Creating OPC UA Clients with security support

One of the core features of OPC UA is the support for security, which means we get cryptographically encrypted and signed protocol, user authentication and authorization support.

To make this work, each application instances (installation of a program) needs to have its own Application Instance Certificate and the according private key.

The applications can either generate self-signed certificates on their own, get some from a certificate authority using OPC UA GDS, or simply can be configured with certificates which haven been created manually by the user.

Because at the moment Qt OPC UA does not support certificate generation or GDS, this tutorial describes how to generate a self-signed OPC UA certificate on the command line using OpenSSL.

Create a new Application Certificate

To be able to generate a correct x509v3 certificate with all required extensions for OPC UA, we need to setup a configuration file with all the necessary information first.

Remember to change subject and subjectAltName to match your case.

It is important to insert the ApplicationURI of the application into the URI field of subjectAltName, and that the hostname of your PC or device is inserted in the DNS fields of subjectAltName. Alternatively, you can use IP field if your device does not support host names and you are working with static IPs. Future versions of Qt OPC UA will be able to generate the certificate for you with correct information. For now, you can create one using the OpenSSL command line tool.

Example: opcuaviewer.config

[ req ]
default_bits = 2048
default_md = sha256
distinguished_name = subject
req_extensions = req_ext
x509_extensions = req_ext
string_mask = utf8only
prompt = no

[ req_ext ]
basicConstraints = critical, CA:FALSE
keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = URI:urn:foo.com:The%20Qt%20Company:QtOpcUaViewer,DNS:foo.com
subjectKeyIdentifier = hash
authorityKeyIdentifier=keyid:always,issuer:always

[ subject ]
countryName = DE
stateOrProvinceName = Berlin
localityName = Berlin
organizationName = The Qt Company
commonName = QtOpcUaViewer

Using this configuration file, OpenSSL is able to create a matching certificate for local use.

# create a self-signed certificate and private key
openssl req -new -x509  -config opcuaviewer.config -newkey rsa:2048 -keyout opcuaviewer.key -nodes -outform der -out opcuaviewer.der
# install the certificate and key into the application PKI directory
mv opcuaviewer.der /path/to/application/pki/own/certs/opcuaviewer.der
mv opcuaviewer.key /path/to/application/pki/own/private/opcuaviewer.pem
# secure private key file permissions
chmod 600 /path/to/application/pki/own/private/opcuaviewer.pem

It is important to secure the file permission of the private key, so that only the UA application can read it. For services (daemons), it is recommended to create dedicated unprivileged users accounts for this and make this user the owner of the key. For interactive applications, this key should be individual to the user. For interactive applications, it is also possible to password protect the key. In this case, the user needs to enter the password every time the application is started and loading the key. For this reason, password protected keys are not a good solution for unattended applications, because this would required to store the password in a configuration file.

You can dump the certificate data using OpenSSL to inspect the contents of the certificate:

        openssl x509 -in opcuaviewer.der -text -noout

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            be:aa:41:79:8a:b0:4f:9a
    Signature Algorithm: sha512WithRSAEncryption
        Issuer: C = DE, ST = Berlin, L = Berlin, O = The Qt Company, CN = QtOpcUaViewer
        Validity
            Not Before: Nov  7 14:38:52 2018 GMT
            Not After : Dec  7 14:38:52 2018 GMT
        Subject: C = DE, ST = Berlin, L = Berlin, O = The Qt Company, CN = QtOpcUaViewer
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    [ skipped ]
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Key Usage: critical
                Digital Signature, Non Repudiation, Key Encipherment, Data Encipherment, Certificate Sign
            X509v3 Subject Alternative Name:
                URI:urn:foo.com:The%20Qt%20Company:QtOpcUaViewer, DNS:foo.com
            X509v3 Subject Key Identifier:
                B2:E8:5E:34:21:EA:67:CF:61:FC:14:94:18:C1:AD:13:89:83:CA:9B
            X509v3 Authority Key Identifier:
                keyid:B2:E8:5E:34:21:EA:67:CF:61:FC:14:94:18:C1:AD:13:89:83:CA:9B
                DirName:/C=DE/ST=Berlin/L=Berlin/O=The Qt Company/CN=QtOpcUaViewer
                serial:BE:AA:41:79:8A:B0:4F:9A

    Signature Algorithm: sha512WithRSAEncryption
         [ skipped ]

Configuring the UA Application

To make security working with the certificate created in the previous step, it is important to

  • Configure the correct Application Identity
    m_identity = m_pkiConfig.applicationIdentity();
  • Configure PKI locations so that the SDK can find the certificate, private key, trust list etc.

