OPC UA 连接策略

客户端登录方式

  • 匿名方式

    OPC UA 服务端需要开启匿名登录选项。

    Neuron OPC UA 模块无需设置用户名/密码和证书/密钥。

  • 用户名/密码方式

    OPC UA 服务端已经创建好具备访问权限的用户名/密码。

    Neuron OPC UA 模块填写对应的用户名/密码,无需添加证书/密钥。

  • 证书/密钥 + 匿名方式

    OPC UA 服务端开启合适的安全设置,添加客户端证书到信任列表,并且开启匿名登录。

    Neuron OPC UA 模块添加对应的客户端证书/密钥,无需填写用户名/密码。

  • 证书/密钥 + 用户名/密码方式

    OPC UA 服务端已经创建好具备访问权限的用户名/密码,开启合适的安全设置,并添加客户端证书到信任列表。

    Neuron OPC UA 模块添加对应的用户名/密码,添加对应的客户端证书/密钥。

客户端证书要求

OPC UA 可通过用户自签名证书登录到 OPC UA 服务器,Certificate 和 Key 必须满足以下条件:

  • CERTIFICATE 和 KEYFILE 必须同时设置;

  • Certificate 必须以 X.509v3 标准生成;

  • Certficate 的 SAN 字段必须包含 URI:urn:xxx.xxx.xxxxxx 为自定义部分;

  • Certificate 文件和 Key 文件必须使用 DER 格式编码。

TIP

证书文件可以提前导入到目标服务器中并设置为信任,也可以由 Neuron 设置后自动提交再由服务端设置为信任。

客户端证书/密钥转换

可以通过以下步骤和命令将 PEM 证书以及私钥转换为 DER 格式。

  1. 将包括-----BEGIN CERTIFICATE----------END CERTIFICATE-----的所有内容保存为 1.crt;

  2. 将包括-----BEGIN PRIVATE KEY----------END PRIVATE KEY-----的所有内容保存为 1.key;

  3. 执行如下命令:

sh

  1. $ openssl x509 -in 1.crt -outform der -out cert.der
  2. $ openssl rsa -inform PEM -in 1.key -outform DER -out key.der

客户端证书/密钥生成

Windows、Linux 和 Mac OS 系统下的生成方式一致。

sh

  1. $ openssl req -config localhost.cnf -new -nodes -x509 -sha256 -newkey rsa:2048 -keyout localhost.key -days 365 -subj "/C=DE/O=neuron/CN=NeuronClient@localhost" -out localhost.crt
  2. $ openssl x509 -in localhost.crt -outform der -out client_cert.der
  3. openssl rsa -inform PEM -in localhost.key -outform DER -out client_key.der
  4. $ rm localhost.crt
  5. $ rm localhost.key

-days 可以根据需要设置数值。

-config 指定的 *.cnf 文件可以使用下一节的文件附件 localhost.cnf 进行修改,需包含如下配置节:

sh

  1. [ v3_req ]
  2. # Extensions to add to a certificate request
  3. basicConstraints = CA:FALSE
  4. keyUsage = nonRepudiation, digitalSignature, keyEncipherment
  5. subjectAltName = @alt_names
  6. [ alt_names ]
  7. URI.1 = urn:xxx.xxx.xxx
  8. DNS.1 = localhost
  9. #DNS.2 = localhost
  10. IP.1 = 127.0.0.1
  11. #IP.2 = 0.0.0.0

