Connection policy

Client login mode

  • Anonymous mode

    The anonymous login option must be enabled on the OPC UA server.

    The Neuron OPC UA module requires no user name/password and certificate/key.

  • User name/password mode

    The user name and password that have access permission have been created on the OPC UA server.

    Neuron OPC UA module fills in corresponding user name/password without adding certificate/key.

  • Certificate/key + anonymous mode

    OPC UA Enable appropriate security Settings on the server, add the client certificate to the trusted list, and enable anonymous login.

    Neuron OPC UA module adds corresponding client certificate/key without filling in user name/password.

  • Certificate/key + user name/password mode

    On the OPC UA server, you have created a user name and password with the access permission, enabled appropriate security Settings, and added the client certificate to the trust list.

    Neuron OPC UA module adds corresponding user name/password and corresponding client certificate/key.

Client certificate requirements

OPC UA Users can log in to the OPC UA server using a self-signed Certificate. The certificate and Key must meet the following conditions:

  • CERTIFICATE and KEYFILE must be set together.

  • Certificate must be generated in standard X.509v3.

  • The SAN field in Certficate must contain URI:urn:xxx.xxx.xxxxxx is the custom part.

  • The Certificate file and Key file must be encoded in DER format.

The certificate file can be imported into the target server in advance and set as trusted, or it can be automatically submitted after being set by Neuron and set as trusted by the server.

Client certificate/key conversion

You can use the following steps and commands to convert the PEM certificate and private key to DER format:

  1. Save all contents including -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- as 1.crt;

  2. Save all contents including -----BEGIN PRIVATE KEY----- and -----END PRIVATE KEY----- as 1.key;

  3. Run the following command:

  1. $ openssl x509 -in 1.crt -outform der -out cert.der   
  2. $ openssl rsa -inform PEM -in 1.key -outform DER -out key.der

Generate a client certificate/key

The generation mode on Windows, Linux, and Mac OS systems is the same.

  1. $ openssl req -config localhost.cnf -new -nodes -x509 -sha256 -newkey rsa:2048 -keyout localhost.key -days 365 -subj "/C=DE/O=neuron/CN=NeuronClient@localhost" -out localhost.crt
  2. $ openssl x509 -in localhost.crt -outform der -out client_cert.der
  3. openssl rsa -inform PEM -in localhost.key -outform DER -out client_key.der
  4. $ rm localhost.crt
  5. $ rm localhost.key

-days can set the value as desired.

The *.cnf file specified by -config can be modified using the file attachment localhost.cnf in the next section and needs to contain the following configuration section:

  1. [ v3_req ]
  3. # Extensions to add to a certificate request
  5. basicConstraints = CA:FALSE
  6. keyUsage = nonRepudiation, digitalSignature, keyEncipherment
  7. subjectAltName = @alt_names
  9. [ alt_names ]
  10. URI.1 = urn:xxx.xxx.xxx
  11. DNS.1 = localhost
  12. #DNS.2 = localhost
  13. IP.1 = 127.0.0.1
  14. #IP.2 = 0.0.0.0

