A primer on OPC UA certificate stores: Difference between revisions
(Created page with "This page is a snapshot of the current state of several new articles from the QuickOPC 2018.3 documentation. <h1>Certificate Stores</h1> <h2>Certificate Store Types</h2> <p...") |
No edit summary |
||
(9 intermediate revisions by the same user not shown) | |||
Line 1: | Line 1: | ||
This page is a snapshot of the current state of several new articles from the QuickOPC 2018.3 documentation. | [[Category:Application note]] [[Category:OPC UA]] This page is a snapshot of the current state of several new articles from the QuickOPC 2018.3 documentation. | ||
<h1>Certificate Stores</h1> | <h1>Certificate Stores</h1> | ||
Line 5: | Line 5: | ||
<h2>Certificate Store Types</h2> | <h2>Certificate Store Types</h2> | ||
<p> | <p>QuickOPC can work with certificates located in <em>certificate stores</em>. Certificate stores are of different types; they are either:</p> | ||
<ul> | <ul> | ||
Line 13: | Line 13: | ||
</ul> | </ul> | ||
<p>For more details on each of these types, see | <p>For more details on each of these types, see Windows Certificate | ||
Stores | Stores and Directory Certificate Stores.</p> | ||
<h2>Certificate Store Path</h2> | <h2>Certificate Store Path</h2> | ||
Line 28: | Line 28: | ||
<li>Otherwise, the string denotes a certificate store located in a file system directory, and the value is equal to the directory path. The string can | <li>Otherwise, the string denotes a certificate store located in a file system directory, and the value is equal to the directory path. The string can | ||
contain replaceable <em>tokens</em> that refer to specific locations. For details, see | contain replaceable <em>tokens</em> that refer to specific locations. For details, see Directory Certificate Stores.</li> | ||
</ul> | </ul> | ||
<h2>Certificate Store Locations</h2> | <h2>Certificate Store Locations</h2> | ||
<p> | <p>QuickOPC uses several certificate stores for its operations. The location of the stores is given by various parameters. The stores are:</p> | ||
<ul> | <ul> | ||
<li><strong>Application certificate store</strong>. A client application created with | <li><strong>Application certificate store</strong>. A client application created with QuickOPC looks for or creates its own instance certificate | ||
here. The location of the store is controlled by | here. The location of the store is controlled by EasyUAClient.SharedParameters.EngineParameters.ApplicationParameters.ApplicationCertificateStore property. For | ||
more details, see Providing Client Instance Certificate. | |||
more details, see | |||
<span class="Highlight">The application instance certificates in this store include the private keys.</span></li> | <span class="Highlight">The application instance certificates in this store include the private keys.</span></li> | ||
Line 53: | Line 48: | ||
</ul> | </ul> | ||
<p>For details on rejected certificate store, trusted issuers certificate store and trusted peers certificate store, see | <p>For details on rejected certificate store, trusted issuers certificate store and trusted peers certificate store, see Trusting Server Instance Certificate and Trusting Server HTTPS Certificate.</p> | ||
<p> </p> | <p> </p> | ||
<p> | <p>When targeting .NET framework, by default, all certificates that QuickOPC works with are located in some directory-based certificate store. Specifically:</p> | ||
<ul> | <ul> | ||
Line 75: | Line 68: | ||
</ul> | </ul> | ||
<p> | <p>On Windows, the <strong>%</strong><strong>CommonApplicationData%</strong> token typically resolves to something like <strong>"C:\ProgramData"</strong>. | ||
See <a | See Directory Certificate Stores for more details.</p> | ||
<p>When targeting .NET 6+, all certificates that QuickOPC works with are located in a directory-based certificate store under the current working directory by default. Specifically:</p> | |||
<ul> | |||
<li>Default application certificate store is <strong>"%</strong><strong>LocalFolder%/</strong><strong>OPC | |||
Foundation/CertificateStores/MachineDefault"</strong>.</li> | |||
<li>Default rejected certificate store is <strong>"%</strong><strong>LocalFolder</strong><strong>%/OPC | |||
Foundation/CertificateStores/RejectedCertificates"</strong>.</li> | |||
<li>Default trusted issuers certificate store is <strong>"%</strong><strong>LocalFolder</strong><strong>%/OPC Foundation/CertificateStores/UA Certificate | |||
Authorities"</strong>.</li> | |||
<li>Default trusted peers certificate store is <strong>"%</strong><strong>LocalFolder</strong><strong>%/OPC Foundation/CertificateStores/UA | |||
Applications"</strong>.</li> | |||
</ul> | |||
<p>The <strong>%LocalFolder%</strong> token resolves to the current working directory of the application.</p> | |||
<h2>Certificate Store Security</h2> | <h2>Certificate Store Security</h2> | ||
<p>In a secure deployment, the certificate store itself (that is, read and write access to the certificates it contains) must be secured. | <p>In a secure deployment, the certificate store itself (that is, read and write access to the certificates it contains) must be secured. QuickOPC needs | ||
