|
# Configure the certificate validation in your OPC UA server / client
|
|
# Configure the certificate validation in your OPC UA server / client
|
|
|
|
|
|
In order to activate OPC UA secure communication (integrity and confidentiality) it is necessay to define in which cases a certificate will be valid for you application. A common way to achieve this goal is to define one or several Certificate Authorities (CAs) your application trusts, then all certificates signed by those CAs will be considered valid if security checks pass.
|
|
In order to activate OPC UA secure communication (integrity and confidentiality) it is necessay to define in which cases a certificate will be valid for your application. A common way to achieve this goal is to define one or several Certificate Authorities (CAs) your application trusts, then all certificates signed by those CAs will be considered valid if security checks pass.
|
|
|
|
|
|
## Reminder on the certificates constraints for OPC UA
|
|
## Reminder on the certificates constraints for OPC UA
|
|
|
|
|
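Review bot: the fix of "you application" to "your application" leaves the misspelling "necessay" in the same sentence on both the old and the new side; suggest correcting it in the same hunk ("it is necessary to define in which cases a certificate will be valid for your application"). The second sentence is also a run-on: "one or several Certificate Authorities (CAs) your application trusts; all certificates signed by those CAs will then be considered valid if the other security checks pass" reads more clearly.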
... | @@ -27,17 +27,17 @@ Certificate Authority (CA) requirements (such as the hash algorithm used for the |
... | @@ -27,17 +27,17 @@ Certificate Authority (CA) requirements (such as the hash algorithm used for the |
|
There are 4 types of certificates to provide to the PKI:
|
|
There are 4 types of certificates to provide to the PKI:
|
|
* The "trusted issuers" are Certificate Authorities (CAs) from which issued certificates are also trusted. All the certificates of the signing chain including the root CA must be provided.
|
|
* The "trusted issuers" are Certificate Authorities (CAs) from which issued certificates are also trusted. All the certificates of the signing chain including the root CA must be provided.
|
|
* The "issued certificates" are certificates issued by untrusted CA. These certificates are considered themselves trustworthy (if the certificate properties and its signature are both valid).
|
|
* The "issued certificates" are certificates issued by untrusted CA. These certificates are considered themselves trustworthy (if the certificate properties and its signature are both valid).
|
|
* The "untrusted issuers" are CAs that are used to verify the signing chain of the "issued certificates". Each issued certificate must have its whole signing CA chain in the untrusted issuers or the trusted issuers up to the root CA.
|
|
* The "untrusted issuers" are CAs which are used to verify the signing chain of the "issued certificates". Each issued certificate must have its whole signing CA chain in the untrusted issuers or the trusted issuers up to the root CA.
|
|
|
|
|
|
Note: the difference between trusted **issuers** and trusted **issued** certificates is that issued certificates are trusted on a one by one basis, whereas the trusted issuer may emit a large number of trusted certificates.
|
|
Note: the difference between trusted **issuers** and trusted **issued** certificates is that issued certificates are trusted on a one by one basis, whereas the trusted issuer may emit a large number of trusted certificates.
|
|
Note 2: each CA shall be provided with an associated Certificate Revocation List (CRL) to be considered valid by the PKI. See details on CRL list below.
|
|
Note 2: each CA shall be provided with an associated Certificate Revocation List (CRL) to be considered valid by the PKI. See details on CRL list below.
|
|
|
|
|
|
In addition, there are two more concepts:
|
|
In addition, there are two more concepts:
|
|
* A link (or intermediate) CA is part of the certificate validation chain. All links between a certificate and a root certificate must be provided (and sorted in the order child to parent).
|
|
* A link (or intermediate) CA is part of the certificate validation chain. All links between a certificate and a root certificate must be provided (and sorted in child to parent order).
|
|
* A root CA is always trusted, even if there are other root CAs that signed it. Hence the parent of root CAs will never be checked, and the validation stops on root CAs.
|
|
* A root CA is always trusted, even if there are other root CAs that signed it. Hence the parent of root CAs will never be checked, and the validation stops on root CAs.
|
|
|
|
|
|
Finally the list of Certificate Revocation List (CRL) shall contain exactly one list for each CA of the provided CAs, either link or root, trusted or untrusted.
|
|
Finally the list of Certificate Revocation List (CRL) shall contain exactly one list for each CA of the provided CAs, either link or root, trusted or untrusted.
|
|
Issued certificates should not have CRLs, as they cannot be used to trust any other certificate. When an issued certificate is used to protect a Secure Channel, it's signing chain will be verified.
|
|
Issued certificates should not have CRLs, as they cannot be used to trust any other certificate. When an issued certificate is used to protect a Secure Channel, its signing chain will be verified.
|
|
For instance, if the certificate is not self signed and appears on the CRL of its signing CA, the connection will fail as the certificate is in fact invalid.
|
|
For instance, if the certificate is not self signed and appears on the CRL of its signing CA, the connection will fail as the certificate is in fact invalid.
|
|
|
|
|
|
### Use server XML configuration to configure the PKI
|
|
### Use server XML configuration to configure the PKI
|
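Review bot: the change from "CAs that are used" to "CAs which are used" in the "untrusted issuers" bullet is a regression rather than a fix; the clause is restrictive, so "that" was correct, and the original wording matched the "trusted issuers" bullet above it. The "it's signing chain" to "its signing chain" correction is right. While this section is being edited, a few unchanged lines deserve the same attention: "issued by untrusted CA" should read "issued by an untrusted CA", "the list of Certificate Revocation List (CRL) shall contain exactly one list for each CA" should read "Certificate Revocation Lists (CRLs)", "See details on CRL list below" repeats "list", and "self signed" and "one by one basis" should be hyphenated ("self-signed", "one-by-one basis").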
... | @@ -69,12 +69,12 @@ Examples of configuration extract for certificate validation: |
... | @@ -69,12 +69,12 @@ Examples of configuration extract for certificate validation: |
|
revocation_list_path="/certs/PKI/revoked/child2CRL.der"/>
|
|
revocation_list_path="/certs/PKI/revoked/child2CRL.der"/>
|
|
<TrustedIssuer root="false" cert_path="/certs/PKI/trusted/child1CA.der"
|
|
<TrustedIssuer root="false" cert_path="/certs/PKI/trusted/child1CA.der"
|
|
revocation_list_path="/certs/PKI/revoked/child1CRL.der"/>
|
|
revocation_list_path="/certs/PKI/revoked/child1CRL.der"/>
|
|
<TrustedIssuer root="true" cert_path="/certs/PKI/trusted/myCompanyCA.der"
|
|
<TrustedIssuer root="true" cert_path="/certs/PKI/trusted/rootCA.der"
|
|
revocation_list_path="/certs/PKI/revoked/myCompanyCRL.der"/>
|
|
revocation_list_path="/certs/PKI/revoked/rootCA.der"/>
|
|
</TrustedIssuers>
|
|
</TrustedIssuers>
|
|
</ApplicationCertificates>
|
|
</ApplicationCertificates>
|
|
```
|
|
```
|
|
Note 1: Intermediate CAs (non root CA) shall be provided in the order child to parent, several chains can be provided as long as it complies with the child to parent order in each chain.
|
|
Note 1: Intermediate CAs (non root CA) shall be provided in child to parent order, several chains can be provided as long as it complies with the child to parent order in each chain.
|
|
|
|
|
|
Note 2: Trusted intermediate CAs may also be defined as root CA in this configuration, in this case the chain will not be verified by PKI since any certificate signed by one of the CA defined as root will be accepted without checking signature of the root certificate.
|
|
Note 2: Trusted intermediate CAs may also be defined as root CA in this configuration, in this case the chain will not be verified by PKI since any certificate signed by one of the CA defined as root will be accepted without checking signature of the root certificate.
|
|
|
|
|
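Review bot: renaming the root CRL from myCompanyCRL.der to rootCA.der gives the revocation list the same basename as the certificate it belongs to (rootCA.der under /certs/PKI/trusted/ versus rootCA.der under /certs/PKI/revoked/) and breaks the childNCRL.der naming used two lines above in the same block; suggest something like revocation_list_path="/certs/PKI/revoked/rootCRL.der" (a suggested name) so the file type is visible from the name. In Note 1, "several chains can be provided as long as it complies with the child to parent order in each chain" is a comma splice with an unclear "it"; suggest "Several chains can be provided as long as each chain respects the child to parent order." Note 2 (unchanged here) should state the consequence of declaring an intermediate CA as root more directly: since validation stops on root CAs and their parent is never checked, a revocation of that intermediate by its parent CA will not be detected; "without checking signature of the root certificate" undersells that.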
... | @@ -96,14 +96,14 @@ Note 2: Trusted intermediate CAs may also be defined as root CA in this configur |
... | @@ -96,14 +96,14 @@ Note 2: Trusted intermediate CAs may also be defined as root CA in this configur |
|
<ServerCertificate path="/certs/server/my_server_cert.der"/>
|
|
<ServerCertificate path="/certs/server/my_server_cert.der"/>
|
|
<ServerKey path="/cert/server/my_server_key/my_server_key.pem"/>
|
|
<ServerKey path="/cert/server/my_server_key/my_server_key.pem"/>
|
|
<TrustedIssuers>
|
|
<TrustedIssuers>
|
|
<TrustedIssuer root="true" cert_path="/certs/PKI/trusted/myCompanyCA.der"
|
|
<TrustedIssuer root="true" cert_path="/certs/PKI/trusted/rootCA.der"
|
|
revocation_list_path="/certs/PKI/revoked/myCompanyCRL.der"/>
|
|
revocation_list_path="/certs/PKI/revoked/rootCA.der"/>
|
|
</TrustedIssuers>
|
|
</TrustedIssuers>
|
|
<UntrustedIssuers>
|
|
<UntrustedIssuers>
|
|
<!-- Intermediate CAs shall be provided in the order child to parent -->
|
|
<!-- Intermediate CAs shall be provided in the order child to parent -->
|
|
<TrustedIssuer root="false" cert_path="/certs/PKI/trusted/child2CA.der"
|
|
<UntrustedIssuer root="false" cert_path="/certs/PKI/trusted/child2CA.der"
|
|
revocation_list_path="/certs/PKI/revoked/child2CRL.der"/>
|
|
revocation_list_path="/certs/PKI/revoked/child2CRL.der"/>
|
|
<TrustedIssuer root="false" cert_path="/certs/PKI/trusted/child1CA.der"
|
|
<UntrustedIssuer root="false" cert_path="/certs/PKI/trusted/child1CA.der"
|
|
revocation_list_path="/certs/PKI/revoked/child1CRL.der"/>
|
|
revocation_list_path="/certs/PKI/revoked/child1CRL.der"/>
|
|
</UntrustedIssuers>
|
|
</UntrustedIssuers>
|
|
<IssuedCertificates>
|
|
<IssuedCertificates>
|
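Review bot: the UntrustedIssuer elements still point at /certs/PKI/trusted/child2CA.der and /certs/PKI/trusted/child1CA.der; keeping untrusted issuers under a directory named trusted contradicts the distinction the document has just explained and invites readers to mix up the two lists. Suggest an untrusted directory in the example, e.g. cert_path="/certs/PKI/untrusted/child2CA.der" (a suggested path). The switch from <TrustedIssuer> to <UntrustedIssuer> inside <UntrustedIssuers> is the right fix. Two unchanged lines also look wrong: <ServerKey path="/cert/server/my_server_key/my_server_key.pem"/> uses /cert/ while <ServerCertificate path="/certs/server/my_server_cert.der"/> uses /certs/, which reads as a typo, and the root CRL renamed to /certs/PKI/revoked/rootCA.der has the same naming problem as in the previous hunk.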