Attachment localhost.cnf

  1. #
  2. # OpenSSL example configuration file.
  3. # This is mostly being used for generation of certificate requests.
  4. #
  6. # This definition stops the following lines choking if HOME isn't
  7. # defined.
  8. HOME            = .
  9. RANDFILE        = $ENV::HOME/.rnd
  11. # Extra OBJECT IDENTIFIER info:
  12. #oid_file        = $ENV::HOME/.oid
  13. oid_section        = new_oids
  15. # To use this configuration file with the "-extfile" option of the
  16. # "openssl x509" utility, name here the section containing the
  17. # X.509v3 extensions to use:
  18. # extensions        = 
  19. # (Alternatively, use a configuration file that has only
  20. # X.509v3 extensions in its main [= default] section.)
  22. [ new_oids ]
  24. # We can add new OIDs in here for use by 'ca', 'req' and 'ts'.
  25. # Add a simple OID like this:
  26. # testoid1=1.2.3.4
  27. # Or use config file substitution like this:
  28. # testoid2=${testoid1}.5.6
  30. # Policies used by the TSA examples.
  31. tsa_policy1 = 1.2.3.4.1
  32. tsa_policy2 = 1.2.3.4.5.6
  33. tsa_policy3 = 1.2.3.4.5.7
  35. ####################################################################
  36. [ ca ]
  37. default_ca    = CA_default        # The default ca section
  39. ####################################################################
  40. [ CA_default ]
  42. dir        = ./ca/            # Where everything is kept
  43. certs        = $dir/certs        # Where the issued certs are kept
  44. crl_dir        = $dir/crl        # Where the issued crl are kept
  45. database    = $dir/database.txt    # database index file.
  46. #unique_subject    = no            # Set to 'no' to allow creation of
  47.                     # several ctificates with same subject.
  48. new_certs_dir    = $dir/newcerts        # default place for new certs.
  50. certificate    = $dir/ca.crt         # The CA certificate
  51. serial        = $dir/serial         # The current serial number
  52. crlnumber    = $dir/crlnumber    # the current crl number
  53.                     # must be commented out to leave a V1 CRL
  54. crl        = $dir/crl.pem         # The current CRL
  55. private_key    = $dir/ca.key         # The private key
  56. RANDFILE    = $dir/.rand        # private random number file
  58. x509_extensions    = usr_cert        # The extensions to add to the cert
  60. # Comment out the following two lines for the "traditional"
  61. # (and highly broken) format.
  62. name_opt     = ca_default        # Subject Name options
  63. cert_opt     = ca_default        # Certificate field options
  65. # Extension copying option: use with caution.
  66. # copy_extensions = copy
  68. # Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs
  69. # so this is commented out by default to leave a V1 CRL.
  70. # crlnumber must also be commented out to leave a V1 CRL.
  71. crl_extensions    = crl_ext
  73. default_days    = 365            # how long to certify for
  74. default_crl_days= 30            # how long before next CRL
  75. default_md    = default        # use public key default MD
  76. preserve    = no            # keep passed DN ordering
  78. # A few difference way of specifying how similar the request should look
  79. # For type CA, the listed attributes must be the same, and the optional
  80. # and supplied fields are just that :-)
  81. policy        = policy_match
  83. # For the CA policy
  84. [ policy_match ]
  85. countryName        = match
  86. stateOrProvinceName    = match
  87. organizationName    = match
  88. organizationalUnitName    = optional
  89. commonName        = supplied
  90. emailAddress        = optional
  92. # For the 'anything' policy
  93. # At this point in time, you must list all acceptable 'object'
  94. # types.
  95. [ policy_anything ]
  96. countryName        = optional
  97. stateOrProvinceName    = optional
  98. localityName        = optional
  99. organizationName    = optional
  100. organizationalUnitName    = optional
  101. commonName        = supplied
  102. emailAddress        = optional
  104. ####################################################################
  105. [ req ]
  106. default_bits        = 2048
  107. default_keyfile     = privkey.pem
  108. distinguished_name    = req_distinguished_name
  109. attributes        = req_attributes
  110. x509_extensions    = v3_ca    # The extensions to add to the self signed cert
  112. # Passwords for private keys if not present they will be prompted for
  113. # input_password = secret
