Certificate security plugin
Concepts
Warning: The Certificate security plugin is not used with OPC UA Client-Server certificates, because of the special needs of OPC UA Client-Server security. Its use is for other purposes, such as secured MQTT communications in OPC UA PubSub.
Operations
There are three operations provided by the certificate security plugin, explained below.
Get local certificates
Gets the local PKI (X.509) certificates used for authenticating the local party to the remote one. The input is information about the consumer and the target server. The operation returns a list of local certificates to be used when establishing the connection.
Select local certificate
Currently not used by any of the consumers.
Validate remote certificate
Verifies the remote PKI (X.509) certificate used for authentication. The input is information about the consumer and the target server, the certificate with which the remote party authenticates itself, the chain of certificate authorities associated with that certificate, and any transport (SSL/TLS) errors reported for it. The operation either accepts or rejects the specified certificate for authentication.
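To make the accept/reject decision concrete, the following is an added example written for this page; it is not the plugin's Handler API (whose signature this page does not document) and not QuickOPC code. It is a remote-certificate acceptance policy in C# that takes the three inputs listed above: the remote certificate, its chain, and the transport (SSL) errors, and it handles the "Certificate chain errors" case that the interactive console prompt further down on this page reports. Only .NET BCL types are used; the class name, the PrivateRootCa property and the pinned-thumbprint list are assumptions, and the custom-root-trust chain building requires .NET 5 or later. The thumbprint in the pin list is the one the console prompt on this page displays for test.mosquitto.org, used purely as sample data.

```csharp
using System;
using System.Collections.Generic;
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;

// Example only (added for this page): a remote-certificate acceptance policy that
// receives the same three inputs as the "Validate remote certificate" operation
// (remote certificate, its chain, transport/SSL errors) and returns accept/reject.
// Not the plugin's Handler API; adapt it to whatever callback receives these inputs.
public static class RemoteCertificatePolicyExample
{
    // Pinned leaf thumbprints (SHA-1 hex, as the interactive prompt displays them).
    // Sample data: the test.mosquitto.org thumbprint shown on this page. Pins must be
    // updated whenever the server rotates its key.
    private static readonly string[] PinnedThumbprints =
    {
        "E62D6F0D957ED20B74B1D55D404EEF992CE482F0",
    };

    // Optional private CA (e.g. the mosquitto.org CA) loaded from a file you control.
    // null means "platform trust store only". Assumed property, not a plugin setting.
    public static X509Certificate2 PrivateRootCa { get; set; }

    public static bool Accept(X509Certificate2 remote, X509Chain chain, SslPolicyErrors sslErrors, string target)
    {
        if (remote == null)
            return Reject(target, "no certificate presented");

        // "Accept any" (what -x-cs-rpaa True does) would simply return true here; it
        // disables authentication of the broker entirely and belongs in test setups only.
        if (sslErrors == SslPolicyErrors.None)
            return true;

        // A name mismatch is never repaired by trusting a private CA: the certificate
        // may be perfectly valid, but it was issued to a different host.
        if ((sslErrors & SslPolicyErrors.RemoteCertificateNameMismatch) != 0)
            return Reject(target, "certificate name does not match " + target);

        if ((sslErrors & SslPolicyErrors.RemoteCertificateChainErrors) != 0)
        {
            // 1) Re-validate the chain against the private CA instead of the platform roots.
            if (PrivateRootCa != null && ChainsToPrivateRoot(remote, chain))
                return true;

            // 2) Otherwise accept only an explicitly pinned leaf certificate.
            foreach (string pin in PinnedThumbprints)
            {
                if (string.Equals(remote.Thumbprint, pin, StringComparison.OrdinalIgnoreCase))
                    return true;
            }

            return Reject(target, "chain errors: " + DescribeChain(chain));
        }

        return Reject(target, "TLS policy errors: " + sslErrors);
    }

    private static bool ChainsToPrivateRoot(X509Certificate2 remote, X509Chain originalChain)
    {
        using var custom = new X509Chain();
        custom.ChainPolicy.TrustMode = X509ChainTrustMode.CustomRootTrust; // .NET 5+
        custom.ChainPolicy.CustomTrustStore.Add(PrivateRootCa);
        custom.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck;    // private CAs often publish no CRL

        // Carry over any intermediates the peer sent so the chain can be completed offline.
        if (originalChain != null)
        {
            foreach (X509ChainElement element in originalChain.ChainElements)
                custom.ChainPolicy.ExtraStore.Add(element.Certificate);
        }

        // Build succeeds only if the chain terminates in PrivateRootCa; the system
        // root store is ignored in CustomRootTrust mode.
        return custom.Build(remote);
    }

    private static string DescribeChain(X509Chain chain)
    {
        if (chain == null)
            return "(no chain)";

        var parts = new List<string>();
        foreach (X509ChainStatus status in chain.ChainStatus)
            parts.Add(status.Status + " (" + status.StatusInformation.Trim() + ")");

        return parts.Count == 0 ? "(no status)" : string.Join("; ", parts);
    }

    private static bool Reject(string target, string reason)
    {
        Console.Error.WriteLine($"Rejecting remote certificate for {target}: {reason}");
        return false;
    }
}
```

The policy can be plugged into any callback that supplies these inputs, for instance a standard System.Net.Security.RemoteCertificateValidationCallback, which receives exactly the certificate, chain and SslPolicyErrors. The order of checks matters: a name mismatch is rejected before any chain repair is attempted, because a certificate that chains to a trusted CA but was issued to a different host is still the wrong certificate; and trusting the private CA is preferred to pinning a leaf, since pins break when the server rotates its key.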
Certificate security providers
Composed
Order | Enabled by | Parameterized by | Description
---|---|---|---
1 | AllowStatic | StaticCertificateSecurityParameters | Static certificate security provider
2 | AllowHandler | | Handler certificate security provider
3 | AllowInteractive | | Interactive certificate security provider
In the table below, "the consumer" is the part of the software that has requested the certificate security operation. It might be, e.g., one of the MQTT communication packages.
AllowStatic setting | AllowInteractive setting | Get local certificates | Validate remote certificate
---|---|---|---
False | False | The consumer uses its default behavior for obtaining local certificates. | The consumer uses its default behavior for validating the remote certificate.
False | True | The user is allowed to supply the local certificates (depending on the capabilities of the interaction provider), or to use the provided defaults. The default local certificates for the interaction are given by the StaticCertificateSecurityParameters.LocalCertificatesQuery setting (even though AllowStatic is set to False). | The user is allowed to accept or reject the remote certificate.
True | False | Local certificates are obtained according to the StaticCertificateSecurityParameters.LocalCertificatesQuery setting (certificates can be read from certificate files, and/or looked up according to specified criteria in a certificate store). The default LocalCertificatesQuery returns no local certificates. | The remote certificate is accepted if it complies with the StaticCertificateSecurityParameters.RemoteCertificateAcceptancePolicy setting.
True | True | | The remote certificate is accepted if it complies with the StaticCertificateSecurityParameters.RemoteCertificateAcceptancePolicy setting. Otherwise, the user is allowed to accept or reject the remote certificate.
Static
The Static certificate security provider does not distinguish between the different purposes/consumers of the operation (such as whether the local certificates are requested for MQTT or for AMQP), nor between different targets (which server the local certificates are intended for, or which server the remote certificate came from). In particular, a RemoteCertificateAcceptancePolicy that accepts any certificate applies to every target. If you need that level of granularity, use the Handler certificate security provider (and make the distinction in your code), or the Interactive certificate security provider (and let the end user make the decisions).
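As an added example (written for this page, not code from the plugin or from QuickOPC), the following C# shows what a local-certificate query of the kind configured by StaticCertificateSecurityParameters.LocalCertificatesQuery amounts to in .NET: certificates taken from a file and/or looked up in a PKI store by store location, store name, X509FindType and find value, the same inputs the command-line options in the Usage section expose. The class and method names, the file name and the placeholder thumbprint are assumptions; only BCL types from System.Security.Cryptography.X509Certificates are used.

```csharp
using System;
using System.Security.Cryptography.X509Certificates;

// Example only (added for this page): a local-certificate query that mirrors the
// inputs of StaticCertificateSecurityParameters.LocalCertificatesQuery, i.e. a
// certificate file and/or a PKI store lookup. Not the plugin's own code.
public static class LocalCertificateQueryExample
{
    // Returns certificates usable for client authentication: each must carry a
    // private key, and store lookups are restricted to time-valid certificates.
    public static X509Certificate2Collection FindLocalCertificates(
        string fileName,                 // e.g. "client.pfx"; null to skip the File source
        StoreLocation storeLocation,     // CurrentUser or LocalMachine
        StoreName storeName,             // typically My
        X509FindType findType,           // prefer FindByThumbprint: exact match
        string findValue)                // null to skip the PkiStore source
    {
        var result = new X509Certificate2Collection();

        if (!string.IsNullOrEmpty(fileName))
        {
            // A .crt/.pem file without a private key cannot authenticate the client;
            // use a PKCS#12 (.pfx) file, or a store entry that holds the key.
            var fromFile = new X509Certificate2(fileName);
            if (fromFile.HasPrivateKey)
                result.Add(fromFile);
            else
                Console.Error.WriteLine($"Skipping {fileName}: no private key.");
        }

        if (!string.IsNullOrEmpty(findValue))
        {
            using var store = new X509Store(storeName, storeLocation);
            store.Open(OpenFlags.ReadOnly | OpenFlags.OpenExistingOnly);

            // validOnly: true rejects expired, not-yet-valid and untrusted-chain
            // certificates. FindBySubjectName is a substring match, so a value such
            // as "opclabs" may return more than one certificate; thumbprints do not.
            X509Certificate2Collection found =
                store.Certificates.Find(findType, findValue, validOnly: true);

            foreach (X509Certificate2 cert in found)
            {
                if (cert.HasPrivateKey)
                    result.Add(cert);
            }
        }

        return result;
    }

    public static void Main()
    {
        // Assumed values: replace the placeholder thumbprint with one from your own store.
        X509Certificate2Collection certs = FindLocalCertificates(
            fileName: null,
            storeLocation: StoreLocation.CurrentUser,
            storeName: StoreName.My,
            findType: X509FindType.FindByThumbprint,
            findValue: "0000000000000000000000000000000000000000");

        Console.WriteLine($"{certs.Count} local certificate(s) available for authentication.");
        foreach (X509Certificate2 cert in certs)
            Console.WriteLine($"{cert.Thumbprint}  {cert.Subject}");
    }
}
```

The two checks worth keeping are validOnly: true (rejects expired or not-yet-valid certificates and those whose chain does not build) and HasPrivateKey (a certificate without its private key cannot authenticate you, so a bare .crt/.pem file is not enough). Prefer FindByThumbprint to FindBySubjectName: the former is an exact match, the latter a substring match that may silently select the wrong certificate.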
Handler
Interactive
The Interactive certificate security provider allows the end user to make the security choices (to a certain degree).
What the interaction actually looks like depends on the technology used by your application. Currently, two types of interaction are possible:
- Console
- Windows Forms (on Windows only)
Which interaction type takes place is decided automatically by the plugin at run time. The Windows Forms interaction is internally implemented using the Windows Forms technology, but (despite its name) is suitable for almost any kind of windowed user interface on Windows.
User responses are memoized for the lifetime of the process (application domain in .NET Framework). That is, the user will not be asked the same question for the same combination of inputs (e.g. validating the same remote certificate for the same purpose and from the same server).
Because requests for certificate security operations arrive at generally unpredictable times (such as when a secured connection is being opened), and the user interaction mechanism is largely unaware of other user interface activity in the same program, the user should be prepared for interaction from the certificate security plugin to interrupt the normal flow of operation.
Console
Local certificates for: MQTT client connection to mqtts://test.mosquitto.org (MqttNet)
Supply local certificate(s) for authentication to mqtts://test.mosquitto.org .
There are 0 default certificates.
Certificate file name (Enter=default certificates)? client.crt
Loaded certificate: OU=Software Engineering, S=PM, O="CODE Consulting and Development, s.r.o.", L=Plzen, CN=opclabs.com, C=CZ
Validate remote certificate for: MQTT client connection to mqtts://test.mosquitto.org (MqttNet)
The identity of the remote computer cannot be verified. Do you want to connect anyway?
The remote computer could not be authenticated due to problems with its security certificate. It may be unsafe to proceed.
Information:
Target: mqtts://test.mosquitto.org
Associated status: Certificate chain errors.
Subject: CN=test.mosquitto.org, OU=Public server, O=Mosquitto, L=Derby, S=United Kingdom, C=GB
Issuer: E=roger@atchoo.org, CN=mosquitto.org, OU=CA, O=Mosquitto, L=Derby, S=United Kingdom, C=GB
Valid from: 3/20/2019 3:21:39 PM
Valid to: 3/16/2032 3:21:39 PM
Thumbprint: E62D6F0D957ED20B74B1D55D404EEF992CE482F0
Do you want to accept the certificate anyway? [y/N]: Y
Windows Forms
Usage
In code
In command-line tools
In some command-line tools such as OpcCmd or UADemoPublisher, the Certificate security plugin is already set up and enabled. It also integrates itself with the command-line options and commands. Options are made available that allow you to configure most of the Certificate security provider aspects from the command line.
The option short names for the Certificate security plugin start with "-x-cs-", and the long names start with "--X-CertificateSecurity-". For example, below is a listing of the options and parameter values available for the "uaSubscriber" command of the OpcCmd tool, or in the UADemoPublisher.
Options:
  -x-cs-ai|--X-CertificateSecurity-AllowInteraction <bool>  Certificate security: Allow interaction (default True)
  -x-cs-as|--X-CertificateSecurity-AllowStatic <bool>  Certificate security: Allow static (default True)
  -x-cs-lcfn|--X-CertificateSecurity-LocalCertsFileName <string>  Certificate security: Local certs: File name (*)
  -x-cs-lcfv|--X-CertificateSecurity-LocalCertsFindValue <string>  Certificate security: Local certs: Find value
  -x-cs-lcsl|--X-CertificateSecurity-LocalCertsStoreLocation <storeLocation>  Certificate security: Local certs: Store location (default CurrentUser)
  -x-cs-lcsn|--X-CertificateSecurity-LocalCertsStoreName <storeName>  Certificate security: Local certs: Store name (default My)
  -x-cs-lcft|--X-CertificateSecurity-LocalCertsFindType <findType>  Certificate security: Local certs: Find type (default FindByThumbprint)
  -x-cs-lcst|--X-CertificateSecurity-LocalCertsSourceTypes <sourceTypes>  Certificate security: Local certs: Source types
  -x-cs-rpaa|--X-CertificateSecurity-RemotePolicyAcceptAny <bool>  Certificate security: Remote policy: Accept any certificate
Parameter values:
  <findType> FindByThumbprint/FindBySubjectName/FindBySubjectDistinguishedName/FindByIssuerName/FindByIssuerDistinguishedName/FindBySerialNumber/FindByTimeValid/FindByTimeNotYetValid/FindByTimeExpired/FindByTemplateName/FindByApplicationPolicy/FindByCertificatePolicy/FindByExtension/FindByKeyUsage/FindBySubjectKeyIdentifier
  <sourceTypes> None/File/PkiStore[,None/File/PkiStore]...
  <storeLocation> CurrentUser/LocalMachine
  <storeName> AddressBook/AuthRoot/CertificateAuthority/Disallowed/My/Root/TrustedPeople/TrustedPublisher
Example: Publish over a secure MQTT connection, accepting any remote certificate. Note that this disables authentication of the broker altogether (the connection is still encrypted, but any party can impersonate the broker), so it is suitable for testing only.
UADemoPublisher -muts -x-cs-rpaa True
Example: Publish over a secure MQTT connection, allowing the user to specify the local certificate (by disabling the static certificate security provider).
UADemoPublisher -muts -x-cs-as False