OPC UA 连接策略

客户端登录方式

  • 匿名方式

    OPC UA 服务端需要开启匿名登录选项。

    Neuron OPC UA 模块无需设置用户名/密码和证书/密钥。

  • 用户名/密码方式

    OPC UA 服务端已经创建好具备访问权限的用户名/密码。

    Neuron OPC UA 模块填写对应的用户名/密码,无需添加证书/密钥。

  • 证书/密钥 + 匿名方式

    OPC UA 服务端开启合适的安全设置,添加客户端证书到信任列表,并且开启匿名登录。

    Neuron OPC UA 模块添加对应的客户端证书/密钥,无需填写用户名/密码。

  • 证书/密钥 + 用户名/密码方式

    OPC UA 服务端已经创建好具备访问权限的用户名/密码,开启合适的安全设置,并添加客户端证书到信任列表。

    Neuron OPC UA 模块添加对应的用户名/密码,添加对应的客户端证书/密钥。

客户端证书要求

OPC UA 可通过用户自签名证书登录到 OPC UA 服务器,Certificate 和 Key 必须满足以下条件:

  • CERTIFICATE 和 KEYFILE 必须同时设置;

  • Certificate 必须以 X.509v3 标准生成;

  • Certficate 的 SAN 字段必须包含 URI:urn:xxx.xxx.xxxxxx 为自定义部分;

  • Certificate 文件和 Key 文件必须使用 DER 格式编码。

TIP

证书文件可以提前导入到目标服务器中并设置为信任,也可以由 Neuron 设置后自动提交再由服务端设置为信任。

客户端证书/密钥转换

可以通过以下步骤和命令将 PEM 证书以及私钥转换为 DER 格式。

  1. 将包括-----BEGIN CERTIFICATE----------END CERTIFICATE-----的所有内容保存为 1.crt;

  2. 将包括-----BEGIN PRIVATE KEY----------END PRIVATE KEY-----的所有内容保存为 1.key;

  3. 执行如下命令:

sh

  1. $ openssl x509 -in 1.crt -outform der -out cert.der   
  2. $ openssl rsa -inform PEM -in 1.key -outform DER -out key.der

客户端证书/密钥生成

Windows、Linux 和 Mac OS 系统下的生成方式一致。

sh

  1. $ openssl req -config localhost.cnf -new -nodes -x509 -sha256 -newkey rsa:2048 -keyout localhost.key -days 365 -subj "/C=DE/O=neuron/CN=NeuronClient@localhost" -out localhost.crt
  2. $ openssl x509 -in localhost.crt -outform der -out client_cert.der
  3. openssl rsa -inform PEM -in localhost.key -outform DER -out client_key.der
  4. $ rm localhost.crt
  5. $ rm localhost.key

-days 可以根据需要设置数值。

-config 指定的 *.cnf 文件可以使用下一节的文件附件 localhost.cnf 进行修改,需包含如下配置节:

sh

  1. [ v3_req ]
  3. # Extensions to add to a certificate request
  5. basicConstraints = CA:FALSE
  6. keyUsage = nonRepudiation, digitalSignature, keyEncipherment
  7. subjectAltName = @alt_names
  9. [ alt_names ]
  10. URI.1 = urn:xxx.xxx.xxx
  11. DNS.1 = localhost
  12. #DNS.2 = localhost
  13. IP.1 = 127.0.0.1
  14. #IP.2 = 0.0.0.0

