Dialog: Administer OPC UA Application
This dialog allows you to administer the OPC UA application. It contains settings and operations that enable the OPC UA application to coexist and communicate properly in the operating system and in the OPC UA ecosystem.
The "Administer OPC UA Application" dialog allows:
- Viewing and managing trusted certificates. The user can change the Trusted, issuer and Rejected states of the certificates, import certificates, and delete certificates.
- Managing the own application certificate, either using self-signed approach, or from an OPC UA Global Discovery Server (GDS). The application certificate can be exported or imported. The user can also protect the private key of the certificate with a password, or unprotect it. Automatic fixes are offered for common issues with the application certificate.
- Viewing OPC UA application manifest.
The above listed aspects correspond to individual tabs on the dialog. If there is an important issue that needs your attention, the affected tab is displayed with an error or warning icon.
You can switch between the tabs as needed. When you are done with the dialog, press Esc or click the little cross icon in the upper right corner.
Trusted Certificates tab
The Trusted Certificates tab shows the certificates in various certificates stores of the application, and allows you to view and change how the application you are administering trusts other OPC UA applications.
Certificates grid
The certificates are displayed in a single table (grid), with their trust status indicated textually and by an icon. In reality, the certificates are stored in several certificate stores with different purposes. The table shows a logical view, where the trust status is inferred from the placement of the certificate. Operations that change the trust status do, in fact, copy, move and remove certificates in the certificate stores.
Information in the table that may need your attention is distinguished by formatting: for example, certificate validity dates that are expired are displayed in different color.
You can sort the table in ascending or descending order by clicking (or repeated clicking) the column header you want to sort on. Column widths are sized automatically, but can also be adjusted by dragging the divider line between the columns in the header area. Hovering over an incomplete information (for example, if the column is too short) shows a tooltip with the full content of the table cell.
Select the certificate you want to work with by clicking on its row in the table, or using the arrow keys on the keyboard when the table is focused.
Actions
- Trust Status: Trusted
- Sets or resets the Trusted status of the selected certificate. Self-signed, leaf, root CA or sub-CA certificates can be trusted. A certificate that is neither Trusted nor an Issuer or Own certificate is automatically given the Rejected status; conversely, the Rejected status is removed from any certificate that is Trusted.
- Trust Status: Issuer
- Sets or resets the Issuer status of the selected certificate. Issuer certificates are certificates used for validation of the certificate chain, but are not by itself trusted. A certificate that is neither Issuer nor Trusted or Own certificate is automatically given the Rejected status; conversely, the Rejected status is removed from any certificate that is has an Issuer status.
- Trust Status: Rejected
- Sets or resets the Rejected status of the selected certificate. Rejected certificates do not participate in trust evaluation; they are just conveniently "marked" for further review or deletion. Setting the Rejected status automatically removed the Trusted and Issuer stattsu form the certificate; removing the Rejected status from the certificate gives the certificate the Trusted status.
Note: "Revoked" status is different from "Rejected". "Revoked" means that a Certificate Revocation List (CRL) has been issued that marks the specific certificate as revoked (e.g. because its security has been compromised). You cannot change the "Revoked" status of the certificate.
- Delete
- Permanently deletes the selected certificate from all application certificate stores. The dialog will ask you for confirmation. This action cannot be reversed. If you are not sure, you can Reject the certificate instead. The effect on the trust will be the same, but the Rejected certificate status can be changed to Trusted or Issuer again easily.
- Inspect
- Displays all properties of the selected certificate in a property grid.
- View
- Shows the selected certificate using the standard operating system (Windows) user interface.
- Import Trusted
- Imports a certificate from a file, and makes it a Trusted certificate. You can select from several file formats.
- Import Issuer
- Imports a certificate from a file, and makes it an Issuer certificate. You can select from several file formats.
- CM Operations: Refresh Trust Lists
- Retrieves the current trust lists for the application from the Certificate Manager (CM)/Global Discovery Server (GDS), and refreshes own certificate stores accordingly. Use this command if the certificate stores of your application are not up-to-date. The CM/GDS endpoint is configured elsewhere in the application.
Other controls
- Shared stores
- Indicates whether the certificate stores (where the certificates displayed in the tab are located) are possibly shared with other applications. Note: The value displayed is based on the common locations of certificate stores. In case some the locations are configured in a special way, the status might not be correct.
- No
- The certificate stores are configured to serve this application only.
- Mixed
- Some of the certificate stores are configured to serve this application only, while others are shared by multiple applications on the computer.
- Yes
- The application uses certificate stores that are shared by multiple applications on the computer.
- When the shared status is "Mixed" or "Yes", you need to be aware that operation that you make in this tab also affect the trust settings of other applications on the computer. In order to find the location of individual certificate stores, hover the mouse cursor over the shared status value, and a tooltip will be shown with store locations, and statistics of their usage. You can also switch to the Application Manifest to view how the certificate stores are configured.
- Refresh View
- Press this button in case the contents of certificate stores might have changed by an external actor, i.e. by something that has not been invoked from this dialog - for example, if you have manually copied some certificate into the store, or removed it.
- Store errors
- If there is a problem opening any of the application's certificate stores, and error icon will appear near the "Refresh View" button, and by hovering over the icon, you can obtain more information about the error(s).
Application Certificate tab
!!!