appropriate permissions to read from (and sometimes write to) the certificate stores. At the same time, access should be denied to unauthorized actors. | appropriate permissions to read from (and sometimes write to) the certificate stores. At the same time, access should be denied to unauthorized actors. | ||
This is most critical for the write access to the stores (and for read access to the private key parts). Securing the certificate stores is outside of | This is most critical for the write access to the stores (and for read access to the private key parts). Securing the certificate stores is outside of | ||
QuickOPC scope.</p> | |||
{{Warning|By default, the private keys in OPC UA certificate stores are not protected by passwords.}} | |||
<p> </p> | <p> </p> | ||
Line 95: | Line 103: | ||
<h2>Structure of the Directory Certificate Store</h2> | <h2>Structure of the Directory Certificate Store</h2> | ||
<p>As described in | <p>As described in Certificate Stores, <em>directory certificate stores</em> reside | ||
in a file system. In many cases, their structure can remain an opaque implementation detail to you. Knowing the structure comes handy if you need to deal with | in a file system. In many cases, their structure can remain an opaque implementation detail to you. Knowing the structure comes handy if you need to deal with | ||
them externally or manually.</p> | them externally or manually.</p> | ||
Line 105: | Line 113: | ||
<li>The <strong>"private"</strong> subdirectory (only in certificate stores which need it). Contains the certificate *with* private keys, in .PFX format. | <li>The <strong>"private"</strong> subdirectory (only in certificate stores which need it). Contains the certificate *with* private keys, in .PFX format. | ||
Instead of .PFX, it can also contain just the private key, in .PEM format ( | Instead of .PFX, it can also contain just the private key, in .PEM format (QuickOPC recognizes this but does not itself create files in directory | ||
certificate stores in this way).</li> | certificate stores in this way).</li> | ||
</ul> | </ul> | ||
Line 113: | Line 121: | ||
<p>The file name of each certificate comprises of the certificate common name (from its subject), followed by a space, and the certificate thumbprint in square | <p>The file name of each certificate comprises of the certificate common name (from its subject), followed by a space, and the certificate thumbprint in square | ||
brackets, e.g. <strong>"My Application [71511464F08D30AF9F9B2BC21CDB78D49BE568B8]"</strong>. Special characters (like <strong>< > : " / \ | ? | brackets, e.g. <strong>"My Application [71511464F08D30AF9F9B2BC21CDB78D49BE568B8]"</strong>. Special characters (like <strong>< > : " / \ | ? *</strong>) that cannot appear in file names are stripped off from the common name.</p> | ||
*</strong>) that cannot appear in file names are stripped off from the common name.</p> | |||
<h2>Syntax of Directory Certificate Store Path</h2> | <h2>Syntax of Directory Certificate Store Path</h2> | ||
Line 120: | Line 127: | ||
<p>In its simplest form, the directory certificate store path is an absolute path to the directory that holds the store, e.g. <strong>"C:\ProgramData\OPC | <p>In its simplest form, the directory certificate store path is an absolute path to the directory that holds the store, e.g. <strong>"C:\ProgramData\OPC | ||
Foundation\CertificateStores\MachineDefault"</strong>. Since absolute paths are not flexible enough and may fail to work when the application is transferred to | Foundation\CertificateStores\MachineDefault"</strong>. Since absolute paths are not flexible enough and may fail to work when the application is transferred to | ||
a computer with different configuration, | a computer with different configuration, QuickOPC allows you to include replaceable <em>tokens</em> in the directory certificate store path. A token is | ||
enclosed in percentage sign characters, e.g. <strong>%</strong><strong>CommonApplicationData%</strong>. For the token to be recognized, the directory | enclosed in percentage sign characters, e.g. <strong>%</strong><strong>CommonApplicationData%</strong>. For the token to be recognized, the directory | ||
certificate store path must begin directly with the token (the percent sign). Tokens are not recognized further down in the string.</p> | certificate store path must begin directly with the token (the percent sign). Tokens are not recognized further down in the string.</p> | ||
<p>The following | <p>The following three types of tokens can be used. QuickOPC searches for them from top to bottom.</p> | ||
<ul> | <ul> | ||
<li><strong>Special folders</strong>. Any enumerated constant name from the .NET <span class="Identifier">Environment</span>.<span class= | <li><strong>Special folders</strong>. Any enumerated constant name from the .NET <span class="Identifier">Environment</span>.<span class= | ||