  114. # output_password = secret
  116. # This sets a mask for permitted string types. There are several options. 
  117. # default: PrintableString, T61String, BMPString.
  118. # pkix     : PrintableString, BMPString (PKIX recommendation before 2004)
  119. # utf8only: only UTF8Strings (PKIX recommendation after 2004).
  120. # nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings).
  121. # MASK:XXXX a literal mask value.
  122. # WARNING: ancient versions of Netscape crash on BMPStrings or UTF8Strings.
  123. string_mask = utf8only
  125. req_extensions = v3_req # The extensions to add to a certificate request
  127. [ req_distinguished_name ]
  128. countryName            = Country Name (2 letter code)
  129. countryName_default        = AU
  130. countryName_min            = 2
  131. countryName_max            = 2
  133. stateOrProvinceName        = State or Province Name (full name)
  134. stateOrProvinceName_default    = Some-State
  136. localityName            = Locality Name (eg, city)
  138. 0.organizationName        = Organization Name (eg, company)
  139. 0.organizationName_default    = Internet Widgits Pty Ltd
  141. # we can do this but it is not needed normally :-)
  142. #1.organizationName        = Second Organization Name (eg, company)
  143. #1.organizationName_default    = World Wide Web Pty Ltd
  145. organizationalUnitName        = Organizational Unit Name (eg, section)
  146. #organizationalUnitName_default    =
  148. commonName            = Common Name (e.g. server FQDN or YOUR name)
  149. commonName_max            = 64
  151. emailAddress            = Email Address
  152. emailAddress_max        = 64
  154. # SET-ex3            = SET extension number 3
  156. [ req_attributes ]
  157. challengePassword        = A challenge password
  158. challengePassword_min        = 4
  159. challengePassword_max        = 20
  161. unstructuredName        = An optional company name
  163. [ usr_cert ]
  165. # These extensions are added when 'ca' signs a request.
  167. # This goes against PKIX guidelines but some CAs do it and some software
  168. # requires this to avoid interpreting an end user certificate as a CA.
  170. basicConstraints=CA:FALSE
  172. # Here are some examples of the usage of nsCertType. If it is omitted
  173. # the certificate can be used for anything *except* object signing.
  175. # This is OK for an SSL server.
  176. # nsCertType            = server
  178. # For an object signing certificate this would be used.
  179. # nsCertType = objsign
  181. # For normal client use this is typical
  182. # nsCertType = client, email
  184. # and for everything including object signing:
  185. # nsCertType = client, email, objsign
  187. # This is typical in keyUsage for a client certificate.
  188. # keyUsage = nonRepudiation, digitalSignature, keyEncipherment
  190. # This will be displayed in Netscape's comment listbox.
  191. nsComment            = "OpenSSL Generated Certificate"
  193. # PKIX recommendations harmless if included in all certificates.
  194. subjectKeyIdentifier=hash
  195. authorityKeyIdentifier=keyid,issuer
  197. # This stuff is for subjectAltName and issuerAltname.
  198. # Import the email address.
  199. # subjectAltName=email:copy
  200. # An alternative to produce certificates that aren't
  201. # deprecated according to PKIX.
  202. # subjectAltName=email:move
  204. # Copy subject details
  205. # issuerAltName=issuer:copy
  207. #nsCaRevocationUrl        = http://www.domain.dom/ca-crl.pem
  208. #nsBaseUrl
  209. #nsRevocationUrl
  210. #nsRenewalUrl
  211. #nsCaPolicyUrl
  212. #nsSslServerName
  214. # This is required for TSA certificates.
  215. extendedKeyUsage = critical,timeStamping
  217. [ v3_req ]
  219. # Extensions to add to a certificate request
  221. basicConstraints = CA:FALSE
  222. keyUsage = nonRepudiation, digitalSignature, keyEncipherment
  223. subjectAltName = @alt_names
  225. [ alt_names ]
  226. URI.1 = urn:neuron.client.application
  227. DNS.1 = localhost
  228. #DNS.2 = localhost
  229. IP.1 = 127.0.0.1
  230. #IP.2 = 0.0.0.0
  232. [ v3_ca ]
  235. # Extensions for a typical CA
  238. # PKIX recommendation.
  240. subjectKeyIdentifier=hash
  242. authorityKeyIdentifier=keyid:always,issuer
  244. # This is what PKIX recommends but some broken software chokes on critical
  245. # extensions.
  246. #basicConstraints = critical,CA:true
  247. # So we do this instead.
  248. basicConstraints = CA:false
  250. # Key usage: this is typical for a CA certificate. However since it will
