Can we use .PFX format to authenticate Ua client and server

Questions regarding the use of the C++ SDK for Server or Client development or integration into customer products ...

Moderator: uasdkcpp

Mohamed.Ansari
Jr. Member
Posts: 1
Joined: 31 Aug 2023, 17:26

Can we use .PFX format to authenticate Ua client and server

Post by Mohamed.Ansari »

Hi there,

I am using the C++-based Ua Demo Server application, and it is using a .der certificate and a .pem private key file, and the same is configured in the serverconfig.xml file. I am using UaExpert as the client, and here also I am using the .der and .pem combination of certificate and private key. With this setup I am able to connect UaExpert to the Ua Demo Server. But I would like to know if it is possible to use the .PFX file format (where both the public certificate and private key can be embedded into one file) in the server as well as in UaExpert and authenticate each other. If someone has any idea, please let me know.

Thanks,
Ansari

Support Team
Hero Member
Posts: 3072
Joined: 18 Mar 2011, 15:09

Re: Can we use .PFX format to authenticate Ua client and server

Post by Support Team »

Hi,

The OPC Specification requires the .der format for the public key, and the private key (*.pem) should never be transferred to anybody (because it is private); in the best case the private key is stored inside a secure element.

The .pfx is a container that can hold both in one file, and in order to use it with OPC UA you must extract the public key in DER format. There are different tools you can use to do so (CertManager from Microsoft, OpenSSL command line, etc.). However, the C++ SDK is not extracting anything; you must do it yourself and put it into the correct store location of the C++ SDK. Whatever (proprietary) container you use for your certificate, in the OPC UA protocol there is only one format allowed, which is DER.

We strongly recommend not to use pfx in order not to (accidentally) give your private key to somebody (the private key should never leave the device).

Best regards,
Unified Automation Support Team
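
The extraction step described in the reply above, done with the OpenSSL command line, as an added example that is not part of the forum posts or of Unified Automation's code. The file names, the `PFX_PASS` variable and the sample PFX are constructed for the demonstration; the SDK's store locations are not shown because the thread does not give them.

```shell
#!/bin/sh
# Added example: split a .pfx (PKCS#12) into a DER certificate and a PEM key.
# Run it on the device that owns the key, so the private key never leaves it.

# split_pfx <in.pfx> <out_cert.der> <out_key.pem>
# The PFX password is read from $PFX_PASS, not from the command line,
# so it does not show up in the process list.
split_pfx() (
    umask 077   # output files are readable by the owner only
    # Leaf certificate only (-clcerts -nokeys), re-encoded from PEM to DER.
    openssl pkcs12 -in "$1" -clcerts -nokeys -passin env:PFX_PASS |
        openssl x509 -outform DER -out "$2" || exit 1
    # Private key only (-nocerts); pkey strips the bag attributes to clean PEM.
    openssl pkcs12 -in "$1" -nocerts -nodes -passin env:PFX_PASS |
        openssl pkey -out "$3"
)

# cert_matches_key <cert.der> <key.pem>: true if both carry the same public key.
cert_matches_key() {
    [ "$(openssl x509 -inform DER -in "$1" -noout -pubkey)" = \
      "$(openssl pkey -in "$2" -pubout)" ]
}

# Build a constructed, self-signed sample PFX so the example runs offline.
make_sample_pfx() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=constructed-sample" \
        -keyout "$1/src_key.pem" -out "$1/src_cert.pem" 2>/dev/null
    openssl pkcs12 -export -inkey "$1/src_key.pem" -in "$1/src_cert.pem" \
        -out "$1/sample.pfx" -passout env:PFX_PASS
}

PFX_PASS='constructed-demo-password'; export PFX_PASS
work=$(mktemp -d)
trap 'rm -rf "$work"' EXIT   # the unencrypted sample key is removed on exit

make_sample_pfx "$work"
split_pfx "$work/sample.pfx" "$work/cert.der" "$work/key.pem"
if cert_matches_key "$work/cert.der" "$work/key.pem"; then
    echo "cert.der and key.pem belong together"
fi
```

Delete the .pfx once the split files are in place, so no portable copy of the private key remains on disk.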