"Identifier">SpecialFolder</span> enumeration ( | "Identifier">SpecialFolder</span> enumeration (https://docs.microsoft.com/en-us/dotnet/api/system.environment.specialfolder ) | ||
can be used as a token. The token is replaced by the absolute path of the corresponding special folder. Not all available special folders make sense with | can be used as a token. The token is replaced by the absolute path of the corresponding special folder. Not all available special folders make sense with | ||
OPC UA, but the following ones are good candidates: <span class="Identifier">CommonApplicationData</span>, <span class= | OPC UA, but the following ones are good candidates: <span class="Identifier">CommonApplicationData</span>, <span class= | ||
Line 136: | Line 142: | ||
<li><strong>Environment variables</strong>. These are the operating system environment variable names, as available to the current process. The value of | <li><strong>Environment variables</strong>. These are the operating system environment variable names, as available to the current process. The value of | ||
the environment variable is retrieved, and replaces the token.</li> | the environment variable is retrieved, and replaces the token.</li> | ||
<li>On .NET 6+ development platform only: "<strong>%LocalFolder%</strong>" (case sensitive). The current working directory of the application replaces the token. The string does not end with a backslash (\) or a slash (/).</li> | |||
</ul> | </ul> | ||
<p>If the token name is not recognized, the token is replaced by an empty string (i.e. the token is removed).</p> | <p>If the token name is not recognized, the token is replaced by an empty string (i.e. the token is removed).</p> | ||
<p> | <p>When targeting .NET Framework (as opposed to .NET 6+), the default directory certificate store paths all start with the <strong>%</strong><strong>CommonApplicationData%</strong> token, which typically | ||
resolves to something like <strong>"C:\ProgramData"</strong>.</p> | resolves to something like <strong>"C:\ProgramData"</strong>.</p> | ||
Line 149: | Line 157: | ||
<p> </p> | <p> </p> | ||
<h1>Windows Certificate Stores</h1> | <h1>Windows Certificate Stores</h1> | ||
<p>The Windows Certificate Stores are implemented and maintained by the Windows operating system. As explained in | <p>The Windows Certificate Stores are implemented and maintained by the Windows operating system. As explained in Certificate Stores, you specify the Windows certificate store by starting the certificate store path by either | ||
<strong>"LocalMachine\"</strong> or <strong>"CurrentUser\"</strong>.</p> | <strong>"LocalMachine\"</strong> or <strong>"CurrentUser\"</strong>.</p> | ||
Line 164: | Line 171: | ||
<p>The store name follows the prefix.</p> | <p>The store name follows the prefix.</p> | ||
{{Note| | |||
To manage the local computer certificates, type {{Style=keyboard|certlm.msc}} into the Windows search box, and press Enter. You will need administrative privileges to manage the local computer certificates.<br/> | |||
To manage the certificates for the current user, type {{Style=keyboard|certmgr.msc}} into the Windows search box, and press Enter.<br/> | |||
Note, however, that the logical store names displayed by the management console are not the same as the physical certificate store names, and that some stores may not be displayed at all. | |||
}} | |||
<p> </p> | |||
<syntaxhighlight lang="C#"> | |||
// This example demonstrates how to place the client certificate in the Windows certificate store. | |||
using System; | |||
using OpcLabs.EasyOpc.UA; | |||
namespace UADocExamples._UAApplicationParameters | |||
{ | |||
class ApplicationCertificateStore | |||
{ | |||
public static void Windows() | |||
{ | |||
UAEndpointDescriptor endpointDescriptor = | |||
"opc.tcp://opcua.demo-this.com:51210/UA/SampleServer"; | |||
// or "http://opcua.demo-this.com:51211/UA/SampleServer" (not in .NET Standard) | |||
// or "https://opcua.demo-this.com:51212/UA/SampleServer/" | |||
// Set the application certificate store path, which determines the location of the client certificate. | |||
// Note that this only works once in each host process. | |||
EasyUAClient.SharedParameters.EngineParameters.ApplicationParameters.ApplicationCertificateStore = "CurrentUser\\My"; | |||
// Do something - invoke an OPC read, to trigger creation of the certificate. | |||
var client = new EasyUAClient(); | |||
client.ReadValue(endpointDescriptor, "nsu=http://test.org/UA/Data/;i=10853"); | |||
// The certificate will be located or created in the specified Windows certificate store. | |||
// When viewed by the certmgr.msc tool, it will be under | |||
// Certificates - Current User -> Personal -> Certificates. | |||
Console.WriteLine("Done."); | |||
} | |||
} | |||
</ | } | ||
</syntaxhighlight> | |||
<p> </p> | <p> </p> |
Latest revision as of 12:30, 14 May 2024
This page is a snapshot of the current state of several new articles from the QuickOPC 2018.3 documentation.