文件附件 localhost.cnf

以下为 OpenSSL 配置文件示例,其中定义了用于一些用于生成证书请求、证书签发、时间戳颁发者(TSA)、证书吊销列表(CRL)等操作的参数。

sh

  1. #
  2. # OpenSSL example configuration file.
  3. # This is mostly being used for generation of certificate requests.
  4. #
  6. # This definition stops the following lines choking if HOME isn't
  7. # defined.
  8. HOME            = .
  9. RANDFILE        = $ENV::HOME/.rnd
  11. # Extra OBJECT IDENTIFIER info:
  12. #oid_file        = $ENV::HOME/.oid
  13. oid_section        = new_oids
  15. # To use this configuration file with the "-extfile" option of the
  16. # "openssl x509" utility, name here the section containing the
  17. # X.509v3 extensions to use:
  18. # extensions        = 
  19. # (Alternatively, use a configuration file that has only
  20. # X.509v3 extensions in its main [= default] section.)
  22. [ new_oids ]
  24. # We can add new OIDs in here for use by 'ca', 'req' and 'ts'.
  25. # Add a simple OID like this:
  26. # testoid1=1.2.3.4
  27. # Or use config file substitution like this:
  28. # testoid2=${testoid1}.5.6
  30. # Policies used by the TSA examples.
  31. tsa_policy1 = 1.2.3.4.1
  32. tsa_policy2 = 1.2.3.4.5.6
  33. tsa_policy3 = 1.2.3.4.5.7
  35. ####################################################################
  36. [ ca ]
  37. default_ca    = CA_default        # The default ca section
  39. ####################################################################
  40. [ CA_default ]
  42. dir        = ./ca/            # Where everything is kept
  43. certs        = $dir/certs        # Where the issued certs are kept
  44. crl_dir        = $dir/crl        # Where the issued crl are kept
  45. database    = $dir/database.txt    # database index file.
  46. #unique_subject    = no            # Set to 'no' to allow creation of
  47.                     # several ctificates with same subject.
  48. new_certs_dir    = $dir/newcerts        # default place for new certs.
  50. certificate    = $dir/ca.crt         # The CA certificate
  51. serial        = $dir/serial         # The current serial number
  52. crlnumber    = $dir/crlnumber    # the current crl number
  53.                     # must be commented out to leave a V1 CRL
  54. crl        = $dir/crl.pem         # The current CRL
  55. private_key    = $dir/ca.key         # The private key
  56. RANDFILE    = $dir/.rand        # private random number file
  58. x509_extensions    = usr_cert        # The extensions to add to the cert
  60. # Comment out the following two lines for the "traditional"
  61. # (and highly broken) format.
  62. name_opt     = ca_default        # Subject Name options
  63. cert_opt     = ca_default        # Certificate field options
  65. # Extension copying option: use with caution.
  66. # copy_extensions = copy
  68. # Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs
  69. # so this is commented out by default to leave a V1 CRL.
  70. # crlnumber must also be commented out to leave a V1 CRL.
  71. crl_extensions    = crl_ext
  73. default_days    = 365            # how long to certify for
  74. default_crl_days= 30            # how long before next CRL
  75. default_md    = default        # use public key default MD
  76. preserve    = no            # keep passed DN ordering
  78. # A few difference way of specifying how similar the request should look
  79. # For type CA, the listed attributes must be the same, and the optional
  80. # and supplied fields are just that :-)
  81. policy        = policy_match
  83. # For the CA policy
  84. [ policy_match ]
  85. countryName        = match
  86. stateOrProvinceName    = match
  87. organizationName    = match
  88. organizationalUnitName    = optional
  89. commonName        = supplied
  90. emailAddress        = optional
  92. # For the 'anything' policy
  93. # At this point in time, you must list all acceptable 'object'
  94. # types.
  95. [ policy_anything ]
  96. countryName        = optional
  97. stateOrProvinceName    = optional
  98. localityName        = optional
  99. organizationName    = optional
  100. organizationalUnitName    = optional
  101. commonName        = supplied
  102. emailAddress        = optional
  104. ####################################################################
  105. [ req ]
  106. default_bits        = 2048
  107. default_keyfile     = privkey.pem
  108. distinguished_name    = req_distinguished_name
  109. attributes        = req_attributes
  110. x509_extensions    = v3_ca    # The extensions to add to the self signed cert
  112. # Passwords for private keys if not present they will be prompted for
