About OPC UA certificate authentication([Basic Constraints])

Questions regarding the use of the C++ SDK for Server or Client development or integration into customer products ...

Moderator: uasdkcpp

k.maeda
Full Member
Posts: 8
Joined: 17 Oct 2017, 09:19

About OPC UA certificate authentication([Basic Constraints])

Post by k.maeda »

Hi SupportTeam,

I'm developing OPC UA Server with UaSDKCpp.
I have a question about OPC UA certificate authentication.

I am trying to do certificate authentication with the following steps.
(1) Put the CA certificate in the TrustedList.
(2) Issue a certificate chained from the CA certificate of (1).
(3) Distribute the certificate of (2) to the client.
(4) The client performs SSL communication using the certificate of (3).

In doing the above,
I would like to prevent a certificate forged from the certificate of (3) from being authenticated.

For the above reason,
I would like to specify [Basic Constraints]->[pathLenConstraint] in the CA certificate.

In Unified Automation,
do you prohibit certificate authentication with a certificate that sits deeper in the hierarchy than the depth specified in [Basic Constraints] -> [pathLenConstraint]?

Support Team
Hero Member
Posts: 3068
Joined: 18 Mar 2011, 15:09

Re: About OPC UA certificate authentication([Basic Constraints])

Post by Support Team »

Hello k.maeda,

So you want your CA to sign a certificate that cannot act as a CA itself.
There are multiple settings that need to be considered:

BasicConstraints:
- Subject Type = End Entity (this setting is set to CA for CA certs)
- Path Length Constraint (default = None if you don't want to restrict the length)

Key Usage:
- Off-line CRL Signing (for CA only)
- CRL Signing (for CA only)

So just setting the Path Length Constraint to 1 probably works but isn't really correct. You should also set the Subject Type and Key Usage flags correctly.

Best regards
Unified Automation Support Team
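The three settings named in the answer above, as an added worked example; this is not code from the thread or from the Unified Automation SDK. It assumes openssl 1.1.1 or newer on PATH, uses `openssl verify` (an RFC 5280 path validator) as a stand-in for the server's certificate validator, and uses a placeholder ApplicationUri `urn:example:opcua:client` in the client certificate. It sets pathlen:0 on the CA, which is the value that forbids any further CA below a CA that signs the client certificates directly, as in steps (1) and (2) of the question. The "forgery" is a certificate signed with the client's own private key, which is what an attacker who copied the client key in step (3) could produce.

```shell
#!/bin/sh
# Added example, not code from the forum thread or from the Unified Automation SDK.
# Builds a small PKI with openssl (1.1.1 or newer assumed to be on PATH) and asks
# "openssl verify", which implements RFC 5280 path validation, which chains it accepts.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
CFG="$WORK/pki.cnf"

# Extension profiles. [req]/[req_dn] only exist so "openssl req" runs without the
# system openssl.cnf; the real subject comes from -subj. SKI/AKI are left out for brevity.
cat > "$CFG" <<'EOF'
[ req ]
distinguished_name = req_dn
prompt = no

[ req_dn ]
CN = overridden-by-subj

# The CA of the question: Subject Type = CA, pathlen:0 = may issue end entities only,
# and its key may only sign certificates and CRLs.
[ v3_ca ]
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign

# A correctly issued client certificate: Subject Type = End Entity, no keyCertSign.
# The ApplicationUri in subjectAltName is an assumed placeholder.
[ v3_client ]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
extendedKeyUsage = clientAuth, serverAuth
subjectAltName = URI:urn:example:opcua:client

# A mis-issued client certificate with CA:TRUE and keyCertSign set by mistake.
# Only the pathlen:0 on the CA stops certificates forged underneath it.
[ v3_client_mistake ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, digitalSignature, keyCertSign
EOF

gen_key() { openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$1" 2>/dev/null; }

# make_ca: self-signed CA certificate with the v3_ca profile -> $WORK/ca.crt
make_ca() {
  gen_key "$WORK/ca.key"
  openssl req -config "$CFG" -new -x509 -key "$WORK/ca.key" -subj "/CN=Plant OPC UA CA" \
    -days 3650 -sha256 -extensions v3_ca -out "$WORK/ca.crt"
}

# issue NAME SIGNER_CRT SIGNER_KEY PROFILE -> $WORK/NAME.crt
# "openssl x509 -req" signs with whatever key it is given and never checks that the
# signer is a CA; that is exactly what an attacker holding a client key can do.
issue() {
  gen_key "$WORK/$1.key"
  openssl req -config "$CFG" -new -key "$WORK/$1.key" -subj "/CN=$1" -out "$WORK/$1.csr"
  openssl x509 -req -in "$WORK/$1.csr" -CA "$2" -CAkey "$3" -CAcreateserial -days 365 \
    -sha256 -extfile "$CFG" -extensions "$4" -out "$WORK/$1.crt" 2>/dev/null
}

# verify_chain TARGET UNTRUSTED: exit 0 if TARGET chains to ca.crt, non-zero otherwise.
# UNTRUSTED holds the intermediate the client presents; pass ca.crt when there is none.
verify_chain() {
  openssl verify -CAfile "$WORK/ca.crt" -untrusted "$2" "$1" >/dev/null 2>&1
}

# reason TARGET UNTRUSTED: the "error N at D depth lookup: ..." line openssl prints, if any
reason() {
  openssl verify -CAfile "$WORK/ca.crt" -untrusted "$2" "$1" 2>&1 | grep 'depth lookup' || true
}

# report LABEL TARGET UNTRUSTED: one line per chain, for the reader
report() {
  if verify_chain "$2" "$3"; then echo "$1: accepted"; else echo "$1: rejected: $(reason "$2" "$3")"; fi
}

build_pki() {
  make_ca
  issue client  "$WORK/ca.crt"     "$WORK/ca.key"     v3_client    # step (2) of the question
  issue forged  "$WORK/client.crt" "$WORK/client.key" v3_client    # forged with the client's key
  issue client_mistake "$WORK/ca.crt" "$WORK/ca.key" v3_client_mistake
  issue forged2 "$WORK/client_mistake.crt" "$WORK/client_mistake.key" v3_client
}

build_pki
report "client  (CA -> client)"                    "$WORK/client.crt"  "$WORK/ca.crt"
report "forged  (CA -> client -> forged)"          "$WORK/forged.crt"  "$WORK/client.crt"
report "forged2 (CA -> CA:TRUE client -> forged2)" "$WORK/forged2.crt" "$WORK/client_mistake.crt"
```

Run it and the first chain is accepted while the other two are rejected. The forgery under the correct client certificate fails because that certificate is neither CA:TRUE nor allowed to keyCertSign, so the validator refuses to treat it as an issuer; that is the Subject Type and Key Usage point of the answer. The forgery under the mis-issued CA:TRUE client certificate is caught only by the CA's pathlen:0 ("path length constraint exceeded"), which is why the path length is a backstop and not a replacement for issuing the client certificate as an end entity. Whether the UA SDK validator reports the same error codes is not shown on this page; the extensions it has to evaluate are the same.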