Certificate Stores
Certificate Store Types
QuickOPC can work with certificates located in certificate stores. Certificate stores are of different types; they are either:
- Windows certificate store, or
- directory in a file system.
For more details on each of these types, see Windows Certificate Stores and Directory Certificate Stores.
Certificate Store Path
The certificate store is identified by a string, called certificate store path. The syntax and semantics of this string is as follows:
- If the string starts with "LocalMachine\" (case insensitive), it denotes a Windows certificate store for the local computer. The store name follows this prefix.
- If the string starts with "CurrentUser\" (case insensitive), it denotes a Windows certificate store for the current user. The store name follows this prefix.
- Otherwise, the string denotes a certificate store located in a file system directory, and the value is equal to the directory path. The string can contain replaceable tokens that refer to specific locations. For details, see Directory Certificate Stores.
Certificate Store Locations
QuickOPC uses several certificate stores for its operations. The location of the stores is given by various parameters. The stores are:
- Application certificate store. A client application created with QuickOPC looks for or creates its own instance certificate here. The location of the store is controlled by EasyUAClient.SharedParameters.EngineParameters.ApplicationParameters.ApplicationCertificateStore property. For more details, see Providing Client Instance Certificate. The application instance certificates in this store include the private keys.
- Rejected certificate store. Server certificates that fail validation are placed into this store.
- Trusted issuers certificate store. Contains certificates of Certification Authorities to be trusted.
- Trusted peers certificate store. Contains specific OPC UA application instance certificates to be trusted.
For details on rejected certificate store, trusted issuers certificate store and trusted peers certificate store, see Trusting Server Instance Certificate and Trusting Server HTTPS Certificate.
When targeting .NET framework, by default, all certificates that QuickOPC works with are located in some directory-based certificate store. Specifically:
- Default application certificate store is "%CommonApplicationData%\OPC Foundation\CertificateStores\MachineDefault".
- Default rejected certificate store is "%CommonApplicationData%\OPC Foundation\CertificateStores\RejectedCertificates".
- Default trusted issuers certificate store is "%CommonApplicationData%\OPC Foundation\CertificateStores\UA Certificate Authorities".
- Default trusted peers certificate store is "%CommonApplicationData%\OPC Foundation\CertificateStores\UA Applications".
On Windows, the %CommonApplicationData% token typically resolves to something like "C:\ProgramData". See Directory Certificate Stores for more details.
When targeting .NET 6+, all certificates that QuickOPC works with are located in a directory-based certificate store under the current working directory by default. Specifically:
- Default application certificate store is "%LocalFolder%/OPC Foundation/CertificateStores/MachineDefault".
- Default rejected certificate store is "%LocalFolder%/OPC Foundation/CertificateStores/RejectedCertificates".
- Default trusted issuers certificate store is "%LocalFolder%/OPC Foundation/CertificateStores/UA Certificate Authorities".
- Default trusted peers certificate store is "%LocalFolder%/OPC Foundation/CertificateStores/UA Applications".
The %LocalFolder% token resolves to the current working directory of the application.
Certificate Store Security
In a secure deployment, the certificate store itself (that is, read and write access to the certificates it contains) must be secured. QuickOPC needs appropriate permissions to read from (and sometimes write to) the certificate stores. At the same time, access should be denied to unauthorized actors. This is most critical for the write access to the stores (and for read access to the private key parts). Securing the certificate stores is outside of QuickOPC scope.
Directory Certificate Stores
Structure of the Directory Certificate Store
As described in Certificate Stores, directory certificate stores reside in a file system. In many cases, their structure can remain an opaque implementation detail to you. Knowing the structure comes handy if you need to deal with them externally or manually.
There are no files at the "root" of the directory certificate, only sub-directories, and they are:
- The "certs" subdirectory. Contains the certificates without private keys, in .DER format.
- The "private" subdirectory (only in certificate stores which need it). Contains the certificate *with* private keys, in .PFX format. Instead of .PFX, it can also contain just the private key, in .PEM format (QuickOPC recognizes this but does not itself create files in directory certificate stores in this way).
