A primer on OPC UA certificate stores: Difference between revisions

From OPC Labs Knowledge Base
(Created page with "This page is a snapshot of the current state of several new articles from the QuickOPC 2018.3 documentation. <h1>Certificate Stores</h1> <h2>Certificate Store Types</h2> <p...")
 
No edit summary
Line 5: Line 5:
<h2>Certificate Store Types</h2>
<h2>Certificate Store Types</h2>


<p>%%ProductName%% can work with certificates located in&nbsp;<em>certificate stores</em>. Certificate stores are of different types; they are either:</p>
<p>QuickOPC can work with certificates located in&nbsp;<em>certificate stores</em>. Certificate stores are of different types; they are either:</p>


<ul>
<ul>
Line 34: Line 34:
<h2>Certificate Store Locations</h2>
<h2>Certificate Store Locations</h2>


<p>%%ProductName%% uses several certificate stores for its operations. The location of the stores is given by various parameters. The stores are:</p>
<p>QuickOPC uses several certificate stores for its operations. The location of the stores is given by various parameters. The stores are:</p>


<ul>
<ul>
     <li><strong>Application certificate store</strong>. A client application created with %%ProductName%% looks for or creates its own instance certificate
     <li><strong>Application certificate store</strong>. A client application created with QuickOPC looks for or creates its own instance certificate
     here. The location of the store is controlled by <a href="OpcLabs.EasyOpcUA~OpcLabs.EasyOpc.UA.EasyUAClient.html">EasyUAClient</a>.<a href=
     here. The location of the store is controlled by <a href="OpcLabs.EasyOpcUA~OpcLabs.EasyOpc.UA.EasyUAClient.html">EasyUAClient</a>.<a href=
     "OpcLabs.EasyOpcUA~OpcLabs.EasyOpc.UA.EasyUAClient~SharedParameters.html">SharedParameters</a>.<a href=
     "OpcLabs.EasyOpcUA~OpcLabs.EasyOpc.UA.EasyUAClient~SharedParameters.html">SharedParameters</a>.<a href=
Line 59: Line 59:
<p>&nbsp;</p>
<p>&nbsp;</p>


<p>By default, all certificates&nbsp;that %%ProductName%% works with are located in some directory-based certificate store. Specifically:</p>
<p>By default, all certificates&nbsp;that QuickOPC works with are located in some directory-based certificate store. Specifically:</p>


<ul>
<ul>
Line 80: Line 80:
<h2>Certificate Store Security</h2>
<h2>Certificate Store Security</h2>


<p>In a secure deployment, the certificate store itself (that is, read and write access to the certificates it contains) must be secured. %%ProductName%% needs
<p>In a secure deployment, the certificate store itself (that is, read and write access to the certificates it contains) must be secured. QuickOPC needs
appropriate permissions to read from (and sometimes write to) the certificate stores. At the same time, access should be denied to unauthorized&nbsp;actors.
appropriate permissions to read from (and sometimes write to) the certificate stores. At the same time, access should be denied to unauthorized&nbsp;actors.
This is most critical for the write access to the stores (and for read access to the private key parts). Securing the certificate stores is outside of
This is most critical for the write access to the stores (and for read access to the private key parts). Securing the certificate stores is outside of
%%ProductName%% scope.</p>
QuickOPC scope.</p>


<innovasys:widget layout="block" type="Note Box">
<innovasys:widget layout="block" type="Note Box">
Line 105: Line 105:


     <li>The <strong>"private"</strong> subdirectory (only in certificate stores which need it). Contains the certificate *with* private keys, in .PFX format.
     <li>The <strong>"private"</strong> subdirectory (only in certificate stores which need it). Contains the certificate *with* private keys, in .PFX format.
     Instead of .PFX, it can also contain just the private key, in .PEM format (%%ProductName%% recognizes this but does not itself create files in directory
     Instead of .PFX, it can also contain just the private key, in .PEM format (QuickOPC recognizes this but does not itself create files in directory
     certificate stores in this way).</li>
     certificate stores in this way).</li>
</ul>
</ul>
Line 120: Line 120:
<p>In its simplest form, the directory certificate store path is an absolute path to the directory that holds the store, e.g. <strong>"C:\ProgramData\OPC
<p>In its simplest form, the directory certificate store path is an absolute path to the directory that holds the store, e.g. <strong>"C:\ProgramData\OPC
Foundation\CertificateStores\MachineDefault"</strong>. Since absolute paths are not flexible enough and may fail to work when the application is transferred to
Foundation\CertificateStores\MachineDefault"</strong>. Since absolute paths are not flexible enough and may fail to work when the application is transferred to
a computer with different configuration, %%ProductName%% allows you to include replaceable <em>tokens</em> in the directory certificate store path. A token is
a computer with different configuration, QuickOPC allows you to include replaceable <em>tokens</em> in the directory certificate store path. A token is
enclosed in percentage sign characters, e.g. <strong>%</strong><strong>CommonApplicationData%</strong>. For the token to be recognized, the directory
enclosed in percentage sign characters, e.g. <strong>%</strong><strong>CommonApplicationData%</strong>. For the token to be recognized, the directory
certificate store path must begin directly with the token (the percent sign). Tokens are not recognized further down in the string.</p>
certificate store path must begin directly with the token (the percent sign). Tokens are not recognized further down in the string.</p>


