I'm coding an OPC UA Client to connect to Sofnet (OPC Server from Siemens). The Server's connection mode is SignAndEncrypt, so I need an X.509 certificate in "der" format.

I made my own self-signed certificate with openssl, but there is a field called "Subject Alt Names" in which I have to specify the Application URI. I have seen that this field can be filled in with an openssl configuration file, but when I create the cert I can't see the "Subject Alt Names".

Could someone help me create the certificate or give me a clue on how to authenticate my OPC Client?

Thanks in advance.

  • Are you using a toolkit or SDK to develop your client? These usually have documentation or code that helps with generating a certificate... – Kevin Herron May 14 '18 at 13:23

1 Answer

You can make a bash file (i.e. mkcert.sh) that will do the whole process of:

  • Creating a 2048-bit RSA key.
  • Creating a Certificate Request.
  • Signing it with your own key (self-signed certificate) and adding the extra information from extensions.cnf to the certificate.
  • Getting the PEM and DER versions of your certificate (optional).

The bash file shall contain:

# 1. Generate a 2048-bit RSA private key
openssl genrsa -out default_pk.pem 2048
# 2. Create a certificate signing request for that key
openssl req -new -key default_pk.pem -out cert.csr -subj "/C=US/ST=NY/L=NY/O=Organization/OU=OrganizationUnit/CN={YOUR_IP}"
# 3. Self-sign the request, adding the X.509v3 extensions (including the SAN) from extensions.cnf
openssl x509 -req -days 3650 -extfile extensions.cnf -in cert.csr -signkey default_pk.pem -out public.pem
# 4. Convert the PEM certificate to the DER encoding the OPC UA stack expects
openssl x509 -in public.pem -inform PEM -out public.der -outform DER

Then you need the extensions.cnf file that contains the SubjectAltName info and some other information:

basicConstraints=CA:TRUE
# subjectKeyIdentifier must be present for a self-signed cert, otherwise
# "authorityKeyIdentifier=keyid" has no issuer key id to copy and openssl x509 -req fails
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer
keyUsage=dataEncipherment,keyEncipherment,nonRepudiation,digitalSignature,keyCertSign,cRLSign
extendedKeyUsage=serverAuth,clientAuth
# The OPC UA Application URI goes into the SAN as a URI entry
subjectAltName=URI:URN:{YOUR_IP}

Replace {YOUR_IP} in both files with the real IP of your OPC UA Client.

Camille G.
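The four steps above as one runnable script, with a final check that the Application URI really ended up in the Subject Alternative Name (the symptom in the question). This is an added example, not the answer's own mkcert.sh; the Application URI, hostname and working directory are placeholders, and it assumes openssl is on PATH.

```shell
#!/bin/sh
# Added example: build a self-signed OPC UA client certificate and verify its SAN.
# APP_URI and the hostname passed to make_cert are constructed placeholders.
set -eu

APP_URI="urn:opcua-client.example:ExampleVendor:ExampleOpcClient"
WORKDIR="${WORKDIR:-$(mktemp -d)}"

# Write extensions.cnf. subjectKeyIdentifier=hash lets authorityKeyIdentifier=keyid
# resolve on a self-signed cert; CA:FALSE because an application instance
# certificate is an end-entity certificate, not a CA (the answer uses CA:TRUE).
write_extensions() {
  cat > "$WORKDIR/extensions.cnf" <<EOF
basicConstraints=CA:FALSE
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer
keyUsage=digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
extendedKeyUsage=serverAuth,clientAuth
subjectAltName=URI:$APP_URI,DNS:$1
EOF
}

# Key -> CSR -> self-signed PEM (with extensions) -> DER, for hostname $1
make_cert() {
  write_extensions "$1"
  openssl genrsa -out "$WORKDIR/default_pk.pem" 2048 2>/dev/null
  openssl req -new -key "$WORKDIR/default_pk.pem" -out "$WORKDIR/cert.csr" \
    -subj "/C=US/ST=NY/L=NY/O=Organization/OU=OrganizationUnit/CN=$1"
  openssl x509 -req -days 3650 -extfile "$WORKDIR/extensions.cnf" \
    -in "$WORKDIR/cert.csr" -signkey "$WORKDIR/default_pk.pem" \
    -out "$WORKDIR/public.pem" 2>/dev/null
  openssl x509 -in "$WORKDIR/public.pem" -inform PEM \
    -out "$WORKDIR/public.der" -outform DER
}

# Succeeds (exit 0) only if the DER certificate's SAN carries URI:$1
san_has_uri() {
  openssl x509 -in "$WORKDIR/public.der" -inform DER -noout -text \
    | grep -A1 'Subject Alternative Name' | grep -q "URI:$1"
}

make_cert "opcua-client.example"
san_has_uri "$APP_URI" && echo "SAN contains $APP_URI"
```

If san_has_uri fails, the extensions file was not applied; the usual cause is a -extfile path typo or a missing subjectKeyIdentifier making openssl reject the extension section.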