects:
# end-entity basicConstraints, signing/encipherment key usages, and the
# application URI as a subjectAltName entry.
cat > openssl_opcua.cnf <<EOL
[ req ]
default_bits = 2048
default_md = sha256
default_keyfile = private_key.pem
distinguished_name = req_distinguished_name
x509_extensions = v3_req
prompt = no

[ req_distinguished_name ]
C = $COUNTRY
ST = $STATE
L = $LOCALITY
O = $ORG_NAME
OU = $ORG_UNIT
CN = $COMMON_NAME

[ v3_req ]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
basicConstraints = CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
extendedKeyUsage = clientAuth, serverAuth
subjectAltName = @alt_names

[ alt_names ]
URI.1 = $APP_URI
EOL

# === Generate Private Key ===
openssl genpkey -algorithm RSA -out private_key.pem -pkeyopt rsa_keygen_bits:2048

# === Generate CSR ===
openssl req -new -key private_key.pem -out client.csr -config openssl_opcua.cnf

# === Generate Self-Signed Certificate (applies the v3_req extensions) ===
openssl x509 -req -days "$VALIDITY_DAYS" -in client.csr -signkey private_key.pem \
  -out client_cert.pem -extensions v3_req -extfile openssl_opcua.cnf

# === Export DER Format Certificate ===
openssl x509 -in client_cert.pem -outform der -out client_cert.der

# === Create PKCS#12 Keystore ===
openssl pkcs12 -export -out client_cert.pfx -inkey private_key.pem -in client_cert.pem \
  -name "$PFX_ALIAS" -password "pass:$PFX_PASSWORD"

# === Cleanup ===
rm client.csr openssl_opcua.cnf

# === Output Summary ===
echo "Client certificate and keystore created successfully:"
echo "  - Private Key      : private_key.pem"
echo "  - PEM Certificate  : client_cert.pem"
echo "  - DER Certificate  : client_cert.der"
echo "  - PKCS#12 Keystore : client_cert.pfx"
echo "    (Alias: $PFX_ALIAS, Password: $PFX_PASSWORD)"
```

- Run the script. Make the script executable and run it:

```bash
chmod +x generate_client_cert.sh
./generate_client_cert.sh
```
Output Artifacts
File Name | Description
---|---
private_key.pem | Private key for client authentication.
client_cert.pem | PEM-formatted self-signed certificate.
client_cert.der | DER-formatted certificate (binary).
client_cert.pfx | PKCS#12 keystore with the certificate and private key. Note: You must pass this file in the OPC UA Account.
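Before client_cert.der is moved into the server's trusted folder, it is worth confirming that the generated certificate carries what an OPC UA server actually inspects: the application URI as a subjectAltName entry, end-entity basicConstraints, the signing and encipherment key usages, and a current validity period. The shell functions below are an added example and are not part of the SnapLogic documentation or its generator script. They assume OpenSSL 1.1.1 or later on PATH; verify_opcua_client_cert takes the certificate path and the expected URI as arguments, and make_test_cert only produces throwaway self-signed certificates (with a constructed example URI) so the check can be exercised without the real client certificate.

```shell
#!/bin/bash
# Added example (not from the SnapLogic docs): verify that an OPC UA client
# certificate carries the attributes a server inspects before trusting it.
# Assumes OpenSSL 1.1.1+ on PATH. Paths and URIs are supplied by the caller.

# verify_opcua_client_cert CERT.pem EXPECTED_APP_URI
# Returns 0 if the certificate passes all checks, 1 otherwise (reason on stderr).
verify_opcua_client_cert() {
    local cert="$1" expected_uri="$2" text
    text=$(openssl x509 -in "$cert" -noout -text 2>/dev/null) \
        || { echo "FAIL: $cert is not a readable PEM certificate" >&2; return 1; }

    # 1. The application URI must appear as a URI entry in subjectAltName;
    #    OPC UA servers compare it with the ApplicationUri the client announces.
    #    Match the whole URI so "urn:x:client" does not accept "urn:x:client2".
    printf '%s\n' "$text" | grep -Eq "(^|[[:space:],])URI:${expected_uri}([[:space:],]|$)" \
        || { echo "FAIL: subjectAltName lacks URI:$expected_uri" >&2; return 1; }

    # 2. Must be an end-entity certificate, not a CA.
    printf '%s\n' "$text" | grep -q 'CA:FALSE' \
        || { echo "FAIL: basicConstraints is not CA:FALSE" >&2; return 1; }

    # 3. Key usage must allow signing and key encipherment, which the secure
    #    channel handshake relies on.
    for usage in 'Digital Signature' 'Key Encipherment'; do
        printf '%s\n' "$text" | grep -q "$usage" \
            || { echo "FAIL: keyUsage lacks $usage" >&2; return 1; }
    done

    # 4. The certificate must be inside its validity period right now.
    openssl x509 -in "$cert" -noout -checkend 0 >/dev/null 2>&1 \
        || { echo "FAIL: certificate has expired" >&2; return 1; }

    echo "OK: $cert carries URI:$expected_uri and the required extensions"
    return 0
}

# make_test_cert DIR APP_URI
# Creates a throwaway self-signed certificate in DIR (constructed test data)
# using the same extension layout as the generator script above.
make_test_cert() {
    local dir="$1" uri="$2"
    mkdir -p "$dir"
    cat > "$dir/openssl.cnf" <<EOF
[ req ]
default_md = sha256
distinguished_name = dn
prompt = no

[ dn ]
O = Example Corp
CN = Example OPC UA Client

[ v3_req ]
subjectKeyIdentifier = hash
basicConstraints = CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
extendedKeyUsage = clientAuth, serverAuth
subjectAltName = URI:$uri
EOF
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$dir/key.pem" 2>/dev/null \
        && openssl req -x509 -new -key "$dir/key.pem" -days 1 \
            -config "$dir/openssl.cnf" -extensions v3_req -out "$dir/cert.pem" 2>/dev/null
}
```

Against the output of the generator script, the check is run as `verify_opcua_client_cert client_cert.pem "urn:snaplogic:opcua:client"`; a non-zero exit with a FAIL line on stderr means the server would have grounds to reject the certificate (or the wrong file was picked up) before any trust-folder change is made.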