Connection Policy

On this page, you’ll learn about client certificate and key configuration for connecting with the Neuron OPC UA module. This includes different login modes, certificate requirements, conversion and generation of certificates, and how to work with the crucial localhost.cnf file.

Client Login Mode

  • Anonymous mode

    The anonymous login option must be enabled on the OPC UA server.

    The Neuron OPC UA module requires neither a username/password nor a certificate/key.

  • Username/password mode

    A username and password with access permission have been created on the OPC UA server.

    The Neuron OPC UA module fills in the corresponding username/password and adds no certificate/key.

  • Certificate/key + anonymous mode

    Appropriate security settings have been enabled on the OPC UA server, the client certificate has been added to the trust list, and anonymous login is enabled.

    The Neuron OPC UA module adds the corresponding client certificate/key without filling in a username/password.

  • Certificate/key + username/password mode

    On the OPC UA server, you have created a username and password with access permission, enabled appropriate security settings, and added the client certificate to the trust list.

    The Neuron OPC UA module adds both the corresponding username/password and the corresponding client certificate/key.

Client Certificate Requirements

OPC UA users can log in to the OPC UA server with a self-signed certificate. The certificate and key must meet the following conditions:

  • CERTIFICATE and KEYFILE must be set together.

  • The certificate must be a standard X.509v3 certificate.

  • The SAN field of the certificate must contain URI:urn:xxx.xxx.xxx, where xxx is the custom part.

  • The certificate file and the key file must be DER-encoded.

TIP

The certificate file can be imported into the target server in advance and set as trusted, or it can be submitted automatically after being configured in Neuron and then set as trusted on the server.

Client Certificate/Key Conversion

You can use the following steps and commands to convert the PEM certificate and private key to DER format:

  1. Save the whole block from -----BEGIN CERTIFICATE----- through -----END CERTIFICATE----- (inclusive) as 1.crt;

  2. Save the whole block from -----BEGIN PRIVATE KEY----- through -----END PRIVATE KEY----- (inclusive) as 1.key;

  3. Run the following commands:

    ```sh
    $ openssl x509 -in 1.crt -outform der -out cert.der
    $ openssl rsa -inform PEM -in 1.key -outform DER -out key.der
    ```

Generate a Client Certificate/Key

The generation procedure is the same on Windows, Linux, and macOS.

```sh
$ openssl req -config localhost.cnf -new -nodes -x509 -sha256 -newkey rsa:2048 -keyout localhost.key -days 365 -subj "/C=DE/O=neuron/CN=NeuronClient@localhost" -out localhost.crt
$ openssl x509 -in localhost.crt -outform der -out client_cert.der
$ openssl rsa -inform PEM -in localhost.key -outform DER -out client_key.der
$ rm localhost.crt
$ rm localhost.key
```

The value of -days can be set as desired.

The *.cnf file passed to -config can be based on the localhost.cnf attached in the next section and needs to contain the following configuration section. Note that because the command above uses -x509, OpenSSL reads the extensions from the section named by x509_extensions in [ req ] (v3_ca in the attached file) rather than from req_extensions, which is why the attached localhost.cnf also sets subjectAltName = @alt_names under [ v3_ca ]:

```ini
[ v3_req ]
# Extensions to add to a certificate request
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = @alt_names
[ alt_names ]
URI.1 = urn:xxx.xxx.xxx
DNS.1 = localhost
#DNS.2 = localhost
IP.1 = 127.0.0.1
#IP.2 = 0.0.0.0
```
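As an added example (not part of the Neuron docs or project), the following POSIX shell script carries the generation and conversion steps above through to DER and then checks the conditions listed under Client Certificate Requirements. The minimal config it writes, the section name v3_client and the function names are constructed here rather than taken from the attached localhost.cnf, and it assumes openssl is on PATH.

```shell
#!/bin/sh
# Added example, not from the Neuron docs: build a client cert/key as the page
# describes, then verify the stated requirements on the resulting DER files.
set -u

# Minimal constructed config (not the attached localhost.cnf). With -x509,
# OpenSSL takes extensions from x509_extensions, so the SAN URI is placed there.
write_cnf() {   # $1 = path, $2 = application URI (urn:...)
  cat > "$1" <<EOF
[ req ]
prompt = no
distinguished_name = req_distinguished_name
x509_extensions = v3_client
[ req_distinguished_name ]
C = DE
O = neuron
CN = NeuronClient@localhost
[ v3_client ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = URI:$2, DNS:localhost, IP:127.0.0.1
EOF
}

# Generate the PEM pair, convert both to DER, drop the PEM copies (as on the page).
make_client_der() {   # $1 = work dir, $2 = application URI
  write_cnf "$1/localhost.cnf" "$2" &&
  openssl req -config "$1/localhost.cnf" -new -nodes -x509 -sha256 -newkey rsa:2048 \
    -keyout "$1/localhost.key" -days 365 -out "$1/localhost.crt" 2>/dev/null &&
  openssl x509 -in "$1/localhost.crt" -outform der -out "$1/client_cert.der" &&
  openssl rsa -inform PEM -in "$1/localhost.key" -outform DER -out "$1/client_key.der" 2>/dev/null &&
  rm "$1/localhost.crt" "$1/localhost.key"
}

# Succeed only if the pair meets the page's conditions: both files present and
# DER-encoded, X.509v3, SAN carries URI:urn:..., and the key belongs to the cert.
check_client_der() {   # $1 = cert.der, $2 = key.der
  [ -s "$1" ] && [ -s "$2" ] || { echo "CERTIFICATE and KEYFILE must both be set"; return 1; }
  text=$(openssl x509 -inform der -in "$1" -noout -text 2>/dev/null) || { echo "certificate is not DER"; return 1; }
  echo "$text" | grep -q 'Version: 3' || { echo "certificate is not X.509v3"; return 1; }
  echo "$text" | grep -q 'URI:urn:' || { echo "SAN has no URI:urn:... entry"; return 1; }
  cert_pub=$(openssl x509 -inform der -in "$1" -noout -pubkey 2>/dev/null) || return 1
  key_pub=$(openssl rsa -inform der -in "$2" -pubout 2>/dev/null) || { echo "key is not DER"; return 1; }
  [ "$cert_pub" = "$key_pub" ] || { echo "key does not match certificate"; return 1; }
}

# Usage: sh check_client.sh <work dir> <urn:...>
if [ "${1:-}" ] && [ "${2:-}" ]; then
  make_client_der "$1" "$2" && check_client_der "$1/client_cert.der" "$1/client_key.der" && echo OK
fi
```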

Further Reading: localhost.cnf

```ini
#
# OpenSSL example configuration file.
# This is mostly being used for generation of certificate requests.
#

# This definition stops the following lines choking if HOME isn't
# defined.
HOME = .
RANDFILE = $ENV::HOME/.rnd

# Extra OBJECT IDENTIFIER info:
#oid_file = $ENV::HOME/.oid
oid_section = new_oids

# To use this configuration file with the "-extfile" option of the
# "openssl x509" utility, name here the section containing the
# X.509v3 extensions to use:
# extensions =
# (Alternatively, use a configuration file that has only
# X.509v3 extensions in its main [= default] section.)

[ new_oids ]
# We can add new OIDs in here for use by 'ca', 'req' and 'ts'.
# Add a simple OID like this:
# testoid1=1.2.3.4
# Or use config file substitution like this:
# testoid2=${testoid1}.5.6

# Policies used by the TSA examples.
tsa_policy1 = 1.2.3.4.1
tsa_policy2 = 1.2.3.4.5.6
tsa_policy3 = 1.2.3.4.5.7

####################################################################
[ ca ]
default_ca = CA_default # The default ca section

####################################################################
[ CA_default ]
dir = ./ca/ # Where everything is kept
certs = $dir/certs # Where the issued certs are kept
crl_dir = $dir/crl # Where the issued crl are kept
database = $dir/database.txt # database index file.
#unique_subject = no # Set to 'no' to allow creation of
# several certificates with same subject.
new_certs_dir = $dir/newcerts # default place for new certs.
certificate = $dir/ca.crt # The CA certificate
serial = $dir/serial # The current serial number
crlnumber = $dir/crlnumber # the current crl number
# must be commented out to leave a V1 CRL
crl = $dir/crl.pem # The current CRL
private_key = $dir/ca.key # The private key
RANDFILE = $dir/.rand # private random number file
x509_extensions = usr_cert # The extensions to add to the cert
# Comment out the following two lines for the "traditional"
# (and highly broken) format.
name_opt = ca_default # Subject Name options
cert_opt = ca_default # Certificate field options
# Extension copying option: use with caution.
# copy_extensions = copy
# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs
# so this is commented out by default to leave a V1 CRL.
# crlnumber must also be commented out to leave a V1 CRL.
crl_extensions = crl_ext
default_days = 365 # how long to certify for
default_crl_days= 30 # how long before next CRL
default_md = default # use public key default MD
preserve = no # keep passed DN ordering
# A few different ways of specifying how similar the request should look
# For type CA, the listed attributes must be the same, and the optional
# and supplied fields are just that :-)
policy = policy_match

# For the CA policy
[ policy_match ]
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional

# For the 'anything' policy
# At this point in time, you must list all acceptable 'object'
# types.
[ policy_anything ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional

####################################################################
[ req ]
default_bits = 2048
default_keyfile = privkey.pem
distinguished_name = req_distinguished_name
attributes = req_attributes
x509_extensions = v3_ca # The extensions to add to the self signed cert
# Passwords for private keys if not present they will be prompted for
# input_password = secret
# output_password = secret
# This sets a mask for permitted string types. There are several options.
# default: PrintableString, T61String, BMPString.
# pkix : PrintableString, BMPString (PKIX recommendation before 2004)
# utf8only: only UTF8Strings (PKIX recommendation after 2004).
# nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings).
# MASK:XXXX a literal mask value.
# WARNING: ancient versions of Netscape crash on BMPStrings or UTF8Strings.
string_mask = utf8only
req_extensions = v3_req # The extensions to add to a certificate request

[ req_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_default = AU
countryName_min = 2
countryName_max = 2
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = Some-State
localityName = Locality Name (eg, city)
0.organizationName = Organization Name (eg, company)
0.organizationName_default = Internet Widgits Pty Ltd
# we can do this but it is not needed normally :-)
#1.organizationName = Second Organization Name (eg, company)
#1.organizationName_default = World Wide Web Pty Ltd
organizationalUnitName = Organizational Unit Name (eg, section)
#organizationalUnitName_default =
commonName = Common Name (e.g. server FQDN or YOUR name)
commonName_max = 64
emailAddress = Email Address
emailAddress_max = 64
# SET-ex3 = SET extension number 3

[ req_attributes ]
challengePassword = A challenge password
challengePassword_min = 4
challengePassword_max = 20
unstructuredName = An optional company name

[ usr_cert ]
# These extensions are added when 'ca' signs a request.
# This goes against PKIX guidelines but some CAs do it and some software
# requires this to avoid interpreting an end user certificate as a CA.
basicConstraints=CA:FALSE
# Here are some examples of the usage of nsCertType. If it is omitted
# the certificate can be used for anything *except* object signing.
# This is OK for an SSL server.
# nsCertType = server
# For an object signing certificate this would be used.
# nsCertType = objsign
# For normal client use this is typical
# nsCertType = client, email
# and for everything including object signing:
# nsCertType = client, email, objsign
# This is typical in keyUsage for a client certificate.
# keyUsage = nonRepudiation, digitalSignature, keyEncipherment
# This will be displayed in Netscape's comment listbox.
nsComment = "OpenSSL Generated Certificate"
# PKIX recommendations harmless if included in all certificates.
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer
# This stuff is for subjectAltName and issuerAltname.
# Import the email address.
# subjectAltName=email:copy
# An alternative to produce certificates that aren't
# deprecated according to PKIX.
# subjectAltName=email:move
# Copy subject details
# issuerAltName=issuer:copy
#nsCaRevocationUrl = http://www.domain.dom/ca-crl.pem
#nsBaseUrl
#nsRevocationUrl
#nsRenewalUrl
#nsCaPolicyUrl
#nsSslServerName
# This is required for TSA certificates.
extendedKeyUsage = critical,timeStamping

[ v3_req ]
# Extensions to add to a certificate request
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = @alt_names

[ alt_names ]
URI.1 = urn:neuron.client.application
DNS.1 = localhost
#DNS.2 = localhost
IP.1 = 127.0.0.1
#IP.2 = 0.0.0.0

[ v3_ca ]
# Extensions for a typical CA
# PKIX recommendation.
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always,issuer
# This is what PKIX recommends but some broken software chokes on critical
# extensions.
#basicConstraints = critical,CA:true
# So we do this instead.
basicConstraints = CA:false
# Key usage: this is typical for a CA certificate. However since it will
# prevent it being used as a test self-signed certificate it is best
# left out by default.
# keyUsage = cRLSign, keyCertSign
keyUsage = nonRepudiation, digitalSignature, keyEncipherment, dataEncipherment, keyCertSign
extendedKeyUsage = TLS Web Server Authentication, TLS Web Client Authentication
# Some might want this also
# nsCertType = sslCA, emailCA
# Include email address in subject alt name: another PKIX recommendation
# subjectAltName=email:copy
# Copy issuer details
# issuerAltName=issuer:copy
# DER hex encoding of an extension: beware experts only!
# obj=DER:02:03
# Where 'obj' is a standard or added object
# You can even override a supported extension:
# basicConstraints= critical, DER:30:03:01:01:FF
subjectAltName = @alt_names

[ crl_ext ]
# CRL extensions.
# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.
# issuerAltName=issuer:copy
authorityKeyIdentifier=keyid:always

[ proxy_cert_ext ]
# These extensions should be added when creating a proxy certificate
# This goes against PKIX guidelines but some CAs do it and some software
# requires this to avoid interpreting an end user certificate as a CA.
basicConstraints=CA:FALSE
# Here are some examples of the usage of nsCertType. If it is omitted
# the certificate can be used for anything *except* object signing.
# This is OK for an SSL server.
# nsCertType = server
# For an object signing certificate this would be used.
# nsCertType = objsign
# For normal client use this is typical
# nsCertType = client, email
# and for everything including object signing:
# nsCertType = client, email, objsign
# This is typical in keyUsage for a client certificate.
# keyUsage = nonRepudiation, digitalSignature, keyEncipherment
# This will be displayed in Netscape's comment listbox.
nsComment = "OpenSSL Generated Certificate"
# PKIX recommendations harmless if included in all certificates.
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer
# This stuff is for subjectAltName and issuerAltname.
# Import the email address.
# subjectAltName=email:copy
# An alternative to produce certificates that aren't
# deprecated according to PKIX.
# subjectAltName=email:move
# Copy subject details
# issuerAltName=issuer:copy
#nsCaRevocationUrl = http://www.domain.dom/ca-crl.pem
#nsBaseUrl
#nsRevocationUrl
#nsRenewalUrl
#nsCaPolicyUrl
#nsSslServerName
# This really needs to be in place for it to be a proxy certificate.
proxyCertInfo=critical,language:id-ppl-anyLanguage,pathlen:3,policy:foo

####################################################################
[ tsa ]
default_tsa = tsa_config1 # the default TSA section

[ tsa_config1 ]
# These are used by the TSA reply generation only.
dir = ./demoCA # TSA root directory
serial = $dir/tsaserial # The current serial number (mandatory)
crypto_device = builtin # OpenSSL engine to use for signing
signer_cert = $dir/tsacert.pem # The TSA signing certificate
# (optional)
certs = $dir/cacert.pem # Certificate chain to include in reply
# (optional)
signer_key = $dir/private/tsakey.pem # The TSA private key (optional)
default_policy = tsa_policy1 # Policy if request did not specify it
# (optional)
other_policies = tsa_policy2, tsa_policy3 # acceptable policies (optional)
digests = md5, sha1 # Acceptable message digests (mandatory)
accuracy = secs:1, millisecs:500, microsecs:100 # (optional)
clock_precision_digits = 0 # number of digits after dot. (optional)
ordering = yes # Is ordering defined for timestamps?
# (optional, default: no)
tsa_name = yes # Must the TSA name be included in the reply?
# (optional, default: no)
ess_cert_id_chain = no # Must the ESS cert id chain be included?
# (optional, default: no)
```