Manage certificates
===================

Use Self Signed Certificate
---------------------------

The simplest variant in OPC UA to use certificates is to use self signed certificates. A self signed certificate and the associated private key can be generated by the OPC UA server itself when it is started. If an application certificate already exists when the server is started, no new application certificate is generated. To set the right server configuration, the following steps must be done.

1. Stop the OPC UA server.

2. Activate the self signed configuration option. The OPC UA server will generate a self signed certificate the next time it is started.

   ::

      $ OpcUaCtrl4 appl_cert show ASNeG-Demo
      $ OpcUaCtrl4 self_signed_cert status ASNeG-Demo
      ASNeG-Demo deactive
      $ OpcUaCtrl4 self_signed_cert activate ASNeG-Demo
      $ OpcUaCtrl4 self_signed_cert status ASNeG-Demo
      ASNeG-Demo active

3. Start the OPC UA server.

4. Show the application certificate info.

   ::

      $ OpcUaCtrl4 appl_cert show ASNeG-Demo
      ASNeG-Demo: 17D25D23E7FC70C53A4B8436E26618BB0FC608CA/Trusted/2020-Aug-26 10:46:30/2025-Aug-25 12:46:29/ASNeG-Demo

Use Application Certificate
---------------------------

A second variant in OPC UA to use certificates is to upload an application certificate and the associated private key to the OPC UA server before starting the server. To upload an application certificate to the OPC UA server, the following steps must be done.

1. Stop the OPC UA server.

2. Delete the existing application certificate.

   ::

      $ OpcUaCtrl4 appl_cert del ASNeG-Demo
      $ OpcUaCtrl4 appl_cert show ASNeG-Demo

3. Upload the new application certificate and the associated private key. An example for creating certificates can be found in section :doc:`create certificates`.

   ::

      $ OpcUaCtrl4 appl_cert add ASNeG-Demo test_product_cert.der test_product_key.pem
      $ OpcUaCtrl4 appl_cert show ASNeG-Demo
      ASNeG-Demo: E3A69C8E0DDD0D97D953BE6D4300D927C366EFBE/Trusted/2020-Aug-12 15:25:25/2030-Aug-10 15:25:25/ASNeG-Demo

4. Start the OPC UA server.

Trust Client Certificate
------------------------

When establishing a connection between an OPC UA client and an OPC UA server, both communication endpoints exchange their application certificates (or certificate chains). An OPC UA communication endpoint only allows a communication connection if the partner application certificate is trustworthy. If the partner application certificate is unknown, the application certificate is saved (reject folder) and marked as untrusted. In this case, a connection between the two OPC UA communication endpoints cannot be opened. In order to allow the communication between the two OPC UA communication endpoints, the administrator of the OPC UA endpoint must trust the application certificate of the OPC UA communication partner. Thereafter, a connection between the two communication endpoints can be opened. The administrator must do the following things.

1. Start the OPC UA server.

2. The OPC UA client (UaExpert with Basic128Rsa15 Sign and Encrypt) connects to the OPC UA server. The client application certificate is unknown on the OPC UA server. The OPC UA server marks the client certificate as untrusted and does not allow the connection from the OPC UA client.

   ::

      $ OpcUaCtrl4 cert show ASNeG-Demo
      ASNeG-Demo: BEE21C8D015589EE4EC7B030E1B08A24EF48A4D7/Untrusted/2020-Aug-09 15:38:08/2025-Aug-08 15:38:08/UaExpert@devel

3. The administrator trusts the client application certificate.

   ::

      $ OpcUaCtrl4 cert trust ASNeG-Demo BEE21C8D015589EE4EC7B030E1B08A24EF48A4D7
      $ OpcUaCtrl4 cert show ASNeG-Demo
      ASNeG-Demo: BEE21C8D015589EE4EC7B030E1B08A24EF48A4D7/Trusted/2020-Aug-09 15:38:08/2025-Aug-08 15:38:08/UaExpert@devel

4. The OPC UA client (UaExpert with Basic128Rsa15 Sign and Encrypt) connects to the OPC UA server again. Now the connection between the OPC UA client and the OPC UA server is established.
Trust Client CA certificate
---------------------------

If an OPC UA endpoint trusts a CA certificate, all certificates derived from the CA certificate are also automatically trusted. This greatly simplifies the administrator's work. To upload and trust a CA certificate, the administrator must do the following things.

1. Upload and trust the CA certificate.

   ::

      $ OpcUaCtrl4 ca_cert add ASNeG-Demo asneg_ca_cert.der
      $ OpcUaCtrl4 ca_cert show ASNeG-Demo
      ASNeG-Demo: AF118A6B651B7B0C77D2AB592FFB0152ABBC9970/Trusted/2020-Aug-13 12:57:37/2030-Aug-11 12:57:37/ASNeG CA

Trust Client Intermediate Certificate
-------------------------------------

An intermediate certificate is used for the finer grouping of application certificates. If an OPC UA endpoint trusts an intermediate certificate, all certificates derived from the intermediate certificate are also automatically trusted. This greatly simplifies the administrator's work. To upload and trust an intermediate certificate, the administrator must do the following things.

1. Upload and trust the intermediate certificate.

   ::

      $ OpcUaCtrl4 im_cert show ASNeG-Demo
      ASNeG-Demo: BA74D2A8F1CAFC3205794325FD84D25E8921E956/Trusted/2020-Aug-13 12:51:06/2030-Aug-11 12:51:06/ASNeG IM
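Every ``show`` command on this page (``appl_cert``, ``cert``, ``ca_cert``, ``im_cert``) prints one record per certificate in the same ``<app>: <thumbprint>/<Trusted|Untrusted>/<not before>/<not after>/<subject>`` layout. The following Python script is an added example, not part of OpcUaStack4 or OpcUaCtrl4: it parses that output, lists certificates still waiting in the reject folder and those not valid or about to expire, and only builds a ``cert trust`` command when the shown thumbprint matches one the client operator reported out of band; the sample records (the first two copied from this page, the third made up) and the check time are constructed.

```python
import re
from datetime import datetime, timedelta

# One record per line, as printed by "OpcUaCtrl4 cert show" (appl_cert, ca_cert
# and im_cert show use the same layout):
#   <app>: <thumbprint>/<Trusted|Untrusted>/<not before>/<not after>/<subject>
RECORD_RE = re.compile(
    r"^(?P<app>[^:]+):\s*(?P<thumb>[0-9A-Fa-f]{40})/(?P<state>Trusted|Untrusted)/"
    r"(?P<nb>[^/]+)/(?P<na>[^/]+)/(?P<subject>.+)$"
)
TIME_FMT = "%Y-%b-%d %H:%M:%S"  # e.g. 2020-Aug-09 15:38:08

def parse_record(line):
    """Parse one 'show' line; return None for status lines, prompts or other noise."""
    m = RECORD_RE.match(line.strip())
    if not m:
        return None
    return {"app": m["app"], "thumbprint": m["thumb"].upper(),
            "trusted": m["state"] == "Trusted", "subject": m["subject"],
            "not_before": datetime.strptime(m["nb"], TIME_FMT),
            "not_after": datetime.strptime(m["na"], TIME_FMT)}

def review(lines, now_text, warn_days=30):
    """Return (untrusted, expiring): certificates still in the reject folder, and
    certificates not yet valid or expiring within warn_days of now_text."""
    now = datetime.strptime(now_text, TIME_FMT)
    untrusted, expiring = [], []
    for rec in filter(None, map(parse_record, lines)):
        if not rec["trusted"]:
            untrusted.append(rec)
        if now < rec["not_before"] or rec["not_after"] - now <= timedelta(days=warn_days):
            expiring.append(rec)
    return untrusted, expiring

def trust_command(app, shown_thumbprint, expected_thumbprint):
    """Build the 'cert trust' command only when the thumbprint in the reject folder
    matches the one the client operator reported out of band; otherwise None."""
    if shown_thumbprint.upper() != expected_thumbprint.upper():
        return None
    return f"OpcUaCtrl4 cert trust {app} {shown_thumbprint.upper()}"

# Constructed sample: the first two records are copied from this page, the third
# (placeholder thumbprint) is made up so that the expiry warning fires.
SAMPLE_LINES = [
    "ASNeG-Demo: BEE21C8D015589EE4EC7B030E1B08A24EF48A4D7/Untrusted/2020-Aug-09 15:38:08/2025-Aug-08 15:38:08/UaExpert@devel",
    "ASNeG-Demo: AF118A6B651B7B0C77D2AB592FFB0152ABBC9970/Trusted/2020-Aug-13 12:57:37/2030-Aug-11 12:57:37/ASNeG CA",
    "ASNeG-Demo: " + "0" * 39 + "1/Trusted/2020-Aug-01 00:00:00/2025-Aug-01 00:00:00/demo-client",
]
CHECK_TIME = "2025-Jul-20 00:00:00"  # constructed reference time for the sample
```

Run ``review(SAMPLE_LINES, CHECK_TIME)`` to get the two lists; feeding it the real output of ``OpcUaCtrl4 cert show`` gives the same report for a live server.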