A primer on OPC UA certificate stores

From OPC Labs Knowledge Base
Revision as of 09:54, 14 June 2018 by User (talk | contribs) (Created page with "This page is a snapshot of the current state of several new articles from the QuickOPC 2018.3 documentation. <h1>Certificate Stores</h1> <h2>Certificate Store Types</h2> <p...")
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)

This page is a snapshot of the current state of several new articles from the QuickOPC 2018.3 documentation.

Certificate Stores

Certificate Store Types

%%ProductName%% can work with certificates located in certificate stores. Certificate stores are of different types; they are either:

  • Windows certificate store, or
  • directory in a file system.

For more details on each of these types, see <a href="901f8522-103c-45d5-8659-4dfce19f2209" data-auto-update-caption="true">Windows Certificate Stores</a> and <a href="d72d3bb7-3bdd-4dfe-9b0e-654e5ae4fe05" data-auto-update-caption="true">Directory Certificate Stores</a>.

Certificate Store Path

The certificate store is identified by a string, called certificate store path. The syntax and semantics of this string is as follows:

  • If the string starts with "LocalMachine\" (case insensitive), it denotes a Windows certificate store for the local computer. The store name follows this prefix.
  • If the string starts with "CurrentUser\" (case insensitive), it denotes a Windows certificate store for the current user. The store name follows this prefix.
  • Otherwise, the string denotes a certificate store located in a file system directory, and the value is equal to the directory path. The string can contain replaceable tokens that refer to specific locations. For details, see <a href="d72d3bb7-3bdd-4dfe-9b0e-654e5ae4fe05" data-auto-update-caption="true">Directory Certificate Stores</a>.

Certificate Store Locations

%%ProductName%% uses several certificate stores for its operations. The location of the stores is given by various parameters. The stores are:

  • Application certificate store. A client application created with %%ProductName%% looks for or creates its own instance certificate here. The location of the store is controlled by <a href="OpcLabs.EasyOpcUA~OpcLabs.EasyOpc.UA.EasyUAClient.html">EasyUAClient</a>.<a href= "OpcLabs.EasyOpcUA~OpcLabs.EasyOpc.UA.EasyUAClient~SharedParameters.html">SharedParameters</a>.<a href= "OpcLabs.EasyOpcUA~OpcLabs.EasyOpc.UA.Engine.EasyUASharedParameters~EngineParameters.html">EngineParameters</a>.<a href= "OpcLabs.EasyOpcUA~OpcLabs.EasyOpc.UA.Engine.UAClientEngineParameters~ApplicationParameters.html">ApplicationParameters</a>.<a href= "OpcLabs.EasyOpcUA~OpcLabs.EasyOpc.UA.Engine.UAClientApplicationParameters~ApplicationCertificateStore.html">ApplicationCertificateStore</a> property. For more details, see <a href="a724e46e-440d-4ad0-8148-dd7ef23a8f9b" data-auto-update-caption="true">Providing Client Instance Certificate</a>. The application instance certificates in this store include the private keys.
  • Rejected certificate store. Server certificates that fail validation are placed into this store.
  • Trusted issuers certificate store. Contains certificates of Certification Authorities to be trusted.
  • Trusted peers certificate store. Contains specific OPC UA application instance certificates to be trusted.

For details on rejected certificate store, trusted issuers certificate store and trusted peers certificate store, see <a href= "31ff9304-a7f3-452a-9803-fde328a7738d" data-auto-update-caption="true">Trusting Server Instance Certificate</a> and <a href= "a8e4e567-d5cd-41b8-bbcb-835dd58bb3be" data-auto-update-caption="true">Trusting Server HTTPS Certificate</a>.

 

By default, all certificates that %%ProductName%% works with are located in some directory-based certificate store. Specifically:

  • Default application certificate store is "%CommonApplicationData%\OPC Foundation\CertificateStores\MachineDefault".
  • Default rejected certificate store is "%CommonApplicationData%\OPC Foundation\CertificateStores\RejectedCertificates".
  • Default trusted issuers certificate store is "%CommonApplicationData%\OPC Foundation\CertificateStores\UA Certificate Authorities".
  • Default trusted peers certificate store is "%CommonApplicationData%\OPC Foundation\CertificateStores\UA Applications".

The %CommonApplicationData% token typically resolves to something like "C:\ProgramData". See <a href="d72d3bb7-3bdd-4dfe-9b0e-654e5ae4fe05" data-auto-update-caption="true">Directory Certificate Stores</a> for more details.