文件附件 localhost.cnf

以下为 OpenSSL 配置文件示例,其中定义了用于一些用于生成证书请求、证书签发、时间戳颁发者(TSA)、证书吊销列表(CRL)等操作的参数。

sh

  1. #
  2. # OpenSSL example configuration file.
  3. # This is mostly being used for generation of certificate requests.
  4. #
  5. # This definition stops the following lines choking if HOME isn't
  6. # defined.
  7. HOME = .
  8. RANDFILE = $ENV::HOME/.rnd
  9. # Extra OBJECT IDENTIFIER info:
  10. #oid_file = $ENV::HOME/.oid
  11. oid_section = new_oids
  12. # To use this configuration file with the "-extfile" option of the
  13. # "openssl x509" utility, name here the section containing the
  14. # X.509v3 extensions to use:
  15. # extensions =
  16. # (Alternatively, use a configuration file that has only
  17. # X.509v3 extensions in its main [= default] section.)
  18. [ new_oids ]
  19. # We can add new OIDs in here for use by 'ca', 'req' and 'ts'.
  20. # Add a simple OID like this:
  21. # testoid1=1.2.3.4
  22. # Or use config file substitution like this:
  23. # testoid2=${testoid1}.5.6
  24. # Policies used by the TSA examples.
  25. tsa_policy1 = 1.2.3.4.1
  26. tsa_policy2 = 1.2.3.4.5.6
  27. tsa_policy3 = 1.2.3.4.5.7
  28. ####################################################################
  29. [ ca ]
  30. default_ca = CA_default # The default ca section
  31. ####################################################################
  32. [ CA_default ]
  33. dir = ./ca/ # Where everything is kept
  34. certs = $dir/certs # Where the issued certs are kept
  35. crl_dir = $dir/crl # Where the issued crl are kept
  36. database = $dir/database.txt # database index file.
  37. #unique_subject = no # Set to 'no' to allow creation of
  38. # several ctificates with same subject.
  39. new_certs_dir = $dir/newcerts # default place for new certs.
  40. certificate = $dir/ca.crt # The CA certificate
  41. serial = $dir/serial # The current serial number
  42. crlnumber = $dir/crlnumber # the current crl number
  43. # must be commented out to leave a V1 CRL
  44. crl = $dir/crl.pem # The current CRL
  45. private_key = $dir/ca.key # The private key
  46. RANDFILE = $dir/.rand # private random number file
  47. x509_extensions = usr_cert # The extensions to add to the cert
  48. # Comment out the following two lines for the "traditional"
  49. # (and highly broken) format.
  50. name_opt = ca_default # Subject Name options
  51. cert_opt = ca_default # Certificate field options
  52. # Extension copying option: use with caution.
  53. # copy_extensions = copy
  54. # Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs
  55. # so this is commented out by default to leave a V1 CRL.
  56. # crlnumber must also be commented out to leave a V1 CRL.
  57. crl_extensions = crl_ext
  58. default_days = 365 # how long to certify for
  59. default_crl_days= 30 # how long before next CRL
  60. default_md = default # use public key default MD
  61. preserve = no # keep passed DN ordering
  62. # A few difference way of specifying how similar the request should look
  63. # For type CA, the listed attributes must be the same, and the optional
  64. # and supplied fields are just that :-)
  65. policy = policy_match
  66. # For the CA policy
  67. [ policy_match ]
  68. countryName = match
  69. stateOrProvinceName = match
  70. organizationName = match
  71. organizationalUnitName = optional
  72. commonName = supplied
  73. emailAddress = optional
  74. # For the 'anything' policy
  75. # At this point in time, you must list all acceptable 'object'
  76. # types.
  77. [ policy_anything ]
  78. countryName = optional
  79. stateOrProvinceName = optional
  80. localityName = optional
  81. organizationName = optional
  82. organizationalUnitName = optional
  83. commonName = supplied
  84. emailAddress = optional
  85. ####################################################################
  86. [ req ]
  87. default_bits = 2048
  88. default_keyfile = privkey.pem
  89. distinguished_name = req_distinguished_name
  90. attributes = req_attributes
  91. x509_extensions = v3_ca # The extensions to add to the self signed cert
  92. # Passwords for private keys if not present they will be prompted for
  93. # input_password = secret
  94. # output_password = secret
