4

I'm working on a C# client for an OPC UA server. I'm not a paying member of the OPC Foundation, so I don't have access to the SDK. I'm using the sample applications and the .NET stack that are freely available.

One of the problems I'm facing is I don't have a security certificate. My client can connect to the server, but it does so in an unsecured mode. This results in not being able to access the databases on the server. I believe I'm missing a client side (and possibly also server side) certificate. I have full access to the server's administration, but I've been unable to figure out how to retrieve/generate the certificate. How do I do this?

Shaggydog
  • 3,456
  • 7
  • 33
  • 50

2 Answers

4

In general, how to get a client certificate is the OPC UA client application's responsibility. Usually, if there is no certificate generated and configured, then the SDK creates a default self-signed one. If you look at the XML configuration file of the .NET UA application, then you should find the place where certificate parameters are defined, and it can also be generated automatically. In order to communicate over secured mode, both client and server should trust each other's certificates. If certificate stores are in the file system, then trust for self-signed certificates can be set up by copying the client certificate to the server's trusted folder, and vice versa. Programmatically you can get the server certificate by a GetEndpoints call. The server can get the client's certificate from the OpenSecureChannel request.

Ravil
  • 81
  • 3
1

In the OPC UA client from the OPC Foundation you can automatically create a self-signed client certificate and accept the server certificate using this code:

    var config = new ApplicationConfiguration
    {
        ApplicationName = "MyClient",
        ApplicationType = ApplicationType.Client,
        SecurityConfiguration = new SecurityConfiguration
        {
            // Store that holds (or will receive) the client's own certificate and private key
            ApplicationCertificate = new CertificateIdentifier { StoreType = @"Directory", StorePath = @"%CommonApplicationData%\OPC Foundation\CertificateStores\MachineDefault", SubjectName = "MyClient" },
            TrustedIssuerCertificates = new CertificateTrustList { StoreType = @"Directory", StorePath = @"%CommonApplicationData%\OPC Foundation\CertificateStores\UA Certificate Authorities" },
            TrustedPeerCertificates = new CertificateTrustList { StoreType = @"Directory", StorePath = @"%CommonApplicationData%\OPC Foundation\CertificateStores\UA Applications" },
            RejectedCertificateStore = new CertificateTrustList { StoreType = @"Directory", StorePath = @"%CommonApplicationData%\OPC Foundation\CertificateStores\RejectedCertificates" },
            // Accepts the server certificate even when it is not in TrustedPeerCertificates
            AutoAcceptUntrustedCertificates = true
        }
    };

    // The application instance that owns this configuration; generates a self-signed
    // client certificate (2048-bit key) in the ApplicationCertificate store if none exists
    var application = new ApplicationInstance { ApplicationConfiguration = config };
    application.CheckApplicationInstanceCertificate(false, 2048).GetAwaiter().GetResult();

You can also specify which certificate (a custom certificate) to use by changing the SubjectName to the CN of the certificate you want to use. Just make sure you put the private key in the private folder.

If you set the second parameter to true it will use security (certificates) when connecting to your server.

var selectedEndpoint = CoreClientUtils.SelectEndpoint("opc.tcp://" + ip + ":" + port, true);
Victor Pieper
  • 540
  • 2
  • 17
  • Hey @Victor, how are you setting up your session after specifying the certificate configuration? Auto-generating the certs works fine, just like you described. But if I don't want to use anonymous connections, I need to specify a certificate when creating my 'UserIdentity'. How did you solve that? – Pfanna Jun 01 '23 at 13:50
  • 1
    @Pfanna you can create a user identity without needing to specify the certificate. This is how I make my session: `UserIdentity user = new UserIdentity(username, password); EndpointConfiguration endpointConfiguration = EndpointConfiguration.Create(config); ConfiguredEndpoint endpoint = new(null, selectedEndpoint, endpointConfiguration); Session session = await Session.Create(config, endpoint, false, config.ApplicationName, 60000, user, null);` – Victor Pieper Jun 07 '23 at 06:35
  • Thanks a lot for replying :). Okay, I see, you are using username/password authentication. Couldn't get my head around all the certificate stuff at first. Think I got it now, thanks. – Pfanna Jun 07 '23 at 06:43
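Added example (not code from either answer or from the OPC Foundation stack): it combines the store layout and session setup from Victor's answer with the mutual-trust step Ravil describes, but with AutoAcceptUntrustedCertificates set to false. AutoAccept = true makes the client trust whatever certificate the server presents, so any host answering on that address is accepted; here the server certificate is instead compared against a thumbprint obtained out of band, and only a match is accepted and written into the trusted peer store (the programmatic equivalent of copying it into the trusted folder). It assumes the current OPC Foundation UA .NET Standard stack (Opc.Ua.Core, Opc.Ua.Client, Opc.Ua.Configuration namespaces); the thumbprint constant and the "MyClient" name are placeholders.

```csharp
using System;
using System.Threading.Tasks;
using Opc.Ua;
using Opc.Ua.Client;
using Opc.Ua.Configuration;

public static class PinnedOpcUaClient
{
    // Placeholder: replace with the SHA-1 thumbprint of the server certificate as read
    // from the server's own certificate store (obtained out of band, not from the network).
    private const string ExpectedServerThumbprint = "REPLACE_WITH_SERVER_CERT_THUMBPRINT";

    public static async Task<Session> ConnectAsync(string discoveryUrl, string username, string password)
    {
        var config = new ApplicationConfiguration
        {
            ApplicationName = "MyClient",
            ApplicationUri = Utils.Format(@"urn:{0}:MyClient", System.Net.Dns.GetHostName()),
            ApplicationType = ApplicationType.Client,
            SecurityConfiguration = new SecurityConfiguration
            {
                ApplicationCertificate = new CertificateIdentifier { StoreType = @"Directory", StorePath = @"%CommonApplicationData%\OPC Foundation\CertificateStores\MachineDefault", SubjectName = "MyClient" },
                TrustedIssuerCertificates = new CertificateTrustList { StoreType = @"Directory", StorePath = @"%CommonApplicationData%\OPC Foundation\CertificateStores\UA Certificate Authorities" },
                TrustedPeerCertificates = new CertificateTrustList { StoreType = @"Directory", StorePath = @"%CommonApplicationData%\OPC Foundation\CertificateStores\UA Applications" },
                RejectedCertificateStore = new CertificateTrustList { StoreType = @"Directory", StorePath = @"%CommonApplicationData%\OPC Foundation\CertificateStores\RejectedCertificates" },
                // Hardened setting: an unknown peer certificate is rejected unless the
                // validation handler below explicitly accepts it.
                AutoAcceptUntrustedCertificates = false
            },
            TransportConfigurations = new TransportConfigurationCollection(),
            TransportQuotas = new TransportQuotas { OperationTimeout = 15000 },
            ClientConfiguration = new ClientConfiguration { DefaultSessionTimeout = 60000 },
            TraceConfiguration = new TraceConfiguration()
        };
        await config.Validate(ApplicationType.Client);

        // Trust decision for certificates that are not yet in TrustedPeerCertificates.
        config.CertificateValidator.CertificateValidation += (sender, e) =>
        {
            if (e.Error.StatusCode != StatusCodes.BadCertificateUntrusted)
            {
                return; // expired, revoked, hostname mismatch etc.: keep the rejection
            }
            string seen = e.Certificate.Thumbprint;
            bool matches = string.Equals(seen, ExpectedServerThumbprint, StringComparison.OrdinalIgnoreCase);
            Console.WriteLine($"Server certificate '{e.Certificate.Subject}' thumbprint {seen}: " +
                              (matches ? "matches pinned value, accepting" : "unknown, rejecting"));
            e.Accept = matches;
            if (matches)
            {
                // Persist the trust so later runs pass validation without this callback;
                // same effect as copying the certificate into the trusted peer folder.
                using (ICertificateStore store = config.SecurityConfiguration.TrustedPeerCertificates.OpenStore())
                {
                    store.Add(e.Certificate).GetAwaiter().GetResult();
                }
            }
            // A rejected certificate is written to RejectedCertificateStore for inspection.
        };

        var application = new ApplicationInstance
        {
            ApplicationName = "MyClient",
            ApplicationType = ApplicationType.Client,
            ApplicationConfiguration = config
        };
        // Generates the self-signed client certificate in MachineDefault if none exists.
        await application.CheckApplicationInstanceCertificate(false, 2048);

        // useSecurity = true selects the endpoint with the strongest security mode the server
        // offers, so the username/password token is sent over a signed and encrypted channel
        // rather than over a SecurityMode None endpoint.
        EndpointDescription selectedEndpoint = CoreClientUtils.SelectEndpoint(discoveryUrl, true);
        EndpointConfiguration endpointConfiguration = EndpointConfiguration.Create(config);
        var endpoint = new ConfiguredEndpoint(null, selectedEndpoint, endpointConfiguration);
        var user = new UserIdentity(username, password);
        return await Session.Create(config, endpoint, false, config.ApplicationName, 60000, user, null);
    }
}
```

The server side still has to trust the client: the first secure connection attempt puts the client's self-signed certificate into the server's rejected store, from where an administrator moves it to the server's trusted folder, as Ravil's answer describes. Until that is done the server will answer the OpenSecureChannel with a certificate error even though the client side now accepts the server.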