  251. # prevent it being used as an test self-signed certificate it is best
  252. # left out by default.
  253. # keyUsage = cRLSign, keyCertSign
  255. keyUsage = nonRepudiation, digitalSignature, keyEncipherment, dataEncipherment, keyCertSign
  256. extendedKeyUsage = TLS Web Server Authentication, TLS Web Client Authentication
  258. # Some might want this also
  259. # nsCertType = sslCA, emailCA
  261. # Include email address in subject alt name: another PKIX recommendation
  262. # subjectAltName=email:copy
  263. # Copy issuer details
  264. # issuerAltName=issuer:copy
  266. # DER hex encoding of an extension: beware experts only!
  267. # obj=DER:02:03
  268. # Where 'obj' is a standard or added object
  269. # You can even override a supported extension:
  270. # basicConstraints= critical, DER:30:03:01:01:FF
  272. subjectAltName         = @alt_names
  274. [ crl_ext ]
  276. # CRL extensions.
  277. # Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.
  279. # issuerAltName=issuer:copy
  280. authorityKeyIdentifier=keyid:always
  282. [ proxy_cert_ext ]
  283. # These extensions should be added when creating a proxy certificate
  285. # This goes against PKIX guidelines but some CAs do it and some software
  286. # requires this to avoid interpreting an end user certificate as a CA.
  288. basicConstraints=CA:FALSE
  290. # Here are some examples of the usage of nsCertType. If it is omitted
  291. # the certificate can be used for anything *except* object signing.
  293. # This is OK for an SSL server.
  294. # nsCertType            = server
  296. # For an object signing certificate this would be used.
  297. # nsCertType = objsign
  299. # For normal client use this is typical
  300. # nsCertType = client, email
  302. # and for everything including object signing:
  303. # nsCertType = client, email, objsign
  305. # This is typical in keyUsage for a client certificate.
  306. # keyUsage = nonRepudiation, digitalSignature, keyEncipherment
  308. # This will be displayed in Netscape's comment listbox.
  309. nsComment            = "OpenSSL Generated Certificate"
  311. # PKIX recommendations harmless if included in all certificates.
  312. subjectKeyIdentifier=hash
  313. authorityKeyIdentifier=keyid,issuer
  315. # This stuff is for subjectAltName and issuerAltname.
  316. # Import the email address.
  317. # subjectAltName=email:copy
  318. # An alternative to produce certificates that aren't
  319. # deprecated according to PKIX.
  320. # subjectAltName=email:move
  322. # Copy subject details
  323. # issuerAltName=issuer:copy
  325. #nsCaRevocationUrl        = http://www.domain.dom/ca-crl.pem
  326. #nsBaseUrl
  327. #nsRevocationUrl
  328. #nsRenewalUrl
  329. #nsCaPolicyUrl
  330. #nsSslServerName
  332. # This really needs to be in place for it to be a proxy certificate.
  333. proxyCertInfo=critical,language:id-ppl-anyLanguage,pathlen:3,policy:foo
  335. ####################################################################
  336. [ tsa ]
  338. default_tsa = tsa_config1    # the default TSA section
  340. [ tsa_config1 ]
  342. # These are used by the TSA reply generation only.
  343. dir        = ./demoCA        # TSA root directory
  344. serial        = $dir/tsaserial    # The current serial number (mandatory)
  345. crypto_device    = builtin        # OpenSSL engine to use for signing
  346. signer_cert    = $dir/tsacert.pem     # The TSA signing certificate
  347.                     # (optional)
  348. certs        = $dir/cacert.pem    # Certificate chain to include in reply
  349.                     # (optional)
  350. signer_key    = $dir/private/tsakey.pem # The TSA private key (optional)
  352. default_policy    = tsa_policy1        # Policy if request did not specify it
  353.                     # (optional)
  354. other_policies    = tsa_policy2, tsa_policy3    # acceptable policies (optional)
  355. digests        = md5, sha1        # Acceptable message digests (mandatory)
  356. accuracy    = secs:1, millisecs:500, microsecs:100    # (optional)
  357. clock_precision_digits  = 0    # number of digits after dot. (optional)
  358. ordering        = yes    # Is ordering defined for timestamps?
  359.                 # (optional, default: no)
  360. tsa_name        = yes    # Must the TSA name be included in the reply?
  361.                 # (optional, default: no)
  362. ess_cert_id_chain    = no    # Must the ESS cert id chain be included?
  363.                 # (optional, default: no)