Create certificates

To generate an X.509 certificate the openssl command line tool can be used. This section describes the individual steps that are necessary to create certificates. It is assumed that the OPC UA Stack is installed in the ${HOME}/.ASNeG directory.

Create Self Signed Certificate

A self-signed certificate should only be used for test purposes. An OPC UA server can create a self-signed certificate itself during its first startup. Instructions for this can be found in the section manage certificates. How a self-signed certificate can be created with openssl is not described here.

Create CA Certificate

A CA certificate is not issued by the operator of the OPC UA server but by a certification authority. This section explains how a CA certificate can be generated by yourself. You can download the following shell script from here.

  1. Create the empty index.txt database used by openssl ca and set the environment variable for the openssl configuration file.
$ touch index.txt
$ export OPENSSL_CONF=${HOME}/.ASNeG/etc/OpcUaStack/ssl/openssl.cnf
  2. Create a Certificate Signing Request (CSR). Please change the subject parameters according to your needs. A CSR file and a private key file are generated.
$ openssl req -new \
    -nodes \
    -subj '/DC=127.0.0.1/CN=ASNeG CA/O=ASNeG/C=DE/ST=Neukirchen/L=Hessen/OU=ASNeG CA' \
    -keyout asneg_ca_key.pem \
    -out asneg_ca_req.pem
  3. Create the CA certificate in PEM format and DER format.
$ openssl ca -create_serial \
    -out ./asneg_ca_cert.pem \
    -days 3650 -batch \
    -keyfile asneg_ca_key.pem -selfsign \
    -extensions v3_ca \
    -infiles asneg_ca_req.pem
$ openssl x509 -outform der -in ./asneg_ca_cert.pem -out ./asneg_ca_cert.der
  4. Show the CA certificate details.
$ openssl x509 -inform der -in ./asneg_ca_cert.der -text

Create Intermediate Certificate

An Intermediate certificate is derived (signed) from a CA certificate and is used for grouping one or more Application certificates. This section explains how an Intermediate certificate can be generated by yourself. You can download the following shell script from here.

  1. Create the empty index.txt database used by openssl ca and set the environment variable for the openssl configuration file.
$ touch index.txt
$ export OPENSSL_CONF=${HOME}/.ASNeG/etc/OpcUaStack/ssl/openssl.cnf
  2. Create a Certificate Signing Request (CSR). Please change the subject parameters according to your needs. A CSR file and a private key file are generated. (The validity period is set when the certificate is signed in the next step; openssl req ignores -days without -x509, so it is not given here.)
$ openssl req -new \
    -nodes \
    -subj '/DC=127.0.0.1/CN=ASNeG IM/O=ASNeG/C=DE/ST=Neukirchen/L=Hessen/OU=ASNeG IM' \
    -keyout asneg_im_key.pem \
    -out asneg_im_req.pem
  3. Create the Intermediate certificate in PEM format and DER format. In practice, the Intermediate certificate is not created by the operator of the OPC UA server himself. In this case the Certificate Signing Request from the last step is passed to a certification authority, which uses it to create the Intermediate certificate.
$ openssl ca \
    -policy policy_anything \
    -days 3650 \
    -keyfile asneg_ca_key.pem \
    -extensions v3_ca \
    -cert asneg_ca_cert.pem \
    -out asneg_im_cert.pem \
    -infiles asneg_im_req.pem
$ openssl x509 -outform der -in ./asneg_im_cert.pem -out ./asneg_im_cert.der
  4. Show the Intermediate certificate details.
$ openssl x509 -inform der -in ./asneg_im_cert.der -text

Create Application Certificate

An Application certificate is derived (signed) from an Intermediate certificate or directly from a CA certificate. This section explains how an Application certificate can be generated by yourself. You can download the following shell script from here.

  1. Create the empty index.txt database used by openssl ca and set the environment variables for the openssl configuration file and the product name.
$ touch index.txt
$ export OPENSSL_CONF=${HOME}/.ASNeG/etc/OpcUaStack/ssl/openssl.cnf
$ export PRODUCT_NAME=APPL
  2. Create a Certificate Signing Request (CSR). Please change the subject parameters according to your needs. A CSR file and a private key file are generated. (The validity period is set when the certificate is signed in the next step; openssl req ignores -days without -x509, so it is not given here.)
$ openssl req -new \
    -nodes \
    -subj "/DC=127.0.0.1/CN=${PRODUCT_NAME}/O=ASNeG/C=DE/ST=Neukirchen/L=Hessen/OU=ASNeG Product" \
    -keyout asneg_product_key.pem \
    -out asneg_product_req.pem
  3. Create the Application certificate in PEM format and DER format.
$ openssl ca \
    -policy policy_anything \
    -days 3650 \
    -extensions demo-extension \
    -keyfile asneg_im_key.pem \
    -cert asneg_im_cert.pem \
    -out asneg_product_cert.pem \
    -infiles asneg_product_req.pem
$ openssl x509 -outform der -in ./asneg_product_cert.pem -out ./asneg_product_cert.der
  4. Show the Application certificate details.
$ openssl x509 -inform der -in ./asneg_product_cert.der -text
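As an added example (not part of this documentation and not one of the ASNeG shell scripts), the following POSIX sh functions check the outcome of the three sections above: that the Application certificate chains to the CA through the Intermediate, that only the CA and Intermediate certificates carry CA:TRUE, and that a private key really belongs to its certificate. The make_demo_chain helper, its file names and subjects are constructed test data that do not use the ASNeG openssl.cnf; the checks themselves take the asneg_*.pem files produced by the steps.

```shell
#!/bin/sh
# Added example, not from the ASNeG docs: sanity checks for a CA -> Intermediate
# -> Application chain such as the one built above, e.g.
#   verify_chain asneg_ca_cert.pem asneg_im_cert.pem asneg_product_cert.pem
# Requires the openssl command line tool (1.1.1 or newer).

# verify_chain CA IM APP: succeeds only if APP was signed by IM and IM by CA.
verify_chain() {
    openssl verify -CAfile "$1" -untrusted "$2" "$3" >/dev/null 2>&1
}

# is_ca CERT: succeeds if CERT carries basicConstraints CA:TRUE. Expected for
# the CA and Intermediate certificates, never for an Application certificate.
is_ca() {
    openssl x509 -in "$1" -noout -text 2>/dev/null |
        grep -A1 'Basic Constraints' | grep -q 'CA:TRUE'
}

# key_matches CERT KEY: succeeds if KEY is the private key behind CERT.
key_matches() {
    c=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    k=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ "$c" = "$k" ]
}

# make_demo_chain DIR: builds a throw-away CA -> IM -> APP chain in DIR using
# 'openssl x509 -req' with explicit extension files, so the checks above can be
# exercised without the ASNeG openssl.cnf. Constructed test data only; the file
# names and subjects are made up and are not the ones used by the ASNeG steps.
make_demo_chain() {
    d=$1
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' >"$d/ca.ext"
    printf 'basicConstraints=critical,CA:FALSE\nkeyUsage=critical,digitalSignature\n' >"$d/app.ext"
    for n in ca im app; do
        openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Demo $n" \
            -keyout "$d/$n.key" -out "$d/$n.csr" 2>/dev/null || return 1
    done
    openssl x509 -req -in "$d/ca.csr" -signkey "$d/ca.key" -days 30 \
        -extfile "$d/ca.ext" -out "$d/ca.pem" 2>/dev/null &&
    openssl x509 -req -in "$d/im.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" -CAcreateserial \
        -days 30 -extfile "$d/ca.ext" -out "$d/im.pem" 2>/dev/null &&
    openssl x509 -req -in "$d/app.csr" -CA "$d/im.pem" -CAkey "$d/im.key" -CAcreateserial \
        -days 30 -extfile "$d/app.ext" -out "$d/app.pem" 2>/dev/null
}
```

Running verify_chain without the Intermediate (or with the wrong one) fails with "unable to get local issuer certificate", which is the same error an OPC UA peer sees when the Intermediate is missing from its trust list.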