Certificate Store Security

In a secure deployment, the certificate store itself (that is, read and write access to the certificates it contains) must be secured. %%ProductName%% needs appropriate permissions to read from (and sometimes write to) the certificate stores. At the same time, access should be denied to unauthorized actors. This is most critical for the write access to the stores (and for read access to the private key parts). Securing the certificate stores is outside of %%ProductName%% scope.

<innovasys:widget layout="block" type="Note Box">

   <innovasys:widgetproperty layout="block" name="Content">The private keys in OPC UA certificate stores are not protected by
   passwords.</innovasys:widgetproperty>

</innovasys:widget>

 

Directory Certificate Stores

Structure of the Directory Certificate Store

As described in <a href="Certificate Stores.html" data-auto-update-caption="true">Certificate Stores</a>, directory certificate stores reside in a file system. In many cases, their structure can remain an opaque implementation detail to you. Knowing the structure comes handy if you need to deal with them externally or manually.

There are no files at the "root" of the directory certificate, only sub-directories, and they are:

  • The "certs" subdirectory. Contains the certificates without private keys, in .DER format.
  • The "private" subdirectory (only in certificate stores which need it). Contains the certificate *with* private keys, in .PFX format. Instead of .PFX, it can also contain just the private key, in .PEM format (%%ProductName%% recognizes this but does not itself create files in directory certificate stores in this way).

If the certificate store contains a certificate with a private key, it will therefore be present in both "certs" and "private" subdirectories, each time in a different format.

The file name of each certificate comprises of the certificate common name (from its subject), followed by a space, and the certificate thumbprint in square brackets, e.g. "My Application [71511464F08D30AF9F9B2BC21CDB78D49BE568B8]". Special characters (like < > : " / \ | ?

  • ) that cannot appear in file names are stripped off from the common name.

Syntax of Directory Certificate Store Path

In its simplest form, the directory certificate store path is an absolute path to the directory that holds the store, e.g. "C:\ProgramData\OPC Foundation\CertificateStores\MachineDefault". Since absolute paths are not flexible enough and may fail to work when the application is transferred to a computer with different configuration, %%ProductName%% allows you to include replaceable tokens in the directory certificate store path. A token is enclosed in percentage sign characters, e.g. %CommonApplicationData%. For the token to be recognized, the directory certificate store path must begin directly with the token (the percent sign). Tokens are not recognized further down in the string.

The following two types of tokens can be used. %%ProductName%% searches for them from top to bottom.

If the token name is not recognized, the token is replaced by an empty string (i.e. the token is removed).

The default directory certificate store paths all start with the %CommonApplicationData% token, which typically resolves to something like "C:\ProgramData".

Example: The default application certificate store path is specified as "%CommonApplicationData%\OPC Foundation\CertificateStores\MachineDefault", and it may resolve to "C:\ProgramData\OPC Foundation\CertificateStores\MachineDefault".

 

Windows Certificate Stores

The Windows Certificate Stores are implemented and maintained by the Windows operating system. As explained in <a href="Certificate Stores.html" data-auto-update-caption="true">Certificate Stores</a>, you specify the Windows certificate store by starting the certificate store path by either "LocalMachine\" or "CurrentUser\".

  • If the string starts with "LocalMachine\" (case insensitive), it denotes a Windows certificate store for the local computer. Commonly used examples are: "LocalMachine\My", "LocalMachine\UA Applications" or "LocalMachine\UA Certificate Authorities".
  • If the string starts with "CurrentUser\" (case insensitive), it denotes a Windows certificate store for the current user. Commonly used examples are: "CurrentUser\My" or "CurrentUser\Root".

The store name follows the prefix.

<innovasys:widget layout="block" type="Tip Box">

   <innovasys:widgetproperty layout="block" name="Content">

To manage the local computer certificates, type certlm.msc into the Windows search box, and press Enter. You will need administrative privileges to manage the local computer certificates.

To manage the certificates for the current user, type certmgr.msc into the Windows search box, and press Enter.

Note, however, that the logical store names displayed by the management console are not the same as the physical certificate store names, and that some stores may not be displayed at all.

   </innovasys:widgetproperty>

</innovasys:widget>

 

<innovasys:widget layout="block" type="Include Topic">

   <innovasys:widgetproperty layout="block" name="source">Examples - OPC Unified Architecture - Certificate in the Windows certificate
   store</innovasys:widgetproperty>

</innovasys:widget>