Certificate security plugin: Difference between revisions
From OPC Labs Knowledge Base
Revision as of 20:19, 23 December 2019
Principles of operation
Warning: The Certificate security plugin is not used with OPC UA Client-Server certificates, because of the special needs of OPC UA Client-Server security. Its use is for other purposes, such as secured MQTT communications in OPC UA PubSub.
Get local certificates
Validate remote certificate
Certificate security providers
Composed
Order | Enabled by | Parameterized by | Description |
---|---|---|---|
1 | AllowStatic | StaticCertificateSecurityParameters | |
2 | AllowHandler | | |
3 | AllowInteractive | | |
AllowStatic setting | AllowInteractive setting | Get local certificates | Validate remote certificate |
---|---|---|---|
False | False | The consumer will use its default behavior for obtaining local certificates. | The consumer will use its default behavior for validating the remote certificate. |
False | True | The user is allowed to supply the local certificates (depending on the capabilities of the interaction provider), or use the provided defaults. The default local certificates for the interaction are given by the StaticCertificateSecurityParameters.LocalCertificatesQuery setting (even though AllowStatic is set False). | The user is allowed to accept or reject the remote certificate. |
True | False | Local certificates are obtained according to StaticCertificateSecurityParameters.LocalCertificatesQuery setting (certificates can be read from certificate files, and/or looked up according to specified criteria in a certificate store). | The remote certificate is accepted if it complies with the StaticCertificateSecurityParameters.RemoteCertificateAcceptancePolicy setting. |
True | True | Local certificates are obtained according to StaticCertificateSecurityParameters.LocalCertificatesQuery setting (certificates can be read from certificate files, and/or looked up according to specified criteria in a certificate store). | The remote certificate is accepted if it complies with the StaticCertificateSecurityParameters.RemoteCertificateAcceptancePolicy setting. Otherwise, the user is allowed to accept or reject the remote certificate. |
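The two tables above describe the Composed provider as a decision table; the following Python model (added here, not OPC Labs code) walks through all four AllowStatic/AllowInteractive combinations for both local-certificate retrieval and remote-certificate validation. The page only exposes RemotePolicyAcceptAny as a remote-policy knob, so the trusted-thumbprint set standing in for a stricter RemoteCertificateAcceptancePolicy is an assumption, as are the callback shapes for the interaction provider and the consumer default.

```python
from dataclasses import dataclass
from typing import Callable, Optional

# Constructed model of the Composed provider's decision tables (not OPC Labs code).
# trusted_thumbprints is an assumed stand-in for a non-AcceptAny remote policy.


@dataclass(frozen=True)
class StaticCertificateSecurityParameters:
    local_certificates_query: tuple[str, ...]          # file names / store find values
    remote_policy_accept_any: bool = False              # --X-CertificateSecurity-RemotePolicyAcceptAny
    trusted_thumbprints: frozenset[str] = frozenset()   # assumption: pinned thumbprints


def remote_policy_complies(params: StaticCertificateSecurityParameters, thumbprint: str) -> bool:
    """RemoteCertificateAcceptancePolicy check; AcceptAny short-circuits every other check."""
    return params.remote_policy_accept_any or thumbprint in params.trusted_thumbprints


def get_local_certificates(allow_static: bool, allow_interactive: bool,
                           params: StaticCertificateSecurityParameters,
                           user_supplies: Optional[Callable[[tuple[str, ...]], tuple[str, ...]]] = None,
                           consumer_default: tuple[str, ...] = ()) -> tuple[str, ...]:
    """'Get local certificates' column of the table."""
    if allow_static:                                   # rows True/False and True/True
        return params.local_certificates_query
    if allow_interactive:                              # row False/True: user may override the query defaults
        defaults = params.local_certificates_query     # used even though AllowStatic is False
        return user_supplies(defaults) if user_supplies else defaults
    return consumer_default                            # row False/False


def validate_remote_certificate(allow_static: bool, allow_interactive: bool,
                                params: StaticCertificateSecurityParameters, thumbprint: str,
                                ask_user: Optional[Callable[[str], bool]] = None,
                                consumer_default: Callable[[str], bool] = lambda _t: False
                                ) -> tuple[bool, str]:
    """'Validate remote certificate' column; returns (accepted, deciding source)."""
    if allow_static and remote_policy_complies(params, thumbprint):
        return True, "static policy"
    if allow_interactive:                              # False/True, or True/True after a static rejection
        if ask_user is None:
            raise RuntimeError("interaction provider required when AllowInteractive is set")
        return ask_user(thumbprint), "user decision"
    if allow_static:                                   # True/False: static rejection is final
        return False, "static policy"
    return consumer_default(thumbprint), "consumer default"
```

Note that with AllowStatic set and RemotePolicyAcceptAny true, the first branch accepts every remote certificate without ever reaching the user, so that option removes any pinning the static policy would otherwise provide.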
Static
Handler
Interactive
Usage
In code
In command-line tools
<pre>
Options:
  -x-cs-ai|--X-CertificateSecurity-AllowInteraction <bool>              Certificate security: Allow interaction (default True)
  -x-cs-as|--X-CertificateSecurity-AllowStatic <bool>                   Certificate security: Allow static (default True)
  -x-cs-lcfn|--X-CertificateSecurity-LocalCertsFileName <string>        Certificate security: Local certs: File name (*)
  -x-cs-lcfv|--X-CertificateSecurity-LocalCertsFindValue <string>       Certificate security: Local certs: Find value
  -x-cs-lcsl|--X-CertificateSecurity-LocalCertsStoreLocation <storeLocation>  Certificate security: Local certs: Store location (default CurrentUser)
  -x-cs-lcsn|--X-CertificateSecurity-LocalCertsStoreName <storeName>    Certificate security: Local certs: Store name (default My)
  -x-cs-lcft|--X-CertificateSecurity-LocalCertsFindType <findType>      Certificate security: Local certs: Find type (default FindByThumbprint)
  -x-cs-lcst|--X-CertificateSecurity-LocalCertsSourceTypes <sourceTypes>  Certificate security: Local certs: Source types
  -x-cs-rpaa|--X-CertificateSecurity-RemotePolicyAcceptAny <bool>       Certificate security: Remote policy: Accept any certificate

Parameter values:
  <findType>       FindByThumbprint/FindBySubjectName/FindBySubjectDistinguishedName/FindByIssuerName/FindByIssuerDistinguishedName/FindBySerialNumber/FindByTimeValid/FindByTimeNotYetValid/FindByTimeExpired/FindByTemplateName/FindByApplicationPolicy/FindByCertificatePolicy/FindByExtension/FindByKeyUsage/FindBySubjectKeyIdentifier
  <sourceTypes>    None/File/PkiStore[,None/File/PkiStore]...
  <storeLocation>  CurrentUser/LocalMachine
  <storeName>      AddressBook/AuthRoot/CertificateAuthority/Disallowed/My/Root/TrustedPeople/TrustedPublisher
</pre>