    See for instance the code from the Qt OPC UA Viewer Example:

    void MainWindow::setupPkiConfiguration()
    {
        const QDir pkidir =
                QDir(QStandardPaths::writableLocation(QStandardPaths::AppLocalDataLocation) + "/pki");
    
        if (!pkidir.exists() && !copyDirRecursively(":/pki", pkidir.path()))
            qFatal("Could not set up directory %s!", qUtf8Printable(pkidir.path()));
    
        m_pkiConfig.setClientCertificateFile(pkidir.absoluteFilePath("own/certs/opcuaviewer.der"));
        m_pkiConfig.setPrivateKeyFile(pkidir.absoluteFilePath("own/private/opcuaviewer.pem"));
        m_pkiConfig.setTrustListDirectory(pkidir.absoluteFilePath("trusted/certs"));
        m_pkiConfig.setRevocationListDirectory(pkidir.absoluteFilePath("trusted/crl"));
        m_pkiConfig.setIssuerListDirectory(pkidir.absoluteFilePath("issuers/certs"));
        m_pkiConfig.setIssuerRevocationListDirectory(pkidir.absoluteFilePath("issuers/crl"));
    
        const QStringList toCreate = { m_pkiConfig.issuerListDirectory(),
                                       m_pkiConfig.issuerRevocationListDirectory() };
        for (const QString &dir : toCreate) {
            if (!QDir().mkpath(dir))
                qFatal("Could not create directory %s!", qUtf8Printable(dir));
        }
    }

    In the example, we extract pre-configured own and trusted certificates from the Qt resource system to a writable location in the file system. The remaining directories for issuer (revocation) lists are created manually.

PKI Folder Layout

Qt OPC UA uses the following folder layout:

FolderDescription
ownLocation to store the application's own certificates.
trustedA list of trusted application certificates or trusted CA certificates.
issuerA list of certificates for CAs which are not trusted but are needed to check signatures on certificates.
rejectedHere the application stores rejected certificates, so that they can later on be trusted by an Administrator. It is important to have a configured maximum number of files here. If this is reached, the oldest file should be deleted first. Without a limit, an attacker could fill the machine's hard disk with invalid connection attempts.

Each of the folders own, trusted, and issuers contain the subdirectory structure defined by the following table.

SubdirectoryDescription
certsContains the DER encoded X.509 v3 certificates. The files shall have a .der file extension.
privateContains the private keys. The format of the file may be backend specific. PEM encoded files should have a .pem extension. PKCS#12 encoded files should have a .pfx extension. The root file name shall be the same as the corresponding public key file in the certs directory. This folder only exists inside the own folder.
crlContains the DER encoded CRL for any CA certificates found in the certs directories. The files shall have a .crl file extension.

First connection

When connecting for the first time, the client needs to trust the server certificate.

The client should display a certificate warning (with cert details) and offer the possibility to save the certificate in its trust list. For an example, see Qt OPC UA Viewer Example.

When the client has accepted the server certificate, you can try to connect again. Now the server may reject the client's certificate. This is indicated by the generic error code BadSecurityChecksFailed. Server normally store rejected certificates in a special rejected folder. Administrator can move these into the trust list to trust clients. This avoids manually copying the client certificate to the server machine.

As soon as the server has trusted the client, you should be able to connect with security.

© 2024 The Qt Company Ltd. Documentation contributions included herein are the copyrights of their respective owners. The documentation provided herein is licensed under the terms of the GNU Free Documentation License version 1.3 as published by the Free Software Foundation. Qt and respective logos are trademarks of The Qt Company Ltd. in Finland and/or other countries worldwide. All other trademarks are property of their respective owners.