OPC UA : Client certificate creation

This tutorial will teach you how to create a client certificate for use within production environments. It focuses on preparing the configuration; it does not dive into X.509 and PKI details, nor into the specifics of any OPC UA server.

The Apache PLC4X client, like many other UA clients, is able to create an ad-hoc certificate for communication. While this lowers the entry barrier for many, it also creates a gap in secured environments that control certificate chains.

There are several ways to organize certificates. In this short tutorial we will use an open source tool called KeyStore Explorer, referred to herein as KSE. This tool lets you create files which can be used as a cryptographic keystore for Java-based programs, but not only those. One of the nice things the Java runtime introduced was the change of the default keystore format from JKS (Java KeyStore) to PKCS#12.

Creating self-signed certificate using KSE

Install the tool in the way appropriate for your operating system, then open it.

The entire process can be observed in the short screen capture below:

Creation of self-signed certificate authority using KeyStore Explorer

The step by step operations are:

  1. Navigate to File → New or press CTRL+N to create a new keystore.

    Create new keystore
  2. Pick PKCS#12 as desired store format.

    Use PKCS#12 format
  3. Navigate to Tools → Generate key pair or press CTRL+G:

    Create new key pair
  4. Decide on the key type (RSA, DSA, EC) and its size. RSA is fairly common; confirm the key size and click OK.

    Pick key type and size
  5. KSE will ask you for the certificate details.

    Certificate settings
  6. Go to the Name field and click the little phone book icon. You will be able to specify the common name (CN), organizational unit (OU) and other fields; confirm with OK.

    Certificate name details
  7. Click Add Extensions, located below the Name field (you will again see the step 5 window); it will open the next popup.

    Add extension popup
  8. Click Use Standard Template, select CA, then click OK.

    Use CA template
  9. This will fill the extensions list with a few rows, but do not close this window yet.

    CA certificate extensions details
  10. Click + next to the list, and select Subject Alternative Name, then click OK.

    Add subject name
  11. You will again see the window with the list; click + next to it.

    Subject alternative names list
  12. Select URI, type the client identifier in the General Name Value field (e.g. urn:my:plc:client), and confirm with OK.

    Add subject alternative name
  13. Click OK to close certificate extensions prompt.

  14. Click OK to finish certificate creation.

  15. Enter key pair alias and confirm with OK.

    Specify key pair alias
  16. Enter the private key password, confirm it in the second field and click OK.

    Specify private key password
  17. Upon completion of these steps you should be presented with "Key Pair Generation Successful" message.

    Completion of key generation
  18. Navigate to File → Save or press CTRL+S to save the keystore.

    Save keystore
  19. Enter the keystore password; for use within Java it must be the same as the private key password.

    Save keystore
  20. Specify the file location.

    Save keystore
  21. Close KSE; your client private key and certificate are ready for use.
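The keystore the steps above produce, rebuilt and then verified in code as an added example (not part of this tutorial, of KSE or of PLC4X); it assumes the Python `cryptography` package, the constructed client URI urn:my:plc:client from step 12 and a sample password, and shows what to check (private key present, CA constraint, URI SAN, key matching the certificate) before handing the file to the client.

```python
from datetime import datetime, timedelta, timezone
from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.hazmat.primitives.serialization import pkcs12
from cryptography.x509.oid import NameOID

# Constructed sample value: the client identifier typed in step 12.
APPLICATION_URI = "urn:my:plc:client"


def build_keystore(password: bytes, alias: str = "plc4x-client") -> bytes:
    """PKCS#12 bytes: RSA key + self-signed CA certificate with a URI SAN."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)  # step 4
    name = x509.Name([  # step 6: CN and OU
        x509.NameAttribute(NameOID.COMMON_NAME, "plc4x-client"),
        x509.NameAttribute(NameOID.ORGANIZATIONAL_UNIT_NAME, "Automation"),
    ])
    now = datetime.now(timezone.utc)
    cert = (
        x509.CertificateBuilder()
        .subject_name(name).issuer_name(name)
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now).not_valid_after(now + timedelta(days=365))
        # "CA" standard template (step 8)
        .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
        # Subject Alternative Name carrying the client URI (steps 10-12)
        .add_extension(x509.SubjectAlternativeName(
            [x509.UniformResourceIdentifier(APPLICATION_URI)]), critical=False)
        .sign(key, hashes.SHA256())
    )
    # Steps 16 and 19: one password protects both the key entry and the store.
    return pkcs12.serialize_key_and_certificates(
        alias.encode(), key, cert, None,
        serialization.BestAvailableEncryption(password))


def inspect_keystore(data: bytes, password: bytes) -> dict:
    """Open the store and report what an OPC UA client needs; a wrong password raises ValueError."""
    key, cert, _chain = pkcs12.load_key_and_certificates(data, password)
    san = cert.extensions.get_extension_for_class(x509.SubjectAlternativeName).value
    bc = cert.extensions.get_extension_for_class(x509.BasicConstraints).value
    return {
        "has_private_key": key is not None,
        "cn": cert.subject.get_attributes_for_oid(NameOID.COMMON_NAME)[0].value,
        "is_ca": bc.ca,
        "uris": san.get_values_for_type(x509.UniformResourceIdentifier),
        "key_matches_cert": key.public_key().public_numbers() == cert.public_key().public_numbers(),
    }
```

The URI reported under "uris" is the value the client's application URI setting must match, since servers compare the two when they validate the client certificate.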

Usage within OPC UA PLC4X client

For details of the options used to configure the client, please refer to the documentation of the Apache PLC4X OPC UA driver. Please remember that the keystore must be readable by your program. If you are not certain what the working directory of your program is, specify the full path to the keystore.