node-red-contrib-opcua
OPC UA Server Node and issuing/creating Certificates
QUESTION: I have used Kepware to issue Trusted Server and Trusted Client Certificates. Let's say I do not have this tool to do so. Can you please go over the "Best Practice" for issuing Trusted Server and then Trusted Client Certificates to be used on Client and Server? What software or process works? What would you do? And issuing them with a long end date period so as to limit expiring Certificates? Thanks,
If the server doesn't accept anonymous users, and access level & permissions are configured so that only users with the suitable role can write values / execute methods, then I expect a certificate renewal interval of 1-2 years or even more is good practice.
This will keep the following:
- Only trusted clients with strong certificates can access the server
- Access level will control the general level of read / write access to variables
- Permissions can be used to allow write / method execution only to selected users with a role like operator / engineer. See WellKnownRoles from the OPC UA specification: https://reference.opcfoundation.org/v104/Core/docs/Part3/4.8.2/
I'm pursuing UAExpert to use on Linux and Windows. I was also wondering about the Kleopatra certificate manager, to see if you can use it to manage the OPC UA Certifications. I would like to understand better the usage of Certificates vs. 'None' when it comes to Certificates and signing. Kepware is pretty good to go over this topic, and additionally Anonymous vs. Login/Password for security. No need to explain Certificates, but just whether you can use any tool, like Kepware or UAExpert, to build/create and manage them. Kepware and Windows are pretty straightforward, but Linux cannot run Kepware. Do you know of any educational documents or otherwise that go over this OPC UA topic? Thanks
Look at node-opcua and its certificate manager. It "automates" a lot, and Etienne is adding a certificate expiration alarm.
It is a new feature to get a notification (alarm) before a certificate has expired.
The latest version is not using openssl anymore; instead it uses internal crypto packages.
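For a Linux workflow without Kepware, here is an added example (not code from the thread, node-red-contrib-opcua or node-opcua) that issues a self-signed OPC UA application instance certificate with plain openssl and checks how far it is from expiry, the manual counterpart of what the certificate manager automates. The certificate name, ApplicationUri, hostname, organisation and the 730-day validity are constructed values.

```shell
#!/bin/sh
# Added example, not part of node-red-contrib-opcua or node-opcua.
# Issues a self-signed OPC UA application instance certificate with openssl:
# RSA-2048/SHA-256, a SAN carrying the ApplicationUri (URI) and hostname (DNS),
# and the key usages OPC UA peers check. Validity defaults to 730 days,
# in line with the 1-2 year renewal interval suggested in the thread.
# Usage: make_opcua_cert <name> <applicationUri> <hostname> [days]
make_opcua_cert() {
  name="$1"; app_uri="$2"; host="$3"; days="${4:-730}"
  cat > "$name.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = opcua
prompt = no
[dn]
CN = $name
O = ExampleOrg
[opcua]
subjectAltName = URI:$app_uri,DNS:$host
basicConstraints = critical,CA:FALSE
keyUsage = critical,digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
extendedKeyUsage = serverAuth,clientAuth
subjectKeyIdentifier = hash
EOF
  openssl req -x509 -newkey rsa:2048 -sha256 -nodes -days "$days" \
    -keyout "$name.key.pem" -out "$name.cert.pem" -config "$name.cnf" >/dev/null 2>&1
  # Most OPC UA stacks keep their trusted/ store as DER files
  openssl x509 -in "$name.cert.pem" -outform DER -out "$name.der"
  # The private key never leaves the host that owns the certificate
  chmod 600 "$name.key.pem"
}

# Peers reject a certificate whose SAN URI differs from the ApplicationUri
# the application announces, so print it for checking.
cert_application_uri() {
  openssl x509 -in "$1" -noout -text | grep -o 'URI:[^, ]*' | head -n 1 | sed 's/^URI://'
}

# Succeeds only if the certificate will still be valid <days> from now;
# run it from cron as a renewal alarm well before the end date.
cert_valid_for_days() {
  openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}
```

Copy the resulting `.der` file into the peer's trusted certificate folder; the `.key.pem` stays on the issuing host.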