If the certificate store contains a certificate with a private key, it will therefore be present in both "certs" and "private" subdirectories, each time in a different format.
The file name of each certificate comprises of the certificate common name (from its subject), followed by a space, and the certificate thumbprint in square brackets, e.g. "My Application [71511464F08D30AF9F9B2BC21CDB78D49BE568B8]". Special characters (like < > : " / \ | ? *) that cannot appear in file names are stripped off from the common name.
Syntax of Directory Certificate Store Path
In its simplest form, the directory certificate store path is an absolute path to the directory that holds the store, e.g. "C:\ProgramData\OPC Foundation\CertificateStores\MachineDefault". Since absolute paths are not flexible enough and may fail to work when the application is transferred to a computer with different configuration, QuickOPC allows you to include replaceable tokens in the directory certificate store path. A token is enclosed in percentage sign characters, e.g. %CommonApplicationData%. For the token to be recognized, the directory certificate store path must begin directly with the token (the percent sign). Tokens are not recognized further down in the string.
The following three types of tokens can be used. QuickOPC searches for them from top to bottom.
- Special folders. Any enumerated constant name from the .NET Environment.SpecialFolder enumeration (https://docs.microsoft.com/en-us/dotnet/api/system.environment.specialfolder ) can be used as a token. The token is replaced by the absolute path of the corresponding special folder. Not all available special folders make sense with OPC UA, but the following ones are good candidates: CommonApplicationData, CommonProgramFiles, ProgramFiles, etc.
- Environment variables. These are the operating system environment variable names, as available to the current process. The value of the environment variable is retrieved, and replaces the token.
- On .NET 6+ development platform only: "%LocalFolder%" (case sensitive). The current working directory of the application replaces the token. The string does not end with a backslash (\) or a slash (/).
If the token name is not recognized, the token is replaced by an empty string (i.e. the token is removed).
When targeting .NET Framework (as opposed to .NET 6+), the default directory certificate store paths all start with the %CommonApplicationData% token, which typically resolves to something like "C:\ProgramData".
Example: The default application certificate store path is specified as "%CommonApplicationData%\OPC Foundation\CertificateStores\MachineDefault", and it may resolve to "C:\ProgramData\OPC Foundation\CertificateStores\MachineDefault".
Windows Certificate Stores
The Windows Certificate Stores are implemented and maintained by the Windows operating system. As explained in Certificate Stores, you specify the Windows certificate store by starting the certificate store path by either "LocalMachine\" or "CurrentUser\".
- If the string starts with "LocalMachine\" (case insensitive), it denotes a Windows certificate store for the local computer. Commonly used examples are: "LocalMachine\My", "LocalMachine\UA Applications" or "LocalMachine\UA Certificate Authorities".
- If the string starts with "CurrentUser\" (case insensitive), it denotes a Windows certificate store for the current user. Commonly used examples are: "CurrentUser\My" or "CurrentUser\Root".
The store name follows the prefix.
Note:
To manage the local computer certificates, type certlm.msc into the Windows search box, and press Enter. You will need administrative privileges to manage the local computer certificates.
To manage the certificates for the current user, type certmgr.msc into the Windows search box, and press Enter.
Note, however, that the logical store names displayed by the management console are not the same as the physical certificate store names, and that some stores may not be displayed at all.
// This example demonstrates how to place the client certificate in the Windows certificate store.
using System;
using OpcLabs.EasyOpc.UA;
namespace UADocExamples._UAApplicationParameters
{
class ApplicationCertificateStore
{
public static void Windows()
{
UAEndpointDescriptor endpointDescriptor =
"opc.tcp://opcua.demo-this.com:51210/UA/SampleServer";
// or "http://opcua.demo-this.com:51211/UA/SampleServer" (not in .NET Standard)
// or "https://opcua.demo-this.com:51212/UA/SampleServer/"
// Set the application certificate store path, which determines the location of the client certificate.
// Note that this only works once in each host process.
EasyUAClient.SharedParameters.EngineParameters.ApplicationParameters.ApplicationCertificateStore = "CurrentUser\\My";
// Do something - invoke an OPC read, to trigger creation of the certificate.
var client = new EasyUAClient();
client.ReadValue(endpointDescriptor, "nsu=http://test.org/UA/Data/;i=10853");
// The certificate will be located or created in the specified Windows certificate store.
// When viewed by the certmgr.msc tool, it will be under
// Certificates - Current User -> Personal -> Certificates.
Console.WriteLine("Done.");
}
}
}