Create own self-signed certificate
- Validity period
- Minimum key size
- Create/recreate own certificate
- ...with no private key protection
- ...and protect private key by new password
Obtain new certificate from OPC UA GDS
Note: Certificate operations with Global Discovery Server (GDS) may not be available, e.g. due to software licensing reasons. In such case, elements in this group may be disabled, and a corresponding explanatory message is displayed in a tooltip.
- GDS endpoint (with Certificate Manager)
- Certificate type
- Obtain/reobtain new certificate
- ...with no private key password protection
- ...and protect private key by new password
- Refresh trust lists
Import/export application certificate
- Import certificate from file
- Export certiticate to file
- Export certificate with private key to file
Remove own certificate
Pressing the Remove own certificate button will remove the current own certificate, together with its private key, from the certificate store. This action cannot be reversed.
Private key protection
Note: Not all applications allow changing the certificate private key password. In such applications, corresponding elements in this group are not visible.
Certificates have public and private keys. The private key of the certificate is the secret part of it. It needs to be secured in such a way that only authorized entities - such as the application itself - have access to it. This is done by various ways, e.g. by storing the certificate's private key in a secure certificate store, which uses operating system mechanism to guard access only to selected users. An additional protection can be made using the private key password. In this case, the certificate's private key is unusable without also having the correct password.
When working with controls in this group, you need to keep in mind that for the application to work, the private key password configured in the application must match the actual password by which the private key of the current certificate is protected. By making a mistake in administering the application, these passwords can become out of sync, rendering the secure communications of the application impossible. The dialog detects such situation and warns about it, though.
- Protect by new password
- Unprotect (empty password)
- Private key password configured
- Set
- Reset
!!!
Own Certificate View
The Own Certificate View forms the right-hand side of the Application Certificate tab. For most part, it is a read-only view of the current application certificate, in a property grid.
When there is no own certificate available, either because it is simply missing, or due to some error accessing the certificate store, the property grid is replaced by an information box which provides more information related to the status or error.
By default, the properties in the property grid are displayed grouped into logical categories. Using the button icons above the grid, you can switch between this categorized view, and an alphabetically sorted view.
The "Refresh View" button can be used when the certificate might have been changed by an external actor, i.e. by something that has not been invoked from this dialog - for example, if you have manually copied the certificate into the store, or removed it.
Pressing the View button shows the current own certificate using the standard operating system (Windows) user interface.
A colored caption bar above the property grid shows the current status of the own certificate. The program makes an analysis of various aspects related to the own certificate, and shows hints, warning and errors from the analysis. In order to obtain lengthier explanation of the status, hover the mouse cursor over the colored status caption bar. In some cases, there is also a More button displayed next to the status caption. Press this button to show the details of the actual error.
The program has a built-in capability to provide solutions for common issues related to the own certificate. When such solution is available, a Fix button appears next to the colored status caption bar. Press this button and the fix will be made automatically, or you will be walked through the possible steps of the solution.
Application Manifest tab
The OPC UA application manifest contains the application registration information together with data related to PKI administration, such as paths to the certificate stores used.
The information contained in the OPC UA application manifest can roughly be divided into three areas:
- Information that identifies or otherwise integrates the application in the OPC UA ecosystem, such as application URI, application type, application name, and product URI.
- Information needed to create the application instance certificate, such as the certificate subject name or its parts. Note that the certificate also contains some of the information described above, such as the application URI.
- Information that allows the OPC UA application to execute and be administered in the operating system environment, such as location of the certificate stores it uses.
This logical separation is reflected in how the information is laid out on the Application Manifest tab:
You cannot change the information in the Application Manifest tab; it comes from the OPC UA application itself. Use this tab mainly to verify that the information displayed is correct, and/or to share it with other parties. For example, the application URI is needed in some scenarios to connect to the application.
The information displayed reflects the final (effective) values, those that the application actually uses. Behind the scenes, the application manifest might be composed from several (partial) sources, and some elements (such as the certificate store paths) then go through a final resolution step.
If any issues were found, the bottom part of this tab shows warnings and error messages related to the application manifest.
Common procedures
Trusting a Rejected certificate
Probably by far the most common usage for this dialog is to establish a trust of your application with a previously untrusted peer application, using self-signed certificates for application authentication. If the two applications attempt to connect in a secure way for the first time, and the trust is not configured, the other party certificate is rejected, and is placed into the Rejected certificate store (which as shows as "Rejected" trust status in the "Trusted Certificates" tab).
In order to establish trust to an application with a self-signed certificate that has been rejected:
- Open the "Administer OPC UA Application " dialog.
- Switch to the Trusted Certificates tab.
- Locate the rejected certificate of the other application in the table. It will have "Rejected" in its Trust Status, and the name of the application and other identifying information will match the other application.
- Verify that the thumbprint of the certificate is identical to the known thumbprint of the certificate of the other application. This is an important step for security; if you skip it, you might end up trusting and connecting with an unintended, possibly rogue application. The other application will typically have some way to display the thumbprint of its certificate to the user. To verify the thumbprint, either:
- Select the Inspect action, find the Identification: Thumbprint row in the property grid, and verify the thumbprint. Then press the OK button.
- Select the View action, switch to the Details tab, find the Thumbprint row in the field list, and verify the thumbprint. Then press the OK button.
- If the thumbprint in the previous step was correct, select the Trust Status: Trusted action. This will change the trust status of the selected certificate from Rejected to Trusted.