Set Up Secure Connections for the OPC UA Client

This topic provides outline information on how to set up secure connections between Geo SCADA Expert and an OPC UA server. It applies for setups in which Geo SCADA Expert is running the OPC UA driver and operating as an OPC UA client. The information only applies when Geo SCADA Expert is required to use secure connections to communicate with the OPC UA server. You specify the required certificate and other secure connection settings on the Server tab of the OPC UA Server Form (see Configure the URL, Certificate, and Authentication Properties).

Some third-party OPC UA servers are stricter than others when evaluating the certificates. In addition to checking that the certificates match, some OPC UA servers also require that the application uri declared by the client and the hostname of the computer that is hosting the client are declared accurately in the certificate. The certificates and key that are used have to use the DER format.

You can use OpenSSL or other third-party tools to create the client certificate that Geo SCADA Expert has to present to the OPC UA server; check with your company whether a particular tool is recommended. If you opt to use OpenSSL, ensure that the bin folder of OpenSSL is declared in the PATH environment variable of your user account in Windows (for example, C:\Program Files\OpenSSL-Win64\bin).

The authors of OpenSSL do not provide OpenSSL as an installable program; instead, they recommend that users build OpenSSL from the source code that they provide. There are some public providers of OpenSSL installable programs; if you opt to use one of these programs, you do so at your own risk. For more information, see the Geo SCADA Knowledge Base.

We provide a sample configuration file below that you can use as the basis for a client certificate. You can open the file using a text editor program such as Notepad.

Sample Configuration File

 

If you wish, you can use this sample configuration file as the basis for creating a client certificate for your own system:

# OpenSSL 3.x configuration for generating
# a Geo SCADA Expert OPC UA client certificate
# Save as "OPCUAClient.cnf"

# Replace with unique name of your Geo SCADA Expert system.
opcua_app_name = <yourApplicationInstanceName>

[ req ]
distinguished_name = subject
x509_extensions = x509_ext
string_mask = utf8only
prompt = no

[ subject ]
# Replace with details of your location.
# For country name use the ISO 3166-1 Alpha-2 code.
countryName = <yourCountry>
localityName = <yourCity>
stateOrProvinceName = <yourState>

# Replace with details of your organization.
organizationName = <yourCompanyName>
organizationalUnitName = <yourOrganizationalUnitName>

# Replace with a friendly name because this is presented to the user.
commonName = <yourCommonName>

[ x509_ext ]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
basicConstraints = critical,CA:FALSE
keyUsage = critical,digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyCertSign
extendedKeyUsage = clientAuth
subjectAltName = @alternate_names

[ alternate_names ]
URI.1 = urn:${opcua_app_name}:SchneiderElectric:ClearSCADA

With the sample configuration file:

• Copy the text above into a text editor, such as Notepad, and then replace the seven variables with appropriate values for your system. Then save to disk using the filename 'OPCUAClient.cnf'. You can do this on any machine, however the machine must have OpenSSL installed in order to complete the first 5 steps below. After that, perform steps 6 to 10 on a ViewX client.

• With the opcua_app_name property, replace <yourApplicationInstanceName> with the unique name of your own application instance. Do not include the angle brackets < >.

  The unique name can only comprise ASCII alpha-numerical characters and the hyphen character (-), as defined by RFC 8141. Additionally:

  • The first and last characters cannot be a hyphen.

  • The minimum length of the string is 2 characters.

  • The maximum length of the string is 32 characters.

  Each Geo SCADA Expert client that connects to an OPC UA server has to have a unique name to differentiate it from other Geo SCADA Expert clients. This refers to the system as a whole, not the individual hot-standby servers where the driver is running.

• Replace the entries in the [subject] section with your own country, locality, and organization details. Do not include the angle brackets < >. The countryName property should comprise the relevant ISO 3166-1 Alpha-2 code.

• Replace the entry for the commonName with suitable text that users of the certificate will see.

• Ensure that comments are preceded by a hash sign (#) and comprise just a single line.

• Ensure that each line of code comprises a single command, without any line wrapping.

Once your configuration file has the required content:

1. In Microsoft Windows, run the Command Prompt.

2. When the prompt is displayed, use the change directory command cd to change the working directory to the folder where you placed your certificate configuration file OPCUAClient.cnf

3. Run the following command to create the client certificate from that file:

   openssl req -x509 -noenc -newkey rsa:4096 -days 730 -keyout Temp.key -outform der -out OPCUAClient.cer -sha256 -config OPCUAClient.cnf

   (where OPCUAClient.cnf is the name of the configuration file that you are using as the basis for the certificate)

   When copying the above command from this topic, ensure that the whole of the copied command appears on a single line, without any line breaks.

   This command:

   • Creates an unencrypted 4096-bit RSA private key.

   • Creates a certificate with 2 year (730 day) lifespan, starting on the day that you create the certificate.

   • Creates a certificate using SHA256 signature algorithm.

   You can change these settings if need be.

4. Run the following command to convert the private key to DER format with no passphrase:

   openssl rsa -inform pem -in Temp.key -outform der -out OPCUAClient.key

   When copying the above command from this topic, ensure that the whole of the copied command appears on a single line, without any line breaks.

5. Delete the temporary PEM format key that was created in step 3:

   del /q Temp.key

   When copying the above command from this topic, ensure that the whole of the copied command appears on a single line, without any line breaks.

6. In the Geo SCADA Expert database, ensure that an SSL Certificate and Key database item exists for the new client certificate and key (see Use SSL Certificates for Driver Communications).

7. Import the certificate and key files that you created in steps 3 and 4 into SSL Certificate and Key database item (see Import an SSL Certificate into the Database).

8. On the Server tab of the OPC UA Server database item, use the browse button next to the Certificate and Private Key field to select the above SSL Certificate and Key database item (see Configure the URL, Certificate, and Authentication Properties)

9. Still on the Server tab, populate the Common Name field with the unique name of your own application instance that is used in the client certificate (see <yourApplicationInstanceName> above). (Despite its name, the field should NOT contain the certificate's subject common name.)

10. Save the configuration.