<p>The following two types of tokens can be used. %%ProductName%% searches for them from top to bottom.</p>
<p>The following two types of tokens can be used. QuickOPC searches for them from top to bottom.</p>


<ul>
<ul>

Revision as of 09:56, 14 June 2018

This page is a snapshot of the current state of several new articles from the QuickOPC 2018.3 documentation.

Certificate Stores

Certificate Store Types

QuickOPC can work with certificates located in certificate stores. Certificate stores are of different types; they are either:

  • Windows certificate store, or
  • directory in a file system.

For more details on each of these types, see <a href="901f8522-103c-45d5-8659-4dfce19f2209" data-auto-update-caption="true">Windows Certificate Stores</a> and <a href="d72d3bb7-3bdd-4dfe-9b0e-654e5ae4fe05" data-auto-update-caption="true">Directory Certificate Stores</a>.

Certificate Store Path

The certificate store is identified by a string, called certificate store path. The syntax and semantics of this string is as follows:

  • If the string starts with "LocalMachine\" (case insensitive), it denotes a Windows certificate store for the local computer. The store name follows this prefix.
  • If the string starts with "CurrentUser\" (case insensitive), it denotes a Windows certificate store for the current user. The store name follows this prefix.
  • Otherwise, the string denotes a certificate store located in a file system directory, and the value is equal to the directory path. The string can contain replaceable tokens that refer to specific locations. For details, see <a href="d72d3bb7-3bdd-4dfe-9b0e-654e5ae4fe05" data-auto-update-caption="true">Directory Certificate Stores</a>.

Certificate Store Locations

QuickOPC uses several certificate stores for its operations. The location of the stores is given by various parameters. The stores are:

  • Application certificate store. A client application created with QuickOPC looks for or creates its own instance certificate here. The location of the store is controlled by <a href="OpcLabs.EasyOpcUA~OpcLabs.EasyOpc.UA.EasyUAClient.html">EasyUAClient</a>.<a href= "OpcLabs.EasyOpcUA~OpcLabs.EasyOpc.UA.EasyUAClient~SharedParameters.html">SharedParameters</a>.<a href= "OpcLabs.EasyOpcUA~OpcLabs.EasyOpc.UA.Engine.EasyUASharedParameters~EngineParameters.html">EngineParameters</a>.<a href= "OpcLabs.EasyOpcUA~OpcLabs.EasyOpc.UA.Engine.UAClientEngineParameters~ApplicationParameters.html">ApplicationParameters</a>.<a href= "OpcLabs.EasyOpcUA~OpcLabs.EasyOpc.UA.Engine.UAClientApplicationParameters~ApplicationCertificateStore.html">ApplicationCertificateStore</a> property. For more details, see <a href="a724e46e-440d-4ad0-8148-dd7ef23a8f9b" data-auto-update-caption="true">Providing Client Instance Certificate</a>. The application instance certificates in this store include the private keys.
  • Rejected certificate store. Server certificates that fail validation are placed into this store.
  • Trusted issuers certificate store. Contains certificates of Certification Authorities to be trusted.
  • Trusted peers certificate store. Contains specific OPC UA application instance certificates to be trusted.

For details on rejected certificate store, trusted issuers certificate store and trusted peers certificate store, see <a href= "31ff9304-a7f3-452a-9803-fde328a7738d" data-auto-update-caption="true">Trusting Server Instance Certificate</a> and <a href= "a8e4e567-d5cd-41b8-bbcb-835dd58bb3be" data-auto-update-caption="true">Trusting Server HTTPS Certificate</a>.

 

By default, all certificates that QuickOPC works with are located in some directory-based certificate store. Specifically:

  • Default application certificate store is "%CommonApplicationData%\OPC Foundation\CertificateStores\MachineDefault".
  • Default rejected certificate store is "%CommonApplicationData%\OPC Foundation\CertificateStores\RejectedCertificates".
  • Default trusted issuers certificate store is "%CommonApplicationData%\OPC Foundation\CertificateStores\UA Certificate Authorities".
  • Default trusted peers certificate store is "%CommonApplicationData%\OPC Foundation\CertificateStores\UA Applications".