  95. # This sets a mask for permitted string types. There are several options.
  96. # default: PrintableString, T61String, BMPString.
  97. # pkix : PrintableString, BMPString (PKIX recommendation before 2004)
  98. # utf8only: only UTF8Strings (PKIX recommendation after 2004).
  99. # nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings).
  100. # MASK:XXXX a literal mask value.
  101. # WARNING: ancient versions of Netscape crash on BMPStrings or UTF8Strings.
  102. string_mask = utf8only
  103. req_extensions = v3_req # The extensions to add to a certificate request
  104. [ req_distinguished_name ]
  105. countryName = Country Name (2 letter code)
  106. countryName_default = AU
  107. countryName_min = 2
  108. countryName_max = 2
  109. stateOrProvinceName = State or Province Name (full name)
  110. stateOrProvinceName_default = Some-State
  111. localityName = Locality Name (eg, city)
  112. 0.organizationName = Organization Name (eg, company)
  113. 0.organizationName_default = Internet Widgits Pty Ltd
  114. # we can do this but it is not needed normally :-)
  115. #1.organizationName = Second Organization Name (eg, company)
  116. #1.organizationName_default = World Wide Web Pty Ltd
  117. organizationalUnitName = Organizational Unit Name (eg, section)
  118. #organizationalUnitName_default =
  119. commonName = Common Name (e.g. server FQDN or YOUR name)
  120. commonName_max = 64
  121. emailAddress = Email Address
  122. emailAddress_max = 64
  123. # SET-ex3 = SET extension number 3
  124. [ req_attributes ]
  125. challengePassword = A challenge password
  126. challengePassword_min = 4
  127. challengePassword_max = 20
  128. unstructuredName = An optional company name
  129. [ usr_cert ]
  130. # These extensions are added when 'ca' signs a request.
  131. # This goes against PKIX guidelines but some CAs do it and some software
  132. # requires this to avoid interpreting an end user certificate as a CA.
  133. basicConstraints=CA:FALSE
  134. # Here are some examples of the usage of nsCertType. If it is omitted
  135. # the certificate can be used for anything *except* object signing.
  136. # This is OK for an SSL server.
  137. # nsCertType = server
  138. # For an object signing certificate this would be used.
  139. # nsCertType = objsign
  140. # For normal client use this is typical
  141. # nsCertType = client, email
  142. # and for everything including object signing:
  143. # nsCertType = client, email, objsign
  144. # This is typical in keyUsage for a client certificate.
  145. # keyUsage = nonRepudiation, digitalSignature, keyEncipherment
  146. # This will be displayed in Netscape's comment listbox.
  147. nsComment = "OpenSSL Generated Certificate"
  148. # PKIX recommendations harmless if included in all certificates.
  149. subjectKeyIdentifier=hash
  150. authorityKeyIdentifier=keyid,issuer
  151. # This stuff is for subjectAltName and issuerAltname.
  152. # Import the email address.
  153. # subjectAltName=email:copy
  154. # An alternative to produce certificates that aren't
  155. # deprecated according to PKIX.
  156. # subjectAltName=email:move
  157. # Copy subject details
  158. # issuerAltName=issuer:copy
  159. #nsCaRevocationUrl = http://www.domain.dom/ca-crl.pem
  160. #nsBaseUrl
  161. #nsRevocationUrl
  162. #nsRenewalUrl
  163. #nsCaPolicyUrl
  164. #nsSslServerName
  165. # This is required for TSA certificates.
  166. extendedKeyUsage = critical,timeStamping
  167. [ v3_req ]
  168. # Extensions to add to a certificate request
  169. basicConstraints = CA:FALSE
  170. keyUsage = nonRepudiation, digitalSignature, keyEncipherment
  171. subjectAltName = @alt_names
  172. [ alt_names ]
  173. URI.1 = urn:neuron.client.application
  174. DNS.1 = localhost
  175. #DNS.2 = localhost
  176. IP.1 = 127.0.0.1
  177. #IP.2 = 0.0.0.0
  178. [ v3_ca ]
  179. # Extensions for a typical CA
  180. # PKIX recommendation.
  181. subjectKeyIdentifier=hash
  182. authorityKeyIdentifier=keyid:always,issuer
  183. # This is what PKIX recommends but some broken software chokes on critical
  184. # extensions.
  185. #basicConstraints = critical,CA:true
  186. # So we do this instead.
  187. basicConstraints = CA:false
  188. # Key usage: this is typical for a CA certificate. However since it will
