Server Certificate

Unified Architecture topics related to OPC UA Specification, compliant behavior and any technical issues of OPC UA, like Security, Information Model, Companion Specs DI, PLCopen, ADI, ...

Moderator: Support Team

Post Reply
Mel
Sr. Member
Sr. Member
Posts: 10
Joined: 04 Mar 2014, 14:19

Server Certificate

Post by Mel »

Hi,

I have a question about the usage of server and client certificate.

The server send his certificate with its Endpoint Description to the client.
The client uses the public key for encryption and signing of his next message, the OpenSecureChannel request.
Within this messages he send his client certificate to the server.
Then the server can also use the public key for signing and encryption.

Is this right?
Does the client and server exchange one public key?
So the server, for instance, uses the same private key decryption and signing?

Another question, why does the server exchange his certificate a second time?
I think he exchanges his certificate a second time in his OpenSecureChannel Response?
What is the purpose with this second exchange?

Thank you very much for your help,
Mel

User avatar
Support Team
Hero Member
Hero Member
Posts: 3064
Joined: 18 Mar 2011, 15:09

Re: Server Certificate

Post by Support Team »

Hi Mel,

Your description of the initial handshaking and certificate exchange is correct. GetEnpoints and the EndpointDescription is used by the client to get the server certificate. The client certificate is passed to the server with the OpenSecureChannel request.

The server does not send his certificate in the OpenSecureChannel response.

But client and server certificate are again exchanged in CreateSession request and response. This is necessary since applications may not have access to the secure channel layer, especially if the secure channel is not the standard UA TCP / UA Secure Conversation protocol. One example is OPC UA over HTTPS.

Best Regards,
Unified Automation Support Team

Mel
Sr. Member
Sr. Member
Posts: 10
Joined: 04 Mar 2014, 14:19

Re: Server Certificate

Post by Mel »

Hi,

thanks for your answer.

Are you sure, that the sever does not exchange its certificate with the OpenSecureChannel response message?
If I capture the data exchange between client and server with wireshark, i can identitfy the server certificate in the OpenSecureChannel response message.

And how do I have to understand the Table 30 on page 38 of the specification part 6?
There the asymmetric security header is shown.
I thought all Secure Channel messages use this asyymetric header and therefore the certificate of the server must be in the response message.

Hope you can help me to clear up my missunderstandings.

Thanks again,
Mel

User avatar
Support Team
Hero Member
Hero Member
Posts: 3064
Joined: 18 Mar 2011, 15:09

Re: Server Certificate

Post by Support Team »

Hello Mel,

the server certificate is not sent in the OpenSecureChannelResponse - that's service level.
But you are right - the server certificate is part of the security header that is send before the OpenSecureChannelResponse in the body.
We were just talking of slightly different things.

Best Regards,
Unified Automation Support Team

jessepinkman
Jr. Member
Jr. Member
Posts: 3
Joined: 18 Jul 2015, 20:02

OPCUA asymmetric encryption

Post by jessepinkman »

Hello,
In the OPCUA specification we should use an Asymmetric encryption (in my case RSA 256 oaep) to encrypt the “OpenSecureChannel request” and “OpenSecureChannel response”.
My OpenSecureChannel request/response size = 2000 octets
RSA Algorithm support bloc size of ~217 octets or something like that (RSA blocSize = RSA_Size(key) – paddingSize)

How should i do to encrypt my request and my response ???
Should i use an operation mode (CBC for example) to split my plainText into a small blocs ?? Am i respecting the specification by doing that

please, even if you don’t know the answer, any idea can be helpful !!
Thank you

User avatar
Support Team
Hero Member
Hero Member
Posts: 3064
Joined: 18 Mar 2011, 15:09

Re: Server Certificate

Post by Support Team »

Hello jessepinkman,

please read the forum rules, do not post same question in different threads !

find answer here:
http://forum.unified-automation.com/topic1585.html

Best Regards
Support Team

Post Reply