# Configure the certificate validation in S2OPC server / client
# Configure the certificate validation management in S2OPC server / client
In order to activate OPC UA secure communication (integrity and confidentiality) it is necessay to define in which cases a certificate will be valid for your application. A common way to achieve this goal is to define one or several Certificate Authorities (CAs) your application trusts, then all certificates signed by those CAs will be considered valid if security checks pass.
## Configure the certificate validation management in S2OPC
In order to activate secure communication in your S2OPC server or client
In order to activate secure communication (integrity and confidentiality) in your S2OPC server or client
you will need to configure a Public Key Infrastructure (PKI) provider to manage the peer certificate validation.
A default implementation of PKI provider is provided with S2OPC toolkit (see `csrc/crypto/sopc_pki_stack.h`), all you need is configure it for your needs.
### Default PKI provider principles
## Default PKI provider principles
The PKI verifies a certificate in the safest manner (whole certificate chain, with date validation, mandatory certificate revocation lists).
Certificate Authority (CA) requirements (such as the hash algorithm used for the signature) depend on the chosen OPC UA security policy.
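Review bot: the unchanged context in this hunk still carries two wording defects worth fixing in the same commit: "necessay" should be "necessary", and "all you need is configure it for your needs" should read "all you need to do is configure it for your needs" (also "A default implementation of the PKI provider is provided with the S2OPC toolkit"). Promoting "### Default PKI provider principles" to "##" makes it a sibling of "## Configure the certificate validation management in S2OPC" instead of a subsection of it; that is consistent with the other headings promoted in the later hunks, so the new structure is fine, but the intro section then contains only the two PKI paragraphs, which is worth a glance.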
... | ... | @@ -35,7 +31,7 @@ Finally the list of Certificate Revocation List (CRL) shall contain exactly one |
Issued certificates should not have CRLs, as they cannot be used to trust any other certificate. When an issued certificate is used to protect a Secure Channel, its signing chain will be verified.
For instance, if the certificate is not self signed and appears on the CRL of its signing CA, the connection will fail as the certificate is in fact invalid.
### Use server XML configuration to configure the PKI
## Use server XML configuration to configure the PKI
In order to configure the certificates provided to the PKI it is possible to use the S2OPC server XML configuration format (`schemas/s2opc_config.xsd`).
The XML configuration can be used to automatically configure the S2OPC demo server (see [Start S2OPC demo server wiki](https://gitlab.com/systerel/S2OPC/-/wikis/demo#start-opc-ua-demo-server))
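Review bot: the context line shown in the hunk header, "the list of Certificate Revocation List (CRL) shall contain exactly one", needs the plural "Certificate Revocation Lists (CRLs)" since the list holds one CRL per CA. In the unchanged lines of this hunk, the sentence ending "(see [Start S2OPC demo server wiki](https://gitlab.com/systerel/S2OPC/-/wikis/demo#start-opc-ua-demo-server))" is missing its terminating period, and "if the certificate is not self signed" should be hyphenated as "self-signed" to match the usual spelling.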
... | ... | @@ -109,7 +105,7 @@ Note 2: Trusted intermediate CAs may also be defined as root CA in this configur |
Note: any other certificate than `myClient.der` signed by untrusted intermediate CAs will be refused since we only trust known issued certificates. The root CA certificate might also be untrusted, in this case all certificates directly signed by the root CA will be also refused.
### Configure a PKI manually
## Configure a PKI manually
If you implement your own server or client based on S2OPC toolkit you will need to instantiate the PKI using the function `SOPC_PKIProviderStack_CreateFromPaths`. The parameters content is the same as described for XML above and those can be instantiated from the XML itself on server side using `SOPC_Server_Config` structure content.
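Review bot: the second sentence of the unchanged context, "The parameters content is the same as described for XML above and those can be instantiated from the XML itself on server side using `SOPC_Server_Config` structure content", is a run-on that leaves unclear what "those" refers to; suggest "The parameters have the same meaning as in the XML configuration described above; on the server side they can be filled from the parsed XML through the `SOPC_Server_Config` structure." Also "based on S2OPC toolkit" should read "based on the S2OPC toolkit".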