Signing X.509 Server Certificate with Certificate Authority

jonathang
Hero Member
Posts: 32
Joined: 02 Nov 2015, 19:07

Signing X.509 Server Certificate with Certificate Authority

Post by jonathang »

Dear Support Team,

We wrote an OPC UA Server using Unified Automation .NET Server SDK version 2.5.2 (.NET Framework 4.6.1) that is currently running with a self-generated X.509 Certificate. We would like to have that certificate signed by a trusted Certificate Authority or replaced with one purchased from a trusted Certificate Authority.

We contacted a few companies that sell SSL certificates like Symantec, but they do not seem to understand what we need and could not help us.

Can you recommend a CA that can provide signed X.509 Application Instance certificates?

Is signing with a 3rd party CA something that should be done for a production OPC UA Server?


Sincerely,

Jonathan

Support Team
Hero Member
Posts: 3064
Joined: 18 Mar 2011, 15:09

Re: Signing X.509 Server Certificate with Certificate Author

Post by Support Team »

Hello Jonathan,

the concept of using a CA-signed certificate requires that a CA is trustable for your scope. The well-known CAs also used in internet browsers are not usable for controlling communication between UA clients and UA servers by checking the certificates.
E.g. if you put the Symantec CA cert into your server's trust list, that would mean every application (UA Client) that has its certificate signed by that CA can access your UA server - you certainly don't want that.

You typically have your own CA (e.g. for the machine, line or factory) and control which AIC (Application Instance Certificate) shall have access.
Customers usually want to have control over who can access the OPC UA product (client or server), and you lose that control if you work with 3rd party CAs.

Best regards
Unified Automation Support Team

jonathang
Hero Member
Posts: 32
Joined: 02 Nov 2015, 19:07

Re: Signing X.509 Server Certificate with Certificate Author

Post by jonathang »

Dear Support Team,

Thank you very much for your reply.

Do you consider it enough to use a self-signed certificate in a production server?

If we decide to run multiple OPC UA servers for load balancing, can the servers share the same certificate or have a duplicate of the same certificate installed?
If certificates are generated with the same information in the config file, would they automatically belong to the same CA?


Sincerely,

Jonathan

Support Team
Hero Member
Posts: 3064
Joined: 18 Mar 2011, 15:09

Re: Signing X.509 Server Certificate with Certificate Author

Post by Support Team »

Hi Jonathan,

Using self-signed certificates is not a general problem. It is easier to manage in small setups with a few servers and clients. But CA signed certificates are better if you need to manage a larger number of clients and servers.

You can share a certificate between servers only in the case of transparent redundancy. In this case, all servers have the same network address and are logically one OPC UA application.

If you have servers running on different network addresses and different logical OPC UA applications, it is not possible to share a certificate since it uniquely identifies an OPC UA application and it also contains the host name / IP address which is checked by the client.

Best regards
Unified Automation Support Team

jonathang
Hero Member
Posts: 32
Joined: 02 Nov 2015, 19:07

Re: Signing X.509 Server Certificate with Certificate Author

Post by jonathang »

Dear Support Team,

Thank you very much for your reply.

If we want to sign our certificate with a CA, can you recommend someone?

We purchased a certificate from Digicert for code-signing but it is not what we need for OPC UA and they could not help us with application certificates.


Sincerely,

Jonathan

Support Team
Hero Member
Posts: 3064
Joined: 18 Mar 2011, 15:09

Re: Signing X.509 Server Certificate with Certificate Author

Post by Support Team »

Hello Jonathan,

we cannot recommend a specific CA for signing your server certificates. It depends on your application requirements and the overall security context your server and client application live in.

You could create your own CA and sign your certs yourself. You then let all clients trust that CA, and they can connect to all signed servers. However, you need to maintain this CA infrastructure, including updating/maintaining the revocation list.

In an industrial scenario, most probably the manufacturer of the "device" (UA Server) will not be the one signing the server's certificate. More likely, the plant or facility operator would have his CA infrastructure running. Hence your UA certificate must be signed by the operator's CA.

Example: a BMW production plant has machines (with PLCs inside having UA servers running) from Siemens and Bosch and Beckhoff and others. Now these PLCs will not have certificates signed by their manufacturer, e.g. Siemens. More likely BMW is running their own CA inside the plant, and they will get signing requests from the different UA servers within the different machines. Finally all PLCs (independently of the device manufacturer) will have CA-signed certificates, signed by the plant operator's CA (BMW). The security for accessing machines is in full control of the plant operator and complies with his security requirements, independently of the device/machine manufacturer.

Best regards
Unified Automation Support Team
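The operator-run CA described in the replies above, as an added example that is not from this thread or from the Unified Automation SDK: it builds a plant CA with the Python `cryptography` package, issues an Application Instance Certificate whose SubjectAltName carries the application URI and host name, and runs the two checks a client performs (signed by a CA in its trust list, identity fields match). The CA names, application URI and host name are constructed sample values; the validity-period and revocation-list checks the reply says you must maintain are left out.

```python
import datetime
from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.x509.oid import ExtendedKeyUsageOID, NameOID

ONE_YEAR = datetime.timedelta(days=365)


def make_ca(name):
    """Self-signed CA, e.g. the plant operator's CA (name is a constructed sample)."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    subj = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, name)])
    now = datetime.datetime.now(datetime.timezone.utc)
    cert = (x509.CertificateBuilder().subject_name(subj).issuer_name(subj)
            .public_key(key.public_key()).serial_number(x509.random_serial_number())
            .not_valid_before(now).not_valid_after(now + 10 * ONE_YEAR)
            .add_extension(x509.BasicConstraints(ca=True, path_length=0), critical=True)
            .sign(key, hashes.SHA256()))
    return key, cert


def issue_aic(ca_key, ca_cert, app_uri, hostname):
    """Issue an AIC: the SAN carries the application URI and the server host name."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    now = datetime.datetime.now(datetime.timezone.utc)
    cert = (x509.CertificateBuilder()
            .subject_name(x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, hostname)]))
            .issuer_name(ca_cert.subject).public_key(key.public_key())
            .serial_number(x509.random_serial_number())
            .not_valid_before(now).not_valid_after(now + ONE_YEAR)
            .add_extension(x509.SubjectAlternativeName(
                [x509.UniformResourceIdentifier(app_uri), x509.DNSName(hostname)]), critical=False)
            .add_extension(x509.ExtendedKeyUsage(
                [ExtendedKeyUsageOID.SERVER_AUTH, ExtendedKeyUsageOID.CLIENT_AUTH]), critical=False)
            .sign(ca_key, hashes.SHA256()))
    return key, cert


def client_accepts(server_cert, trusted_ca, expected_uri, expected_host):
    """Client-side check: issued by a CA in our trust list AND identity fields match.
    Putting a public CA in the trust list would admit every application it ever signed."""
    try:
        trusted_ca.public_key().verify(server_cert.signature, server_cert.tbs_certificate_bytes,
                                       padding.PKCS1v15(), server_cert.signature_hash_algorithm)
    except InvalidSignature:
        return False
    san = server_cert.extensions.get_extension_for_class(x509.SubjectAlternativeName).value
    return (expected_uri in san.get_values_for_type(x509.UniformResourceIdentifier)
            and expected_host in san.get_values_for_type(x509.DNSName))
```

A server certificate issued by a different CA, even with the same URI and host name, fails the signature check, which is the reason the reply gives for not trusting public CAs.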
