Difference between revisions of "Certificate security plugin"

From OPC Labs Knowledge Base
Jump to navigation Jump to search
Line 69: Line 69:
 
=== Interactive ===
 
=== Interactive ===
  
 +
 +
 +
<pre>
 +
Validate remote certificate for: MQTT client connection to mqtts://test.mosquitto.org (MqttNet)
 +
The identity of the remote computer cannot be verified. Do you want to connect anyway?
 +
The remote computer could not be authenticated due to problems with its security certificate. It may be unsafe to proceed.
 +
Information:
 +
  Target: mqtts://test.mosquitto.org
 +
  Associated status: Certificate chain errors.
 +
 
 +
  Subject: CN=test.mosquitto.org, OU=Public server, O=Mosquitto, L=Derby, S=United Kingdom, C=GB
 +
  Issuer: E=roger@atchoo.org, CN=mosquitto.org, OU=CA, O=Mosquitto, L=Derby, S=United Kingdom, C=GB
 +
  Valid from: 3/20/2019 3:21:39 PM
 +
  Valid to: 3/16/2032 3:21:39 PM
 +
  Thumbprint: E62D6F0D957ED20B74B1D55D404EEF992CE482F0
 +
 +
Do you want to accept the certificate anyway? [y/N]: Y
 +
</pre>
  
 
== Usage ==
 
== Usage ==

Revision as of 20:24, 23 December 2019


Principles of operation

Warning-icon.png

Warning: The Certificate security plugin is not used with OPC UA Client-Server certificates, because of the special needs of OPC UA Client-Server security. Its use is for other purposes, such as secured MQTT communications in OPC UA PubSub.

Get local certificates

Validate remote certificate

Certificate security providers

Composed

Order Enabled by Parameterized by Description
1 AllowStatic StaticCertificateSecurityParameters
2 AllowHandler
3 AllowInteractive
AllowStatic setting AllowInteractive setting Get local certificates Validate remote certificate
False False The consumer will use its default behavior for obtaining local certificates. The consumer will use its default behavior for validating the remote certificate.
False True The user is allowed to supply the local certificates (depending on the capabilities of the interaction provider), or use the provided defaults. The default local certificates for the interaction are given by the StaticCertificateSecurityParameters.LocalCertificatesQuery setting (even though AllowStatic is set False). The user is allowed to accept or reject the remote certificate.
True False Local certificates are obtained according to StaticCertificateSecurityParameters.LocalCertificatesQuery setting (certificates can be read from certificate files, and/or looked up according to specified criteria in a certificate store). The remote certificate is accepted if it complies with the StaticCertificateSecurityParameters.RemoteCertificateAcceptancePolicy setting.
True True Local certificates are obtained according to StaticCertificateSecurityParameters.LocalCertificatesQuery setting (certificates can be read from certificate files, and/or looked up according to specified criteria in a certificate store). The remote certificate is accepted if it complies with the StaticCertificateSecurityParameters.RemoteCertificateAcceptancePolicy setting. Otherwise, the user is allowed to accept or reject the remote certificate.

Static

Handler

Interactive

Validate remote certificate for: MQTT client connection to mqtts://test.mosquitto.org (MqttNet)
The identity of the remote computer cannot be verified. Do you want to connect anyway?
The remote computer could not be authenticated due to problems with its security certificate. It may be unsafe to proceed.
Information:
  Target: mqtts://test.mosquitto.org
  Associated status: Certificate chain errors.
  
  Subject: CN=test.mosquitto.org, OU=Public server, O=Mosquitto, L=Derby, S=United Kingdom, C=GB
  Issuer: E=roger@atchoo.org, CN=mosquitto.org, OU=CA, O=Mosquitto, L=Derby, S=United Kingdom, C=GB
  Valid from: 3/20/2019 3:21:39 PM
  Valid to: 3/16/2032 3:21:39 PM
  Thumbprint: E62D6F0D957ED20B74B1D55D404EEF992CE482F0

Do you want to accept the certificate anyway? [y/N]: Y

Usage

In code

In command-line tools

Options:
  -x-cs-ai|--X-CertificateSecurity-AllowInteraction <bool>                    Certificate security: Allow interaction (default True)
  -x-cs-as|--X-CertificateSecurity-AllowStatic <bool>                         Certificate security: Allow static (default True)
  -x-cs-lcfn|--X-CertificateSecurity-LocalCertsFileName <string>              Certificate security: Local certs: File name (*)
  -x-cs-lcfv|--X-CertificateSecurity-LocalCertsFindValue <string>             Certificate security: Local certs: Find value
  -x-cs-lcsl|--X-CertificateSecurity-LocalCertsStoreLocation <storeLocation>  Certificate security: Local certs: Store location (default CurrentUser)
  -x-cs-lcsn|--X-CertificateSecurity-LocalCertsStoreName <storeName>          Certificate security: Local certs: Store name (default My)
  -x-cs-lcft|--X-CertificateSecurity-LocalCertsFindType <findType>            Certificate security: Local certs: Find type (default FindByThumbprint)
  -x-cs-lcst|--X-CertificateSecurity-LocalCertsSourceTypes <sourceTypes>      Certificate security: Local certs: Source types
  -x-cs-rpaa|--X-CertificateSecurity-RemotePolicyAcceptAny <bool>             Certificate security: Remote policy: Accept any certificate

Parameter values:
  <findType>        FindByThumbprint/FindBySubjectName/FindBySubjectDistinguishedName/FindByIssuerName/FindByIssuerDistinguishedName/FindBySerialNumber/FindByTimeValid/FindByTimeNotYetValid/FindByTimeExpired/FindByTemplateName/FindByApplicationPolicy/FindByCertificatePolicy/FindByExtension/FindByKeyUsage/FindBySubjectKeyIdentifier
  <sourceTypes>     None/File/PkiStore[,None/File/PkiStore]...
  <storeLocation>   CurrentUser/LocalMachine
  <storeName>       AddressBook/AuthRoot/CertificateAuthority/Disallowed/My/Root/TrustedPeople/TrustedPublisher
Retrieved from "https://kb.opclabs.com/index.php?title=Certificate_security_plugin&oldid=2622"