Step by step C# application with certificats|OPC UA Standard|Forum|OPC Foundation

Avatar
Search
Forum Scope


Match



Forum Options



Minimum search word length is 3 characters - maximum search word length is 84 characters
Lost password?
sp_Feed sp_PrintTopic sp_TopicIcon
Step by step C# application with certificats
Avatar
Régis CHABASSIER
New Member
Members
Forum Posts: 2
Member Since:
02/14/2022
sp_UserOfflineSmall Offline
1
02/21/2022 - 07:03
sp_Permalink sp_Print

Hello

I have to create a communication between my application (in C#) and an OPC UA server (KepWare).
For the moment, I succeeded to communicate without any security.
So now I want to use certificates. But I don't succeed to use them.

So I am looking for "Step by step" way to implement certificates in my C# application.

What I have done :
- Have a look to OPC Foundation sample => not working and I
- Try to use Opc.Ua.ConfigurationTool => not working but not sure to really understand what I have to do exactlly with this tool.
- Read lot of documents that explain the theory. But now I have to implement.
- I use official OPC Foundation Nugets package

 

Thanks for help!

Avatar
Randy Armstrong
Admin
Forum Posts: 1564
Member Since:
05/30/2017
sp_UserOfflineSmall Offline
2
02/22/2022 - 11:29
sp_Permalink sp_Print

The C# samples should automatically create any certificates they need when they start up.

Here is the documentation:

https://github.com/OPCFoundati.....ficates.md

Avatar
Régis CHABASSIER
New Member
Members
Forum Posts: 2
Member Since:
02/14/2022
sp_UserOfflineSmall Offline
3
03/01/2022 - 07:03
sp_Permalink sp_Print

Thanks for answer but didn't help me.

Documentation didn't explain how to implement security (only theory)

 

Examples didn't work
I want to create a new application.

But, as I understand it, I have to use a sample application to create the certificates and then use them in my own application ?

Seems to be complicated !

 

My first question was : I am looking for a detailed procedure to use the certificates.

For the moment I can communicate without any security !

Avatar
Randy Armstrong
Admin
Forum Posts: 1564
Member Since:
05/30/2017
sp_UserOfflineSmall Offline
4
03/01/2022 - 16:03
sp_Permalink sp_Print

All applications built with the NETStandard codebase can create their own certificate when they start (i.e. when CheckApplicationCertificate is called).

// check the application certificate.
bool haveAppCertificate = await application.CheckApplicationInstanceCertificate(
false, CertificateFactory.DefaultKeySize, CertificateFactory.DefaultLifeTime).ConfigureAwait(false);
if (!haveAppCertificate)
{
throw new Exception("Application instance certificate invalid!");
}

The location and contents of the auto-created certificate are specified in the configuration file.

<!-- Where the application instance certificate is stored (MachineDefault) -->
<ApplicationCertificate>
<StoreType>Directory</StoreType>
<StorePath>./pki/own</StorePath>
<SubjectName>CN=Quickstart Reference Server/DC=localhost</SubjectName>
</ApplicationCertificate>

The configuration file also specifies the location of the trust list as a directory on disk.

<!-- Where the issuer certificate are stored (certificate authorities) -->
<TrustedIssuerCertificates>
<StoreType>Directory</StoreType>
<StorePath>./pki/issuer</StorePath>
</TrustedIssuerCertificates>

<!-- Where the trust list is stored (UA Applications) -->
<TrustedPeerCertificates>
<StoreType>Directory</StoreType>
<StorePath>./pki/trusted</StorePath>
</TrustedPeerCertificates>

If client A wants to communicate with application B.

Then server B certificate must be copied to the trust list of client A (location in client A configuration file)

AND

Then client ! certificate must be copied to the trust list of server B (location in server A configuration file)

The rejected certificate folder stores untrusted certificates that allow an admin to review them before copying to the trust list. The location of the rejected folder is also in the configuration file.

<!-- The directory used to store invalid certficates for later review by the administrator. -->
<RejectedCertificateStore>
<StoreType>Directory</StoreType>
<StorePath>./pki/rejected</StorePath>
</RejectedCertificateStore>

Forum Timezone: America/Phoenix
Most Users Ever Online: 510
Currently Online:
Guest(s) 23
Currently Browsing this Page:
1 Guest(s)
Top Posters:
Forum Stats:
Groups: 2
Forums: 10
Topics: 1435
Posts: 4855