Professional OPC
Development Tools

logos

Online Forums

Technical support is provided through Support Forums below. Anybody can view them; you need to Register/Login to our site (see links in upper right corner) in order to Post questions. You do not have to be a licensed user of our product.

Please read Rules for forum posts before reporting your issue or asking a question. OPC Labs team is actively monitoring the forums, and replies as soon as possible. Various technical information can also be found in our Knowledge Base. For your convenience, we have also assembled a Frequently Asked Questions page.

Do not use the Contact page for technical issues.

Generate OPC UA certificate using OpenSSL 1.1.1f

More
23 Feb 2022 15:28 #10650 by support
Hello.

Yes, currently QuickOPC's auto-generated certificates have lifetime of 50 years (600 months) when targeting .NET framework; and 1 year (12 months) when targeting .NEt Standard.

It is not clear to me what do you mean by "...opc.ua.certificategenerator, ... this tool is not supported anymore". The tools comes from OPC Foundation, and the foundation has never supported it, same as with any other code. It only gets supported if some vendor, an OPC member, decides to support it. The tools works and I do not see a reason not to use it.

We are no OpenSSL experts here so I am afraid I cannot dig into the details of the OpenSSL.

But, please share what have you done after you have created the certificate. What are the file names and where have you placed the files? Getting this wrong might be the cause.

Best regards

Please Log in or Create an account to join the conversation.

More
22 Feb 2022 13:40 - 22 Feb 2022 14:03 #10648 by Tjall
My application can't use the auto-generated certificate due to only 1 year validity. I am able to generate cert's with longer validity using opc.ua.certificategenerator, but since this tool is not supported anymore, and since it's only using openssl, I am eager to learn how I can do this manually using openssl.

I have made a bash file that I run in WSL:
openssl genrsa -out default_pk.pem 2048
 
openssl req -new -key default_pk.pem -out cert.csr \
-subj "/CN={MyApp}/"
 
openssl x509 -req -days 760 -extfile extensions.cnf -in cert.csr \
-signkey default_pk.pem -out public.pem
 
openssl x509 -in public.pem -inform PEM -out public.der -outform DER
With a extensions.cnf config file like this:
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer
subjectAltName=@alt_names
basicConstraints=CA:FALSE
keyUsage=dataEncipherment,keyEncipherment,nonRepudiation,digitalSignature,keyCertSign,cRLSign
extendedKeyUsage=serverAuth,clientAuth
 
[alt_names]
URI = URN:Localhost:{MyApp}:1.0.0.0:neutral:null
DNS.1 = Localhost
The error message I receive is this:
[14:58:32 ERR] The OPC-UA engine failed to connect to the underlying subsystems.
  OPC-UA service result - Cannot access certificate private key. Subject=CN={MyApp} = BadConfigurationError.
---- SERVICE RESULT ----
Status Code: {BadConfigurationError} = 0x80890000 (2156462080)
Description: Cannot access certificate private key. Subject=CN={MyApp}
 
+ The SDK action called was "ApplicationInstance.CheckApplicationInstanceCertificate".
+ Following (2) events were gathered during the action on activity ID [4], in the order of first occurrence:
  SDK trace: Checking application instance certificate.
  Exception: {Opc.Ua.ServiceResultException} Cannot access certificate private key. Subject=CN={MyApp}
+ The error occurred while creating or checking the (client) application instance certificate. Check event log entries for errors and warnings.
+ This is an engine-level error.. <s:OpcLabs.EasyOpc.UA.EasyUAClient>
I have tried to follow the requirements of the Application Instance Certificate , and compare these with the properties of an auto-generated certificate without any luck. Have also been running in elevated mode without any difference.

Is there anyone out there that have figured out a way to generate certificates for the EasyUAClient?
Last edit: 22 Feb 2022 14:03 by Tjall. Reason: Added error message print out

Please Log in or Create an account to join the conversation.

Moderators: support
Time to create page: 0.054 seconds