... | ... | @@ -42,7 +42,7 @@ Examples of configuration extract for certificate validation: |
```xml
<ApplicationCertificates>
<ServerCertificate path="/certs/server/my_server_cert.der"/>
<ServerKey path="/cert/server/my_server_key/my_server_key.pem" encrypted=true/> <!-- encrypted=true to specify if the server private key is encrypted with AES-256-CBC-->
<ServerKey path="/cert/server/my_server_key/my_server_key.pem" encrypted=true/>
<TrustedIssuers>
<TrustedIssuer root="true" cert_path="/certs/PKI/trusted/myCompanyCA.der"
revocation_list_path="/certs/PKI/revoked/myCompanyCRL.der"/>
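Review bot: the `encrypted=true` attribute on the `ServerKey` line (in both the version with the trailing comment and the one without) is unquoted, which is not well-formed XML; a strict parser will reject the file, so write it as `encrypted="true"`. The same extract also mixes `/certs/server/` for the certificate with `/cert/server/` for the key; use one directory name so a reader copying the snippet does not end up with a key path that does not exist.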
... | ... | @@ -53,7 +53,7 @@ Examples of configuration extract for certificate validation: |
```xml
<ApplicationCertificates>
<ServerCertificate path="/certs/server/my_server_cert.der"/>
<ServerKey path="/cert/server/my_server_key/my_server_key.pem" encrypted=true/> <!-- encrypted=true to specify if the server private key is encrypted with AES-256-CBC-->
<ServerKey path="/cert/server/my_server_key/my_server_key.pem" encrypted=true/>
<TrustedIssuers>
<!-- Intermediate CAs shall be provided in the order child to parent to be verified by default PKI -->
<TrustedIssuer root="false" cert_path="/certs/PKI/trusted/child2CA.der"
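Review bot: the ordering requirement for intermediate CAs (child to parent) lives only in an XML comment inside the example; it should also be stated in the prose above the extract, together with how a wrongly ordered chain is reported at startup, so an operator does not react to a validation failure by marking the intermediate as `root="true"` instead of fixing the order. The `ServerKey` line in this extract carries the same unquoted `encrypted=true` as the previous hunk and needs the same `encrypted="true"` fix.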
... | ... | @@ -73,7 +73,7 @@ Note 2: Trusted intermediate CAs may also be defined as root CA in this configur |
```xml
<ApplicationCertificates>
<ServerCertificate path="/certs/server/my_server_cert.der"/>
<ServerKey path="/cert/server/my_server_key/my_server_key.pem" encrypted=true/> <!-- encrypted=true to specify if the server private key is encrypted with AES-256-CBC-->
<ServerKey path="/cert/server/my_server_key/my_server_key.pem" encrypted=true/>
<IssuedCertificates>
<IssuedCertificate path="/certs/issued/myClient1CA.der"/>
<IssuedCertificate path="/certs/issued/myClient2CA.der"/>
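Review bot: the `IssuedCertificates` entries are named `myClient1CA.der` and `myClient2CA.der`, but this element holds end-entity client certificates, not CAs; names such as `myClient1.der` would avoid suggesting that a client certificate acts as an issuer. The `ServerKey` line again uses the unquoted `encrypted=true` and should be `encrypted="true"`.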
... | ... | @@ -85,7 +85,7 @@ Note 2: Trusted intermediate CAs may also be defined as root CA in this configur |
```xml
<ApplicationCertificates>
<ServerCertificate path="/certs/server/my_server_cert.der"/>
<ServerKey path="/cert/server/my_server_key/my_server_key.pem" encrypted=true/> <!-- encrypted=true to specify if the server private key is encrypted with AES-256-CBC-->
<ServerKey path="/cert/server/my_server_key/my_server_key.pem" encrypted=true/>
<TrustedIssuers>
<TrustedIssuer root="true" cert_path="/certs/PKI/trusted/rootCA.der"
revocation_list_path="/certs/PKI/revoked/rootCRL.der"/>
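Review bot: this is the fourth copy of the same one-line `ServerKey` change, and all four extracts repeat identical `ServerCertificate` and `ServerKey` lines; consider showing the common `ApplicationCertificates` header once and only the `TrustedIssuers` / `IssuedCertificates` part per case, so that a correction such as quoting `encrypted="true"` or aligning the `/certs/` and `/cert/` paths has to be made in one place rather than four.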
... | ... | @@ -118,17 +118,15 @@ It is also possible to use function `SOPC_PKIProviderStack_Create` to create the |
The certificates and keys shall be generated for the server and client applications with configuration adapted to the deployment platform.
The certificate generation script and configuration files provided by S2OPC product should be used: https://gitlab.com/systerel/S2OPC/-/blob/master/samples/ClientServer/data/cert/
The following files shall be adapted:
- generate_certs.sh: the “-days” configuration shall be set to a value less than or equal to 1 or 2 years.
- cli_req.cnf: the “alternate_names” “URI” and “DNS.1” sections shall be changed using the hostname of the machine that will run the client applications instead of “localhost”.
- srv_req.cnf: the “alternate_names” “URI” and “DNS.1” sections shall be changed using the hostname of the machine that will run the server application instead of “localhost”.
Once modification done, the script “generate_certs.sh” should be called and the new certificate and keys are generated.
Private keys are encrypted using the AES-256 CBC algorithm. During execution of the script `generate_certs.sh`, passwords will be requested in an interactive and secure way from a terminal to encrypt the keys.
As explain in [Demo](/demo) you can adapt the script `generate_certs.sh` to change the encryption algorithm with one that is supported by S2OPC:
- AES-128, AES-128-CBC
- AES-192, AES-192-CBC
- AES-256, AES-256-CBC
- generate_certs.sh: the “-days” configuration shall be set to a value less than or equal to 1 or 2 years.
- cli_req.cnf: the “alternate_names” “URI” and “DNS.1” sections shall be changed using the hostname of the machine that will run the client applications instead of “localhost”.
- srv_req.cnf: the “alternate_names” “URI” and “DNS.1” sections shall be changed using the hostname of the machine that will run the server application instead of “localhost”.
Once modification done, the script `generate_certs.sh` should be called and the new certificate and keys are generated. The script encrypt the keys from a derived password thanks to the PBKDF1-MD5 algorithm.
The script `generate_certs.sh` can be used to generate new keys and can be modified to change the encryption algorithm with one that is supported by S2OPC:
- AES-128, AES-128-CBC
- AES-192, AES-192-CBC
- AES-256, AES-256-CBC
![Analytics](https://systerel-ga-beacon.appspot.com/UA-1802741-3/wiki/home?pixel&useReferer)
![Matomo](https://analytics.systerel.fr/matomo.php?idsite=5&rec=1&action_name=wiki/certificates+configuration) |
\ No newline at end of file |
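Review bot: the two versions of the key-encryption paragraph tell the reader different things about key derivation: one says the script encrypts the keys with a password derived by PBKDF1-MD5, the other only says the keys are AES-256-CBC encrypted with a password requested interactively. Whichever version is kept should name the key derivation that `generate_certs.sh` actually uses, since an operator needs it to judge how strong the passphrase has to be. Wording fixes in the same hunk: `As explain in` should read `As explained in`, `Once modification done` should read `Once the modifications are done`, `The script encrypt the keys` should read `The script encrypts the keys`, and the `-days` guidance (`less than or equal to 1 or 2 years`) should state one concrete maximum rather than two.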