  113. # input_password = secret
  114. # output_password = secret
  116. # This sets a mask for permitted string types. There are several options. 
  117. # default: PrintableString, T61String, BMPString.
  118. # pkix     : PrintableString, BMPString (PKIX recommendation before 2004)
  119. # utf8only: only UTF8Strings (PKIX recommendation after 2004).
  120. # nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings).
  121. # MASK:XXXX a literal mask value.
  122. # WARNING: ancient versions of Netscape crash on BMPStrings or UTF8Strings.
  123. string_mask = utf8only
  125. req_extensions = v3_req # The extensions to add to a certificate request
  127. [ req_distinguished_name ]
  128. countryName            = Country Name (2 letter code)
  129. countryName_default        = AU
  130. countryName_min            = 2
  131. countryName_max            = 2
  133. stateOrProvinceName        = State or Province Name (full name)
  134. stateOrProvinceName_default    = Some-State
  136. localityName            = Locality Name (eg, city)
  138. 0.organizationName        = Organization Name (eg, company)
  139. 0.organizationName_default    = Internet Widgits Pty Ltd
  141. # we can do this but it is not needed normally :-)
  142. #1.organizationName        = Second Organization Name (eg, company)
  143. #1.organizationName_default    = World Wide Web Pty Ltd
  145. organizationalUnitName        = Organizational Unit Name (eg, section)
  146. #organizationalUnitName_default    =
  148. commonName            = Common Name (e.g. server FQDN or YOUR name)
  149. commonName_max            = 64
  151. emailAddress            = Email Address
  152. emailAddress_max        = 64
  154. # SET-ex3            = SET extension number 3
  156. [ req_attributes ]
  157. challengePassword        = A challenge password
  158. challengePassword_min        = 4
  159. challengePassword_max        = 20
  161. unstructuredName        = An optional company name
  163. [ usr_cert ]
  165. # These extensions are added when 'ca' signs a request.
  167. # This goes against PKIX guidelines but some CAs do it and some software
  168. # requires this to avoid interpreting an end user certificate as a CA.
  170. basicConstraints=CA:FALSE
  172. # Here are some examples of the usage of nsCertType. If it is omitted
  173. # the certificate can be used for anything *except* object signing.
  175. # This is OK for an SSL server.
  176. # nsCertType            = server
  178. # For an object signing certificate this would be used.
  179. # nsCertType = objsign
  181. # For normal client use this is typical
  182. # nsCertType = client, email
  184. # and for everything including object signing:
  185. # nsCertType = client, email, objsign
  187. # This is typical in keyUsage for a client certificate.
  188. # keyUsage = nonRepudiation, digitalSignature, keyEncipherment
  190. # This will be displayed in Netscape's comment listbox.
  191. nsComment            = "OpenSSL Generated Certificate"
  193. # PKIX recommendations harmless if included in all certificates.
  194. subjectKeyIdentifier=hash
  195. authorityKeyIdentifier=keyid,issuer
  197. # This stuff is for subjectAltName and issuerAltname.
  198. # Import the email address.
  199. # subjectAltName=email:copy
  200. # An alternative to produce certificates that aren't
  201. # deprecated according to PKIX.
  202. # subjectAltName=email:move
  204. # Copy subject details
  205. # issuerAltName=issuer:copy
  207. #nsCaRevocationUrl        = http://www.domain.dom/ca-crl.pem
  208. #nsBaseUrl
  209. #nsRevocationUrl
  210. #nsRenewalUrl
  211. #nsCaPolicyUrl
  212. #nsSslServerName
  214. # This is required for TSA certificates.
  215. extendedKeyUsage = critical,timeStamping
  217. [ v3_req ]
  219. # Extensions to add to a certificate request
  221. basicConstraints = CA:FALSE
  222. keyUsage = nonRepudiation, digitalSignature, keyEncipherment
  223. subjectAltName = @alt_names
  225. [ alt_names ]
  226. URI.1 = urn:neuron.client.application
  227. DNS.1 = localhost
  228. #DNS.2 = localhost
  229. IP.1 = 127.0.0.1
  230. #IP.2 = 0.0.0.0
  232. [ v3_ca ]
  235. # Extensions for a typical CA
  238. # PKIX recommendation.
  240. subjectKeyIdentifier=hash
  242. authorityKeyIdentifier=keyid:always,issuer
  244. # This is what PKIX recommends but some broken software chokes on critical
  245. # extensions.
  246. #basicConstraints = critical,CA:true
  247. # So we do this instead.
  248. basicConstraints = CA:false
