Missing CertificateGenerator.exe; Using custom cert/key pair

14 Jun 2018 10:09 #6449 by support
Hello.

Regarding the configuration tool: I would expect that you can get it by downloading and installing ".NET Stack and Sample Applications", from opcfoundation.org/developer-tools/samples-and-tools-unified-...stack-and-sample-applications/ . But I have checked today and the download appears to be gone. Currently, to my knowledge, this means that the only way to get the tool is to get the sources from GitHub ( github.com/OPCFoundation/UA-.NET-Legacy ) and build them; it should be the "UA Configuration Tool.sln" solution.

Regarding the use of Windows Certificate Store: I have realized that the documentation is really lacking in this respect; all your questions make perfect sense, but are not covered in the User's Guide yet. This will improve in QuickOPC 2018.3. For now, I made the newly created parts of the doc (that are not yet released) available over our Knowledge Base: kb.opclabs.com/A_primer_on_OPC_UA_certificate_stores . There is the example you have asked for as well.

Best regards

13 Jun 2018 18:20 #6445 by chrisstankevitz
Thank you.

- Can you help me use the tool that comes with some OPC downloads to manage my QuickOPC keys/cert? (let me know if I misunderstood that). What is it called?

- How do I tell QuickOPC that I would like to use key/cert pair from the Windows Certificate Store? Do you have an example of that?

Thank you,

Chris

12 Jun 2018 12:26 #6430 by support
Hello. As with the other topic we have discussed here, QuickOPC relies on OPC Foundation code in this respect, and makes its own API around it. This is also the reason why the QuickOPC documentation on the topic is limited. I understand we should improve on that too.

I should have elaborated my reply more. Here are the missing bits:

Just to be clear, QuickOPC supports Windows certificate stores, and directory-based stores, and you can choose. We are talking directory-based stores now. Parts of the discussion apply to Windows cert stores as well, but not everything.

Each directory-based certificate store resides in folders and files in the underlying file system of the OS. The directory-based store generally has two sub-folders: "certs", and "private". The certificates *without* the private key go into the "certs" folder, in .DER format. The certificates *with* the private key go into the "private" folder. It is up to you to secure the folder well (each differently, probably!), using the file system permissions mechanism.

Passwords are not used with private keys. This is the way OPC Foundation code does it - even in their latest .NETStandard fork. I am not sure what the design decision behind this is; I plan to ask the person who designed it, inside OPC Foundation, later this year when I meet him.

You can manage the certificates in directories or Windows stores manually, OR you can use a GUI tool that comes with some OPC Foundation downloads. I wanted to put a link here but I cannot currently reach their site. If you need it, let me know and I will retry.

Best regards

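The store layout described in the reply above (a "certs" folder with DER certificates, a "private" folder with the key-bearing files, and no password on the private key, so the file system ACL is the only protection) as an added example. This is not code from the thread, from QuickOPC or from the OPC Foundation stack: a PowerShell script that takes a certificate and key issued by a third party, writes the public certificate to certs\ as DER, writes a passwordless PFX to private\, and restricts private\ to SYSTEM, Administrators and the account that runs the QuickOPC application before the key file is created. Everything named in it is an assumption: that the third-party bundle arrived as a password-protected PFX at C:\incoming\myapp.pfx, the MachineDefault store path quoted elsewhere in this thread, the service identity NT SERVICE\MyOpcClient, the file names, and the .pfx extension for the key-bearing file (the thread only says "certificates with the private key"; check the extension your stack version expects).

```powershell
# Added example, not QuickOPC / OPC Foundation code. All names below are hypothetical:
#   $InputPfx       - the cert+key from the third party, as a password-protected PFX
#   $StoreRoot      - the MachineDefault directory-based store quoted in the thread
#   $ServiceAccount - the identity under which the QuickOPC application runs
# The .pfx extension for the key-bearing file is an assumption; the thread only states
# that such files go into "private" and carry no password.
using namespace System.Security.AccessControl
using namespace System.Security.Cryptography.X509Certificates

param(
    [string]$InputPfx       = 'C:\incoming\myapp.pfx',
    [string]$StoreRoot      = 'C:\ProgramData\OPC Foundation\CertificateStores\MachineDefault',
    [string]$ServiceAccount = 'NT SERVICE\MyOpcClient'
)
$ErrorActionPreference = 'Stop'

$principal = [Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run elevated: changing ACLs under ProgramData needs administrator rights.'
}

# 1. Unpack the incoming bundle in memory. Exportable is needed to re-export the key below.
$pfxPassword = Read-Host -AsSecureString 'Password of the incoming PFX'
$cert = [X509Certificate2]::new($InputPfx, $pfxPassword, [X509KeyStorageFlags]::Exportable)
if (-not $cert.HasPrivateKey) { throw "$InputPfx carries no private key" }

# 2. Create the two sub-folders the thread describes.
$certsDir   = Join-Path $StoreRoot 'certs'
$privateDir = Join-Path $StoreRoot 'private'
New-Item -ItemType Directory -Force -Path $certsDir, $privateDir | Out-Null

# 3. Lock down "private" BEFORE the key file exists, so the file inherits the tight ACL.
#    "certs" holds only public certificates and can keep the inherited, readable ACL.
$acl = Get-Acl -Path $privateDir
$acl.SetAccessRuleProtection($true, $false)      # stop inheriting and drop inherited ACEs
foreach ($old in @($acl.Access | Where-Object { -not $_.IsInherited })) {
    [void]$acl.RemoveAccessRule($old)
}
$grants = [ordered]@{}
$grants['NT AUTHORITY\SYSTEM']    = [FileSystemRights]::FullControl
$grants['BUILTIN\Administrators'] = [FileSystemRights]::FullControl
# Read is enough because the key is provisioned here; grant Modify instead if QuickOPC
# must be allowed to create its own certificate in this store.
$grants[$ServiceAccount]          = [FileSystemRights]::ReadAndExecute
$inherit = [InheritanceFlags]'ContainerInherit, ObjectInherit'
foreach ($identity in $grants.Keys) {
    $rule = New-Object FileSystemAccessRule(
        $identity, $grants[$identity], $inherit, [PropagationFlags]::None, [AccessControlType]::Allow)
    $acl.AddAccessRule($rule)
}
Set-Acl -Path $privateDir -AclObject $acl

# 4. Public certificate as DER into "certs"; certificate plus key as passwordless PFX into "private".
#    File naming is an assumption; the thread says QuickOPC locates the certificate by its subject.
$baseName = $cert.GetNameInfo([X509NameType]::SimpleName, $false) -replace '[^\w\- ]', '_'
$derPath  = Join-Path $certsDir   "$baseName.der"
$pfxPath  = Join-Path $privateDir "$baseName.pfx"
[System.IO.File]::WriteAllBytes($derPath, $cert.Export([X509ContentType]::Cert))
[System.IO.File]::WriteAllBytes($pfxPath, $cert.Export([X509ContentType]::Pfx))

# 5. Check: an unencrypted key file must not be readable by the broad built-in groups.
$leaky = (Get-Acl -Path $pfxPath).Access |
    Where-Object { $_.IdentityReference.Value -match '^(Everyone|BUILTIN\\Users|NT AUTHORITY\\Authenticated Users)$' }
if ($leaky) { throw "Key file still readable by: $($leaky.IdentityReference.Value -join ', ')" }

Write-Host "Public certificate : $derPath"
Write-Host "Private key (PFX)  : $pfxPath, thumbprint $($cert.Thumbprint)"
Write-Host "Readable only by   : SYSTEM, Administrators, $ServiceAccount"
```

Run it elevated in Windows PowerShell 5.1 or later. Two caveats: the ACL is set on the folder first so that the .pfx written afterwards inherits it, rather than relying on propagation to an already existing file; and loading a PFX with the Exportable flag in Windows PowerShell may leave a persisted copy of the key in the current user's key container, so run the script under an account you control and treat that profile accordingly.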
11 Jun 2018 12:09 #6424 by chrisstankevitz
Thank you. Are you saying that I am supposed to put the private key into C:\ProgramData\OPC Foundation\CertificateStores\MachineDefault\certs?

What format should the private key be in? PFX? Should it be encrypted? If so, with what password? It seems weird that I would place an un-encrypted private key in that directory.

Thank you again,

Chris

11 Jun 2018 06:48 - 11 Jun 2018 06:49 #6419 by support
Hello.

Ad 1. The information you found in the User's Guide is obsolete, I apologize. I will make sure it gets updated in the next version. Under normal circumstances, you do not need CertificateGenerator.exe, and it is not placed physically onto the disk by QuickOPC. If you need it, it has to be obtained from OPC Foundation.

Ad 2. I hope the following example will explain it.
// This example demonstrates how to set the application name for the client certificate.
 
using System;
using OpcLabs.BaseLib.Instrumentation;
using OpcLabs.EasyOpc.UA;
 
namespace UADocExamples._UAApplicationParameters
{
    class ApplicationName
    {
        public static void Main1()
        {
            UAEndpointDescriptor endpointDescriptor =
                "opc.tcp://opcua.demo-this.com:51210/UA/SampleServer";
            // or "http://opcua.demo-this.com:51211/UA/SampleServer" (not in .NET Standard)
            // or "https://opcua.demo-this.com:51212/UA/SampleServer/"
 
            // Hook static events
            EasyUAClient.LogEntry += EasyUAClientOnLogEntry;
 
            try
            {
                // Set the application name, which determines the subject of the client certificate.
                // Note that this only works once in each host process.
                EasyUAClient.SharedParameters.EngineParameters.ApplicationParameters.ApplicationName = 
                    "QuickOPC - CSharp example application";
 
                // Do something - invoke an OPC read, to trigger some loggable entries.
                var client = new EasyUAClient();
                client.ReadValue(endpointDescriptor, "nsu=http://test.org/UA/Data/;i=10853");
 
                // The certificate will be located or created in a directory similar to:
                // C:\ProgramData\OPC Foundation\CertificateStores\MachineDefault\certs
                // or
                // C:\Users\All Users\OPC Foundation\CertificateStores\UA Applications\certs\
                // and its subject will be as given by the application name.
 
                Console.WriteLine("Processing log entry events for 10 seconds...");
                System.Threading.Thread.Sleep(10 * 1000);
 
                Console.WriteLine("Done.");
            }
            finally
            {
                // Unhook static events
                EasyUAClient.LogEntry -= EasyUAClientOnLogEntry;
            }
        }
 
        // Event handler for the LogEntry event.
        // Print the loggable entry containing client certificate parameters.
        private static void EasyUAClientOnLogEntry(object sender, LogEntryEventArgs logEntryEventArgs)
        {
            if (logEntryEventArgs.EventId == 161)
                Console.WriteLine(logEntryEventArgs);
        }
    }
}

QuickOPC first tries to find the certificate by the name you have given. If it finds it, it uses it. It will create a certificate with the given name if it does not find it.

Best regards
Last edit: 11 Jun 2018 06:49 by support.

10 Jun 2018 16:51 #6415 by chrisstankevitz
Hello,

1. Missing CertificateGenerator.exe

According to [1], I should have an application called `C:\Program Files (x86)\Common Files\OPC Foundation\UA\v1.0\Bin\Opc.Ua.CertificateGenerator.exe`.

The path does not exist. Where can I find CertificateGenerator.exe?

2. Custom Certificate/Key Pair

How do I ask QuickOPC to use a "custom" certificate and key that I generated through a "3rd party" process? I have been provided the certificate and key that I am to use, and I would like to "load it" into the QuickOPC "Certificate Store" so that my app will use it.

Thank you,

Chris

[1] www.opclabs.com/files/documents/QuickOpc/Latest/User's%20Guide-QuickOPC.pdf
