Authenticating with OPC UA user certificate in QuickOPC

From OPC Labs Knowledge Base


This article describes the code and other steps needed to develop a client with QuickOPC that uses a user certificate to authenticate the user to the OPC UA server.

Basics

The concepts related to user authentication in OPC UA, including the use of an X.509 certificate token as one of the alternatives, are explained in the documentation: OPC UA User Authentication (Client).

Creating the user certificate

In most cases, the infrastructure for managing user certificates will be a "given" and already in place; you will then simply use the existing certificates.

Using OpenSSL command-line tool

For demonstration purposes, we can create a self-signed user certificate ourselves. We have done this on Windows with the OpenSSL command-line tool, using the build of "Win64 OpenSSL v3.6.0" from https://slproweb.com/products/Win32OpenSSL.html . After installing it, we created a file named CreateUserCertificate.cmd with the following content:

set openssl="C:\Program Files\OpenSSL-Win64\bin\openssl.exe"

%openssl% genrsa -out user_private_key.pem 2048
%openssl% req -x509 -new -nodes -key user_private_key.pem -days 365 -out user_certificate.pem -subj "/C=US/O=MyCompany/CN=John Doe" 
%openssl% x509 -in user_certificate.pem -outform der -out user_certificate.der
%openssl% pkcs12 -export -keypbe NONE -certpbe NONE -nomaciter -passout pass: -out user_certificate.pfx -inkey user_private_key.pem -in user_certificate.pem -name "John Doe"

The batch file first generates an RSA key pair and writes it to the user_private_key.pem file. It then creates a self-signed user certificate for that key and stores it in user_certificate.pem. Since the certificate might be needed in various forms, the third command converts it to DER encoding in user_certificate.der, and the last command produces user_certificate.pfx, which contains the certificate together with its private key. Note that the PFX is written without encryption and with an empty password (-keypbe NONE -certpbe NONE -passout pass:), so anyone who can read the file can act as this user; keep it readable only by the client process, or choose a real password for anything beyond a demonstration. Note also that the req command adds no Key Usage extension to the certificate (OpenSSL's -addext option can add one); this matters for the Prosys server, see the note under Configuring the OPC UA server below.
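As an added example that is not part of the original article and not QuickOPC code, the same set of files can be produced without OpenSSL from a small .NET program using the CertificateRequest class. Unlike the batch file, it puts a Key Usage extension into the certificate and protects the PFX with a password. It assumes .NET 7 or later (for the PEM export methods); the subject name and the password "change-me" are illustrative placeholders.

```csharp
using System;
using System.IO;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

// Added example, not code from the article or from QuickOPC. Assumes .NET 7 or later
// (ExportCertificatePem, ExportPkcs8PrivateKeyPem). Subject and password are placeholders.
public static class UserCertificateFactory
{
    // Creates a self-signed end-entity certificate for the given RSA key.
    public static X509Certificate2 CreateSelfSigned(RSA key, string subject, int validDays)
    {
        var request = new CertificateRequest(
            subject, key, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);

        // Not a CA, and an explicit statement of what the key may be used for. The
        // digitalSignature bit is what the client needs to sign the identity token;
        // the batch file above emits no Key Usage extension at all.
        request.CertificateExtensions.Add(new X509BasicConstraintsExtension(
            certificateAuthority: false, hasPathLengthConstraint: false, pathLengthConstraint: 0, critical: true));
        request.CertificateExtensions.Add(new X509KeyUsageExtension(
            X509KeyUsageFlags.DigitalSignature | X509KeyUsageFlags.NonRepudiation, critical: true));
        request.CertificateExtensions.Add(new X509SubjectKeyIdentifierExtension(
            request.PublicKey, critical: false));

        DateTimeOffset notBefore = DateTimeOffset.UtcNow.AddMinutes(-5); // tolerate small clock skew
        return request.CreateSelfSigned(notBefore, notBefore.AddDays(validDays));
    }

    // Writes the same kinds of files the batch file produces: certificate as PEM and DER,
    // private key as PEM, and a PFX that bundles certificate and key under a password.
    public static void WriteFiles(
        X509Certificate2 certificate, RSA key, string certificateBaseName, string privateKeyFileName, string pfxPassword)
    {
        File.WriteAllText(certificateBaseName + ".pem", certificate.ExportCertificatePem());
        File.WriteAllBytes(certificateBaseName + ".der", certificate.Export(X509ContentType.Cert));
        File.WriteAllBytes(certificateBaseName + ".pfx", certificate.Export(X509ContentType.Pfx, pfxPassword));
        File.WriteAllText(privateKeyFileName, key.ExportPkcs8PrivateKeyPem()); // unencrypted, like the batch file
    }
}

public static class Program
{
    public static void Main()
    {
        using RSA key = RSA.Create(2048);
        using X509Certificate2 certificate =
            UserCertificateFactory.CreateSelfSigned(key, "CN=John Doe, O=MyCompany, C=US", validDays: 365);
        UserCertificateFactory.WriteFiles(
            certificate, key, "user_certificate", "user_private_key.pem", pfxPassword: "change-me");
        Console.WriteLine($"Created {certificate.Subject}, thumbprint {certificate.Thumbprint}");
    }
}
```

The DER file is what goes into the server's user certificate store, and the PEM files are what UaExpert asks for; the PFX is what the QuickOPC client code below loads. Because this PFX has a password, the plain file-name call shown in the article will not open it as-is; use the empty-password batch file output with that call, or consult the QuickOPC documentation for supplying a PFX password.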

User certificate in OPC UA client

Client code with QuickOPC

The code below connects to an OPC UA server, authenticating the user with a certificate from a given file. The endpoint URL and the node ID used are for the Prosys OPC UA Simulation Server, but they can be changed as needed to make the example work with other servers.

When successful, the example reads a node and displays its current data value. In case of an error, it displays the corresponding error message.

The example uses the user_certificate.pfx file, generated with the procedure described above, for the user certificate. The file must be present in the same directory where the program executable runs.

using OpcLabs.EasyOpc.UA;
using OpcLabs.EasyOpc.UA.Extensions;
using OpcLabs.EasyOpc.UA.OperationModel;

var endpointDescriptor = new UAEndpointDescriptor("opc.tcp://localhost:53530/OPCUA/SimulationServer")
    .WithX509CertificateIdentity("user_certificate.pfx");

var client = new EasyUAClient();
try
{
    var attributeData = client.Read(
        endpointDescriptor, 
        "nsu=http://www.prosysopc.com/OPCUA/SimulationNodes/;i=1001");
    Console.WriteLine(attributeData);
}
catch (UAException uaException)
{
    // GetBaseException() yields the innermost exception, and never returns null,
    // unlike InnerException, which may be null for some failures.
    Console.WriteLine($"*** {uaException.GetBaseException().Message}");
}
Console.ReadLine();
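The following is an added example, not code from the article or from QuickOPC: before the PFX is handed to QuickOPC, it is opened with the .NET X.509 classes and checked for the usual local causes of a rejected identity token (no private key, expired, no Key Usage extension, short key), so that such a problem is reported before the server is contacted. The QuickOPC calls are the same ones shown above. It assumes the empty-password PFX produced by the batch file; how a PFX password is supplied to QuickOPC is not covered here.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using OpcLabs.EasyOpc.UA;
using OpcLabs.EasyOpc.UA.Extensions;
using OpcLabs.EasyOpc.UA.OperationModel;

// Added example, not QuickOPC's own code. Pre-flight checks on the user certificate file.
public static class UserCertificateCheck
{
    // Returns findings; an empty list means the certificate looks usable as a user identity.
    public static IReadOnlyList<string> Inspect(X509Certificate2 certificate, DateTime now)
    {
        var findings = new List<string>();

        if (!certificate.HasPrivateKey)
            findings.Add("no private key: the client cannot sign the identity token");

        // NotBefore/NotAfter are returned in local time, so compare against local time.
        if (now < certificate.NotBefore || now > certificate.NotAfter)
            findings.Add($"outside validity period {certificate.NotBefore:u} to {certificate.NotAfter:u}");

        var keyUsage = certificate.Extensions.OfType<X509KeyUsageExtension>().FirstOrDefault();
        if (keyUsage is null)
            findings.Add("no Key Usage extension (see the Prosys note on BadIdentityTokenRejected)");
        else if (!keyUsage.KeyUsages.HasFlag(X509KeyUsageFlags.DigitalSignature))
            findings.Add("Key Usage does not include digitalSignature");

        using RSA? rsa = certificate.GetRSAPublicKey();
        if (rsa is not null && rsa.KeySize < 2048)
            findings.Add($"RSA key is only {rsa.KeySize} bits");

        return findings;
    }

    public static IReadOnlyList<string> InspectFile(string fileName, string password)
    {
        // EphemeralKeySet keeps the private key out of the Windows key store.
        // On .NET 9 or later, X509CertificateLoader.LoadPkcs12FromFile replaces this constructor.
        using var certificate = new X509Certificate2(fileName, password, X509KeyStorageFlags.EphemeralKeySet);
        return Inspect(certificate, DateTime.Now);
    }
}

public static class Program
{
    public static void Main()
    {
        // Empty password matches the PFX exported by the batch file above.
        IReadOnlyList<string> findings = UserCertificateCheck.InspectFile("user_certificate.pfx", password: "");
        foreach (string finding in findings)
            Console.WriteLine($"user certificate: {finding}");
        // Findings are worth fixing before blaming the server, but only the missing private key
        // is certain to fail; the connection attempt below is made regardless.

        var endpointDescriptor = new UAEndpointDescriptor("opc.tcp://localhost:53530/OPCUA/SimulationServer")
            .WithX509CertificateIdentity("user_certificate.pfx");

        var client = new EasyUAClient();
        try
        {
            var attributeData = client.Read(
                endpointDescriptor,
                "nsu=http://www.prosysopc.com/OPCUA/SimulationNodes/;i=1001");
            Console.WriteLine(attributeData);
        }
        catch (UAException uaException)
        {
            Console.WriteLine($"*** {uaException.GetBaseException().Message}");
        }
    }
}
```

If the file checks pass and the server still answers with BadIdentityTokenRejected, the problem is on the server side (certificate not in the user store, or the Key Usage check described below), not in the file the client loaded.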

UaExpert

You can use UaExpert to verify whether the OPC UA server is configured properly, and the user certificate works as intended.

In the "Authentication Settings" control group shown when connecting to the server or configuring the connection properties, select "Certificate". For "Certificate", select the user_certificate.der file. For "Private Key", select the user_private_key.pem file (the private key, not the user_certificate.pem file, which holds only the certificate).

Configuring the OPC UA server

Prosys OPC UA Simulation Server

We have tested with Prosys OPC UA Simulation Server version 5.6.0-6, on Windows.

The certificate store for user certificates is located under C:\Users\username\.prosysopc\prosys-opc-ua-simulation-server\USERS_PKI\CA .

Steps to do:

  1. Menu: Options -> Switch to Expert Mode
  2. On Users tab: In User Authentication Methods, uncheck Anonymous.
  3. On Users tab: In User Authentication Methods, verify that Certificate is checked. If it is not, check it.
  4. If you have changed any settings in the steps above, then restart the server by closing the app, choosing to save the changes, and running it again.
  5. Copy the user certificate file in the DER format (in our example, the user_certificate.der file) to the certs subfolder of the server's user certificate store.

If everything is set up right, but the client still reports BadIdentityTokenRejected errors: from a discussion with a Prosys developer, it appears that the server might incorrectly refuse user certificates that lack the Key Usage extensions required for application certificates. To work around this, open Options -> Preferences in the server and check Ignore Key Usage Certificate Checks. Be aware that this probably also weakens the checks on client application instance certificates, so treat it as a test-only setting; issuing the user certificate with a Key Usage extension should make the workaround unnecessary.

For troubleshooting, server logs can be found here: C:\Users\username\.prosysopc\prosys-opc-ua-simulation-server\log\simulationserver.log .