  250. # Key usage: this is typical for a CA certificate. However since it will
  251. # prevent it being used as an test self-signed certificate it is best
  252. # left out by default.
  253. # keyUsage = cRLSign, keyCertSign
  255. keyUsage = nonRepudiation, digitalSignature, keyEncipherment, dataEncipherment, keyCertSign
  256. extendedKeyUsage = TLS Web Server Authentication, TLS Web Client Authentication
  258. # Some might want this also
  259. # nsCertType = sslCA, emailCA
  261. # Include email address in subject alt name: another PKIX recommendation
  262. # subjectAltName=email:copy
  263. # Copy issuer details
  264. # issuerAltName=issuer:copy
  266. # DER hex encoding of an extension: beware experts only!
  267. # obj=DER:02:03
  268. # Where 'obj' is a standard or added object
  269. # You can even override a supported extension:
  270. # basicConstraints= critical, DER:30:03:01:01:FF
  272. subjectAltName         = @alt_names
  274. [ crl_ext ]
  276. # CRL extensions.
  277. # Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.
  279. # issuerAltName=issuer:copy
  280. authorityKeyIdentifier=keyid:always
  282. [ proxy_cert_ext ]
  283. # These extensions should be added when creating a proxy certificate
  285. # This goes against PKIX guidelines but some CAs do it and some software
  286. # requires this to avoid interpreting an end user certificate as a CA.
  288. basicConstraints=CA:FALSE
  290. # Here are some examples of the usage of nsCertType. If it is omitted
  291. # the certificate can be used for anything *except* object signing.
  293. # This is OK for an SSL server.
  294. # nsCertType            = server
  296. # For an object signing certificate this would be used.
  297. # nsCertType = objsign
  299. # For normal client use this is typical
  300. # nsCertType = client, email
  302. # and for everything including object signing:
  303. # nsCertType = client, email, objsign
  305. # This is typical in keyUsage for a client certificate.
  306. # keyUsage = nonRepudiation, digitalSignature, keyEncipherment
  308. # This will be displayed in Netscape's comment listbox.
  309. nsComment            = "OpenSSL Generated Certificate"
  311. # PKIX recommendations harmless if included in all certificates.
  312. subjectKeyIdentifier=hash
  313. authorityKeyIdentifier=keyid,issuer
  315. # This stuff is for subjectAltName and issuerAltname.
  316. # Import the email address.
  317. # subjectAltName=email:copy
  318. # An alternative to produce certificates that aren't
  319. # deprecated according to PKIX.
  320. # subjectAltName=email:move
  322. # Copy subject details
  323. # issuerAltName=issuer:copy
  325. #nsCaRevocationUrl        = http://www.domain.dom/ca-crl.pem
  326. #nsBaseUrl
  327. #nsRevocationUrl
  328. #nsRenewalUrl
  329. #nsCaPolicyUrl
  330. #nsSslServerName
  332. # This really needs to be in place for it to be a proxy certificate.
  333. proxyCertInfo=critical,language:id-ppl-anyLanguage,pathlen:3,policy:foo
  335. ####################################################################
  336. [ tsa ]
  338. default_tsa = tsa_config1    # the default TSA section
  340. [ tsa_config1 ]
  342. # These are used by the TSA reply generation only.
  343. dir        = ./demoCA        # TSA root directory
  344. serial        = $dir/tsaserial    # The current serial number (mandatory)
  345. crypto_device    = builtin        # OpenSSL engine to use for signing
  346. signer_cert    = $dir/tsacert.pem     # The TSA signing certificate
  347.                     # (optional)
  348. certs        = $dir/cacert.pem    # Certificate chain to include in reply
  349.                     # (optional)
  350. signer_key    = $dir/private/tsakey.pem # The TSA private key (optional)
  352. default_policy    = tsa_policy1        # Policy if request did not specify it
  353.                     # (optional)
  354. other_policies    = tsa_policy2, tsa_policy3    # acceptable policies (optional)
  355. digests        = md5, sha1        # Acceptable message digests (mandatory)
  356. accuracy    = secs:1, millisecs:500, microsecs:100    # (optional)
  357. clock_precision_digits  = 0    # number of digits after dot. (optional)
  358. ordering        = yes    # Is ordering defined for timestamps?
  359.                 # (optional, default: no)
  360. tsa_name        = yes    # Must the TSA name be included in the reply?
  361.                 # (optional, default: no)
  362. ess_cert_id_chain    = no    # Must the ESS cert id chain be included?
  363.                 # (optional, default: no)