  189. # prevent it being used as an test self-signed certificate it is best
  190. # left out by default.
  191. # keyUsage = cRLSign, keyCertSign
  192. keyUsage = nonRepudiation, digitalSignature, keyEncipherment, dataEncipherment, keyCertSign
  193. extendedKeyUsage = TLS Web Server Authentication, TLS Web Client Authentication
  194. # Some might want this also
  195. # nsCertType = sslCA, emailCA
  196. # Include email address in subject alt name: another PKIX recommendation
  197. # subjectAltName=email:copy
  198. # Copy issuer details
  199. # issuerAltName=issuer:copy
  200. # DER hex encoding of an extension: beware experts only!
  201. # obj=DER:02:03
  202. # Where 'obj' is a standard or added object
  203. # You can even override a supported extension:
  204. # basicConstraints= critical, DER:30:03:01:01:FF
  205. subjectAltName = @alt_names
  206. [ crl_ext ]
  207. # CRL extensions.
  208. # Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.
  209. # issuerAltName=issuer:copy
  210. authorityKeyIdentifier=keyid:always
  211. [ proxy_cert_ext ]
  212. # These extensions should be added when creating a proxy certificate
  213. # This goes against PKIX guidelines but some CAs do it and some software
  214. # requires this to avoid interpreting an end user certificate as a CA.
  215. basicConstraints=CA:FALSE
  216. # Here are some examples of the usage of nsCertType. If it is omitted
  217. # the certificate can be used for anything *except* object signing.
  218. # This is OK for an SSL server.
  219. # nsCertType = server
  220. # For an object signing certificate this would be used.
  221. # nsCertType = objsign
  222. # For normal client use this is typical
  223. # nsCertType = client, email
  224. # and for everything including object signing:
  225. # nsCertType = client, email, objsign
  226. # This is typical in keyUsage for a client certificate.
  227. # keyUsage = nonRepudiation, digitalSignature, keyEncipherment
  228. # This will be displayed in Netscape's comment listbox.
  229. nsComment = "OpenSSL Generated Certificate"
  230. # PKIX recommendations harmless if included in all certificates.
  231. subjectKeyIdentifier=hash
  232. authorityKeyIdentifier=keyid,issuer
  233. # This stuff is for subjectAltName and issuerAltname.
  234. # Import the email address.
  235. # subjectAltName=email:copy
  236. # An alternative to produce certificates that aren't
  237. # deprecated according to PKIX.
  238. # subjectAltName=email:move
  239. # Copy subject details
  240. # issuerAltName=issuer:copy
  241. #nsCaRevocationUrl = http://www.domain.dom/ca-crl.pem
  242. #nsBaseUrl
  243. #nsRevocationUrl
  244. #nsRenewalUrl
  245. #nsCaPolicyUrl
  246. #nsSslServerName
  247. # This really needs to be in place for it to be a proxy certificate.
  248. proxyCertInfo=critical,language:id-ppl-anyLanguage,pathlen:3,policy:foo
  249. ####################################################################
  250. [ tsa ]
  251. default_tsa = tsa_config1 # the default TSA section
  252. [ tsa_config1 ]
  253. # These are used by the TSA reply generation only.
  254. dir = ./demoCA # TSA root directory
  255. serial = $dir/tsaserial # The current serial number (mandatory)
  256. crypto_device = builtin # OpenSSL engine to use for signing
  257. signer_cert = $dir/tsacert.pem # The TSA signing certificate
  258. # (optional)
  259. certs = $dir/cacert.pem # Certificate chain to include in reply
  260. # (optional)
  261. signer_key = $dir/private/tsakey.pem # The TSA private key (optional)
  262. default_policy = tsa_policy1 # Policy if request did not specify it
  263. # (optional)
  264. other_policies = tsa_policy2, tsa_policy3 # acceptable policies (optional)
  265. digests = md5, sha1 # Acceptable message digests (mandatory)
  266. accuracy = secs:1, millisecs:500, microsecs:100 # (optional)
  267. clock_precision_digits = 0 # number of digits after dot. (optional)
  268. ordering = yes # Is ordering defined for timestamps?
  269. # (optional, default: no)
  270. tsa_name = yes # Must the TSA name be included in the reply?
  271. # (optional, default: no)
  272. ess_cert_id_chain = no # Must the ESS cert id chain be included?
  273. # (optional, default: no)