Generating client certificates

Generating client certificates for OPC UA using OpenSSL. On Windows we used https://slproweb.com/products/Win32OpenSSL.html.

Before generating, you need to create a file domain.ext with the following content:


subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer:always
basicConstraints=critical, CA:TRUE, pathlen:0
keyUsage = critical,  digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment, keyCertSign
extendedKeyUsage = critical, serverAuth, clientAuth
subjectAltName = @alt_names
[alt_names]
DNS.1 = servername
URI.1 = urn:Scada:Ipesoft:D2000 Kom


Edit the URI.1 entry (the syntax is urn:<computer>:<vendor>:<application>) and, if necessary, the DNS.1 entry (server name).

Then generate a key (e.g. ProSoft PLX32-EIP-MBTCP-UA Multi-Protocol Gateway needed 2048-bit, other devices accepted 4096-bit):

openssl genrsa -out private.pem 2048

and generate a certificate signing request (CSR):

openssl req -new -key private.pem -out private.csr

OpenSSL then prompts for several parameters. Following the example of UaExpert, we fill in only Organization Name, Common Name, and Email Address; for the other parameters we enter a dot so that they stay empty.

Country Name (2 letter code) [AU]:.
State or Province Name (full name) [Some-State]:.
Locality Name (eg, city) []:.
Organization Name (eg, company) [Internet Widgits Pty Ltd]:MyCompany
Organizational Unit Name (eg, section) []:.
Common Name (e.g. server FQDN or YOUR name) []:kom@servername
Email Address []:ipesoft@ipesoft.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

Then generate a certificate, giving its validity in days (10000 corresponds to approximately 27 years).

openssl x509 -req -days 10000 -in private.csr -signkey private.pem -out cert.crt -extfile domain.ext

Convert the certificate cert.crt to der format:

openssl x509 -inform pem -in cert.crt -outform der -out cert.der

Copy the resulting certificate (cert.der) to the own directory and the private key (private.pem) to the private directory in the kom-opcua directory, see note.
Note: the private key/certificate generated in this way can also be used for the Unified Automation UaExpert tool.
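
The steps above as one non-interactive script, followed by a check that the resulting cert.der really carries the URI and DNS name from domain.ext and the expected key size. This is an added example, not part of the original page: the function names make_opcua_cert and check_opcua_cert are hypothetical, openssl is assumed to be on PATH, and the -subj values are the page's sample values.

```shell
#!/bin/sh
# Added example (not from the original page). Assumes "openssl" is on PATH.
# Function names are hypothetical.

# make_opcua_cert DIR APP_URI DNS_NAME [BITS]
# Runs in a subshell so that umask and cd do not leak into the caller.
make_opcua_cert() (
    umask 077                       # private.pem readable by the owner only
    mkdir -p "$1" && cd "$1" || exit 1
    # domain.ext as given on the page, with URI.1 and DNS.1 filled in
    cat > domain.ext <<EOF || exit 1
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer:always
basicConstraints=critical, CA:TRUE, pathlen:0
keyUsage = critical, digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment, keyCertSign
extendedKeyUsage = critical, serverAuth, clientAuth
subjectAltName = @alt_names
[alt_names]
DNS.1 = $3
URI.1 = $2
EOF
    openssl genrsa -out private.pem "${4:-2048}" || exit 1
    # -subj replaces the prompts; only O, CN and emailAddress are set
    openssl req -new -key private.pem -out private.csr \
        -subj "/O=MyCompany/CN=kom@$3/emailAddress=ipesoft@ipesoft.com" || exit 1
    openssl x509 -req -days 10000 -in private.csr -signkey private.pem \
        -out cert.crt -extfile domain.ext || exit 1
    openssl x509 -inform pem -in cert.crt -outform der -out cert.der
)

# check_opcua_cert DER_FILE APP_URI DNS_NAME BITS
# Returns 0 only if the SAN URI, SAN DNS name and key size all match.
check_opcua_cert() {
    text=$(openssl x509 -inform der -in "$1" -noout -text) || return 1
    printf '%s\n' "$text" | grep -qF "URI:$2" ||
        { echo "SAN URI mismatch" >&2; return 1; }
    printf '%s\n' "$text" | grep -qF "DNS:$3" ||
        { echo "SAN DNS mismatch" >&2; return 1; }
    printf '%s\n' "$text" | grep -qF "Public-Key: ($4 bit)" ||
        { echo "key size mismatch" >&2; return 1; }
}
```

Running check_opcua_cert before copying cert.der into place catches a domain.ext that was left with the template URI or server name.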