Secure Channel Certificates

Overview

In OPC UA, a Secure Channel is a logical connection between a client and a server. Each side presents an X.509 application instance certificate, and the certificates and their private keys are used to sign and, depending on the security policy and message security mode, encrypt every message, which gives the channel authentication, integrity, and confidentiality.

Certificate trust and setup process

  1. The client sends its application instance certificate to the server.
  2. The server checks whether the certificate is trusted:
    • If it is not trusted, the server rejects the connection and keeps a copy of the certificate in its rejected folder.
    • An administrator must then trust the client certificate explicitly, typically by moving it from the rejected folder to the trusted folder in the server's PKI configuration.
  3. Once the client certificate is trusted, the server sends its own certificate to the client.
  4. The client verifies the server certificate against its TrustStore.

    If verification succeeds, the secure channel is established.

Note: On servers without a UI for trust management, trust must be managed manually by moving certificates from the rejected directory to the trusted directory.
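The trust decision in steps 2 and 3 can be modelled with a few shell functions. This is an added example, not SnapLogic or OPC UA stack code: it assumes the common pki/trusted/certs and pki/rejected/certs directory layout and that certificates are stored under their SHA-1 thumbprint (the identifier OPC UA uses for a certificate). Real servers differ in layout and file naming, and the real input is the client_cert.der that the script below produces; the demo uses a constructed byte string in its place.

```shell
#!/bin/bash
# Added example (not SnapLogic / OPC UA stack code): a minimal model of the
# server-side trust decision and the admin's "move rejected -> trusted" step.
# Assumed layout: <pki>/trusted/certs and <pki>/rejected/certs, files named
# <THUMBPRINT>.der. OPC UA identifies a certificate by the SHA-1 of its DER bytes.

cert_thumbprint() {
  # Uppercase hex SHA-1 of the DER file, as most OPC UA tools display it.
  sha1sum "$1" | cut -d' ' -f1 | tr 'a-f' 'A-F'
}

# Server-side check (step 2): returns 0 if trusted; otherwise stores a copy in
# rejected/certs and returns 1, which is where the admin later finds it.
server_check_client_cert() {
  local pki="$1" der="$2" tp
  tp=$(cert_thumbprint "$der")
  mkdir -p "$pki/trusted/certs" "$pki/rejected/certs"
  if [ -f "$pki/trusted/certs/$tp.der" ]; then
    echo "trusted  $tp"; return 0
  fi
  cp "$der" "$pki/rejected/certs/$tp.der"
  echo "rejected $tp"; return 1
}

# Admin action (step 2, second bullet): promote a rejected certificate by thumbprint.
# Compare the thumbprint with the client owner out of band before doing this.
admin_trust_cert() {
  local pki="$1" tp="$2"
  [ -f "$pki/rejected/certs/$tp.der" ] || { echo "no rejected cert $tp" >&2; return 1; }
  mv "$pki/rejected/certs/$tp.der" "$pki/trusted/certs/$tp.der"
}

# Constructed demo: first contact is rejected, the admin trusts the thumbprint,
# the second contact succeeds. Returns 0 only if the flow behaves that way.
demo_trust_flow() {
  local pki tp
  pki=$(mktemp -d)
  printf 'constructed-client-cert-bytes' > "$pki/client_cert.der"   # stand-in for client_cert.der
  server_check_client_cert "$pki" "$pki/client_cert.der" && return 2  # must be rejected on first contact
  tp=$(cert_thumbprint "$pki/client_cert.der")
  admin_trust_cert "$pki" "$tp" || return 3
  server_check_client_cert "$pki" "$pki/client_cert.der"              # now trusted
}
```

The out-of-band thumbprint comparison in admin_trust_cert is the whole security of this step: moving every file that lands in rejected/ to trusted/ without checking who it belongs to turns the folder into an open door.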

Import server certificate into a TrustStore

To trust the OPC UA server, you must first obtain the server's certificate in DER format (server-cert.der), then run the following command:
keytool -import -trustcacerts \
  -alias myservercert \
  -file server-cert.der \
  -keystore truststore.jks \
  -storepass changeit

This command adds the server certificate to a Java TrustStore named truststore.jks using the password changeit (the JDK default for cacerts); adjust the alias, file name, keystore name, or password as needed. Before importing, confirm the certificate's fingerprint with the server administrator over a channel other than the connection itself (keytool -printcert -file server-cert.der prints it): importing an unverified certificate trusts whoever presented it, including anyone in the network path.

Generate Client Certificate and Keystore Using OpenSSL

The following Bash script generates a self-signed client certificate and private key and packages them into a .pfx keystore (PKCS#12 format) for use with OPC UA clients.
Note: Edit the metadata values in the script as required, but keep the application URI set to "urn:snaplogic:opcua:client". The URI is written into the certificate's subjectAltName, and the server checks it against the ApplicationUri the client presents when opening the channel; a mismatch is rejected even if the certificate is trusted.
  1. Create the script.
    1. Save the following script to a file, for example, generate_client_cert.sh:
      #!/bin/bash
      set -euo pipefail
      umask 077   # everything created below, the private key in particular, is readable by the owner only
      
      # === Certificate Metadata ===
      ORG_NAME="SnapLogic"
      COMMON_NAME="SnapLogic OPC UA Client"
      ORG_UNIT="Integration"
      LOCALITY="San Mateo"
      STATE="CA"
      COUNTRY="US"
      VALIDITY_DAYS=3650
      PFX_PASSWORD="password"   # change this; the same value is entered in the OPC UA Account
      PFX_ALIAS="client-ai"
      APP_URI="urn:snaplogic:opcua:client"   # do not change: the server matches it against the client's ApplicationUri
      
      # === Create OpenSSL Configuration ===
      cat > openssl_opcua.cnf <<EOL
      [ req ]
      default_bits       = 2048
      default_md         = sha256
      default_keyfile    = private_key.pem
      distinguished_name = req_distinguished_name
      x509_extensions    = v3_req
      prompt             = no
      
      [ req_distinguished_name ]
      C  = $COUNTRY
      ST = $STATE
      L  = $LOCALITY
      O  = $ORG_NAME
      OU = $ORG_UNIT
      CN = $COMMON_NAME
      
      # Extensions OPC UA expects on an application instance certificate
      [ v3_req ]
      subjectKeyIdentifier = hash
      authorityKeyIdentifier = keyid,issuer
      basicConstraints = CA:FALSE
      keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
      extendedKeyUsage = clientAuth, serverAuth
      subjectAltName = @alt_names
      
      [ alt_names ]
      URI.1 = $APP_URI
      EOL
      
      # === Generate Private Key (RSA 2048, the minimum for the Basic256Sha256 policy) ===
      openssl genpkey -algorithm RSA -out private_key.pem -pkeyopt rsa_keygen_bits:2048
      
      # === Generate CSR ===
      openssl req -new -key private_key.pem -out client.csr -config openssl_opcua.cnf
      
      # === Generate Self-Signed Certificate (v3_req adds the extensions above) ===
      openssl x509 -req -days "$VALIDITY_DAYS" -in client.csr -signkey private_key.pem -out client_cert.pem -extensions v3_req -extfile openssl_opcua.cnf
      
      # === Export DER Format Certificate (the file to place in the server's trusted folder) ===
      openssl x509 -in client_cert.pem -outform der -out client_cert.der
      
      # === Create PKCS#12 Keystore (certificate plus private key, used by the OPC UA Account) ===
      openssl pkcs12 -export -out client_cert.pfx -inkey private_key.pem -in client_cert.pem \
        -name "$PFX_ALIAS" -password "pass:$PFX_PASSWORD"
      
      # === Cleanup ===
      rm client.csr openssl_opcua.cnf
      
      # === Output Summary ===
      echo "Client certificate and keystore created successfully:"
      
      echo " - Private Key        : private_key.pem (keep this file secret)"
      echo " - PEM Certificate    : client_cert.pem"
      echo " - DER Certificate    : client_cert.der"
      echo " - PKCS#12 Keystore   : client_cert.pfx"
      echo "   (Alias: $PFX_ALIAS; password as set in PFX_PASSWORD)"
  2. Run the script.
    1. Make the script executable and run it:
      chmod +x generate_client_cert.sh
      ./generate_client_cert.sh

Output Artifacts

File Name          Description
private_key.pem    Private key for client authentication. Keep it secret; it is also embedded in the .pfx keystore.
client_cert.pem    PEM-formatted self-signed certificate.
client_cert.der    DER-formatted certificate (binary). This is the file to place in the server's trusted folder.
client_cert.pfx    PKCS#12 keystore containing the certificate and private key.
Note: You must pass this keystore (client_cert.pfx), with its alias and password, in the OPC UA Account.
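Before uploading the artifacts, check that they actually contain what the server will look for. The following shell functions are an added example, not part of the page's script or SnapLogic code; they assume openssl is on the PATH and take the file names, the expected application URI, and the keystore alias and password as arguments:

```shell
#!/bin/bash
# Added example (not SnapLogic code): sanity checks for the artifacts the script
# above produces. Requires openssl. Each function returns 0 only if every check
# passes and prints the first failing check otherwise.

check_opcua_client_cert() {
  local cert="$1" uri="$2" text bits
  text=$(openssl x509 -in "$cert" -noout -text) || { echo "unreadable: $cert"; return 1; }
  # 1. The application URI must be present as a URI subjectAltName; the server
  #    compares it with the ApplicationUri the client sends when opening the channel.
  printf '%s\n' "$text" | grep -q "URI:$uri" || { echo "missing SAN URI $uri"; return 1; }
  # 2. Key usage bits OPC UA expects on an application instance certificate.
  printf '%s\n' "$text" | grep -q 'Digital Signature, Non Repudiation, Key Encipherment, Data Encipherment' \
    || { echo "keyUsage incomplete"; return 1; }
  # 3. RSA 2048 or larger (needed for Basic256Sha256 and stronger policies).
  bits=$(printf '%s\n' "$text" | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p')
  [ "${bits:-0}" -ge 2048 ] || { echo "key too small: ${bits:-unknown} bits"; return 1; }
  # 4. Not already expired.
  openssl x509 -in "$cert" -noout -checkend 0 >/dev/null || { echo "certificate expired"; return 1; }
  return 0
}

check_pkcs12_alias() {
  # Confirms the .pfx opens with the given password and carries the alias
  # (friendlyName) that the account configuration refers to.
  local pfx="$1" pass="$2" alias="$3"
  openssl pkcs12 -in "$pfx" -info -nokeys -passin "pass:$pass" 2>/dev/null \
    | grep -q "friendlyName: $alias"
}
```

Usage on the script's output: `check_opcua_client_cert client_cert.pem urn:snaplogic:opcua:client && check_pkcs12_alias client_cert.pfx "$PFX_PASSWORD" client-ai`. A failing first check usually means the extensions were not applied (for example the -extfile argument was dropped), which the server reports only as a bad certificate.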