The %CommonApplicationData% token typically resolves to something like "C:\ProgramData". See <a href="d72d3bb7-3bdd-4dfe-9b0e-654e5ae4fe05" data-auto-update-caption="true">Directory Certificate Stores</a> for more details.

Certificate Store Security

In a secure deployment, the certificate store itself (that is, read and write access to the certificates it contains) must be secured. QuickOPC needs appropriate permissions to read from (and sometimes write to) the certificate stores. At the same time, access should be denied to unauthorized actors. This is most critical for the write access to the stores (and for read access to the private key parts). Securing the certificate stores is outside of QuickOPC scope.

<innovasys:widget layout="block" type="Note Box">

   <innovasys:widgetproperty layout="block" name="Content">The private keys in OPC UA certificate stores are not protected by
   passwords.</innovasys:widgetproperty>

</innovasys:widget>

 

Directory Certificate Stores

Structure of the Directory Certificate Store

As described in <a href="Certificate Stores.html" data-auto-update-caption="true">Certificate Stores</a>, directory certificate stores reside in a file system. In many cases, their structure can remain an opaque implementation detail to you. Knowing the structure comes handy if you need to deal with them externally or manually.

There are no files at the "root" of the directory certificate, only sub-directories, and they are:

  • The "certs" subdirectory. Contains the certificates without private keys, in .DER format.
  • The "private" subdirectory (only in certificate stores which need it). Contains the certificate *with* private keys, in .PFX format. Instead of .PFX, it can also contain just the private key, in .PEM format (QuickOPC recognizes this but does not itself create files in directory certificate stores in this way).

If the certificate store contains a certificate with a private key, it will therefore be present in both "certs" and "private" subdirectories, each time in a different format.

The file name of each certificate comprises of the certificate common name (from its subject), followed by a space, and the certificate thumbprint in square brackets, e.g. "My Application [71511464F08D30AF9F9B2BC21CDB78D49BE568B8]". Special characters (like < > : " / \ | ?

  • ) that cannot appear in file names are stripped off from the common name.

Syntax of Directory Certificate Store Path

In its simplest form, the directory certificate store path is an absolute path to the directory that holds the store, e.g. "C:\ProgramData\OPC Foundation\CertificateStores\MachineDefault". Since absolute paths are not flexible enough and may fail to work when the application is transferred to a computer with different configuration, QuickOPC allows you to include replaceable tokens in the directory certificate store path. A token is enclosed in percentage sign characters, e.g. %CommonApplicationData%. For the token to be recognized, the directory certificate store path must begin directly with the token (the percent sign). Tokens are not recognized further down in the string.

The following two types of tokens can be used. QuickOPC searches for them from top to bottom.

If the token name is not recognized, the token is replaced by an empty string (i.e. the token is removed).

The default directory certificate store paths all start with the %CommonApplicationData% token, which typically resolves to something like "C:\ProgramData".

Example: The default application certificate store path is specified as "%CommonApplicationData%\OPC Foundation\CertificateStores\MachineDefault", and it may resolve to "C:\ProgramData\OPC Foundation\CertificateStores\MachineDefault".

 

Windows Certificate Stores

The Windows Certificate Stores are implemented and maintained by the Windows operating system. As explained in <a href="Certificate Stores.html" data-auto-update-caption="true">Certificate Stores</a>, you specify the Windows certificate store by starting the certificate store path by either "LocalMachine\" or "CurrentUser\".

  • If the string starts with "LocalMachine\" (case insensitive), it denotes a Windows certificate store for the local computer. Commonly used examples are: "LocalMachine\My", "LocalMachine\UA Applications" or "LocalMachine\UA Certificate Authorities".
  • If the string starts with "CurrentUser\" (case insensitive), it denotes a Windows certificate store for the current user. Commonly used examples are: "CurrentUser\My" or "CurrentUser\Root".

The store name follows the prefix.

<innovasys:widget layout="block" type="Tip Box">

   <innovasys:widgetproperty layout="block" name="Content">

To manage the local computer certificates, type certlm.msc into the Windows search box, and press Enter. You will need administrative privileges to manage the local computer certificates.

To manage the certificates for the current user, type certmgr.msc into the Windows search box, and press Enter.

Note, however, that the logical store names displayed by the management console are not the same as the physical certificate store names, and that some stores may not be displayed at all.

   </innovasys:widgetproperty>

</innovasys:widget>

 

<innovasys:widget layout="block" type="Include Topic">

   <innovasys:widgetproperty layout="block" name="source">Examples - OPC Unified Architecture - Certificate in the Windows certificate
   store</innovasys:widgetproperty>

</innovasys:widget>