Creating Keystore and Truststore for OPC UA Account Configuration

Overview

OPC UA uses X.509 certificates for authentication on both the client and server sides. In OPC UA, a Secure Channel must be established between a client and a server for data exchange.

Key Steps

The following are the key steps involved in setting up OPC UA authentication:

Generate Keystore
Generate Truststore
Server and client trust (done at the backend)

Generate Keystore

To create the Keystore, you need to first generate the client certificate and keystore. The following script generates a self-signed client certificate and a private key, then packages them into a .pfx keystore (PKCS#12 format) for use with OPC UA clients.

Bash script

Important: Edit the values in the following script as required. However, you must ensure that the App URI is: "urn:snaplogic:opcua:client"

Create the script (for example, generate_client_cert.sh) and save the following script to a file:

#!/bin/bash

# === Certificate Metadata ===
ORG_NAME="SnapLogic"
COMMON_NAME="SnapLogic OPC UA Client"
ORG_UNIT="Integration"
LOCALITY="San Mateo"
STATE="CA"
COUNTRY="US"
VALIDITY_DAYS=3650
PFX_PASSWORD="password"
PFX_ALIAS="client-ai"
APP_URI="urn:snaplogic:opcua:client"

# === Create OpenSSL Configuration ===
cat > openssl_opcua.cnf <<EOL
[ req ]
default_bits       = 2048
default_md         = sha256
default_keyfile    = private_key.pem
distinguished_name = req_distinguished_name
x509_extensions    = v3_req
prompt             = no

[ req_distinguished_name ]
C  = $COUNTRY
ST = $STATE
L  = $LOCALITY
O  = $ORG_NAME
OU = $ORG_UNIT
CN = $COMMON_NAME

[ v3_req ]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
basicConstraints = CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
extendedKeyUsage = clientAuth, serverAuth
subjectAltName = @alt_names

[ alt_names ]
URI.1 = $APP_URI
EOL

# === Generate Private Key ===
openssl genpkey -algorithm RSA -out private_key.pem -pkeyopt rsa_keygen_bits:2048

# === Generate CSR ===
openssl req -new -key private_key.pem -out client.csr -config openssl_opcua.cnf

# === Generate Self-Signed Certificate ===
openssl x509 -req -days $VALIDITY_DAYS -in client.csr -signkey private_key.pem -out client_cert.pem -extensions v3_req -extfile openssl_opcua.cnf

# === Export DER Format Certificate ===
openssl x509 -in client_cert.pem -outform der -out client_cert.der

# === Create PKCS#12 Keystore ===
openssl pkcs12 -export -out client_cert.pfx -inkey private_key.pem -in client_cert.pem \
  -name $PFX_ALIAS -password pass:$PFX_PASSWORD

# === Cleanup ===
rm client.csr openssl_opcua.cnf

# === Output Summary ===
echo "Client certificate and keystore created successfully:"
echo " - Private Key        : private_key.pem"
echo " - PEM Certificate    : client_cert.pem"
echo " - DER Certificate    : client_cert.der"
echo " - PKCS#12 Keystore   : client_cert.pfx"
echo "   (Alias: $PFX_ALIAS, Password: $PFX_PASSWORD)"

Run the script. Make the script executable and run the following command:
```
chmod +x generate_client_cert.sh
./generate_client_cert.sh
```

After the script is run successfully, it generates a keystore file with .pfx extension. The following artifacts are generated:


File Name	Description
`private_key.pem`	Private key for client authentication.
`client_cert.pem`	PEM-formatted self-signed certificate.
`client_cert.der`	DER-formatted certificate (binary).
`client_cert.pfx`	PKCS#12 keystore with cert and private key. Use this file in the OPC UA Account configuration.

Generate a Server Certificate and add it to a TrustStore

Obtain the server’s certificate in DER format (server-cert.der).

Run the following command to import the server certificate:

keytool -import -trustcacerts \
-alias myservercert \
-file server-cert.der \
-keystore truststore.jks \
-storepass changeit

This command adds the server certificate to a Java TrustStore named truststore.jks using the default password changeit. You can adjust the alias, filename, keystore name, or password as needed. This truststore file can then be used in the OPC UA Account configuration.

Server and Client Certificate Trust

The certificate trust process occurs at the backend as follows:

The client sends its certificate to the server.
Server verifies if the certificate is trusted:
- If not trusted, the server rejects the connection.
- Admin must manually trust the client certificate by moving it from the rejected to the trusted folder in the server config.
After the client certificate is trusted, the server sends its certificate to the client.
Client verifies the server certificate against its Truststore.
If the verification is successful, a secure channel is established.

Note: This process is done at the backend. On servers without a UI for trust management, trust must be managed manually by moving certificates from the rejected to the trusted directories.