Generating a self-signed SSL certificate

Generate the self-signed SSL certificate before you create a secure data source connection to the OPC UA server.

Before you begin

  • Decide on the Common Name (CN) for your SSL certificate.

    The CN is the fully qualified name of the system that uses the certificate. If you use Dynamic DNS, use a wildcard CN, for example *.api.com. Otherwise, use the hostname or IP address that is set in your Gateway Cluster, for example 192.16.183.131 or dp1.acme.com.

About this task

Complete the following steps to generate a self-signed RSA certificate by using OpenSSL.

Procedure

  1. Create an ssl.conf file in the openssl/bin installation directory.
  2. Copy the following to the ssl.conf file.
    [ req ]
    default_bits       = 4096
    distinguished_name = req_distinguished_name
    req_extensions     = req_ext
    
    [ req_distinguished_name ]
    countryName                 = Country Name (2 letter code)
    stateOrProvinceName         = State or Province Name (full name)
    localityName                = Locality Name (eg, city)
    organizationName            = Organization Name (eg, company)
    commonName                  = Common Name (e.g. server FQDN or YOUR name)
    commonName_max              = 64
    
    [ req_ext ]
    subjectAltName         = DNS.1:<hostname>,URI:urn:<hostname>:OPCUA:acmfgclient
    Note: Replace <hostname> with the actual hostname of the computer in both places. The URI entry is the OPC UA application URI of the client. The server compares it with the ApplicationUri that the client sends when it connects, so the two values must match exactly.
  3. Add the RFC 5280 certificate extension values that your certificate requirements call for to the ssl.conf file.
    For example, the following extension values are added under [ req_ext ]:
    
    extendedKeyUsage = serverAuth, clientAuth 
    basicConstraints = CA:FALSE
    keyUsage = nonRepudiation, digitalSignature, keyEncipherment, dataEncipherment
    
    Note: RFC 5280 certificate extensions indicate how the certificate can be used. The keyUsage and extendedKeyUsage values shown are the ones an OPC UA application instance certificate is expected to carry. For more information on the extension parameters, see Application Instance Certificate.
  4. Open a command prompt window, and go to the openssl/bin directory.
    1. Type openssl to open the OpenSSL software.
    2. Generate your private key by using the following command:
      genrsa -out privateKey.pem 4096
      Note: The key file is written unencrypted. Restrict read access to it and keep it only on the system that uses the certificate.
    3. Generate Certificate Signing Request (CSR) by using the following command:
      req -new -sha256 -out private.csr -key privateKey.pem -config ssl.conf
    4. Generate your public certificate by using the following command:
      x509 -req -sha256 -days 365 -in private.csr -signkey privateKey.pem -out clientCertificate.pem -extensions req_ext -extfile ssl.conf
      Note: The -extensions req_ext -extfile ssl.conf options are required. The x509 -req command does not copy the extensions from the CSR into the certificate, so without these options the subjectAltName, keyUsage, and extendedKeyUsage values are omitted and the OPC UA server rejects the certificate.
  5. Combine your private key and certificate in a PKCS#12 (P12) bundle by using the following command:
    pkcs12 -export -in clientCertificate.pem -inkey privateKey.pem -out clientPrivateKey.pem
    Note: Although the output file is named clientPrivateKey.pem, it is a binary PKCS#12 bundle, not a PEM file. Keep the name so that the following steps find the file.
    1. Specify a password when prompted.
      Important: You must specify the private key password. Do not leave it empty: the password protects the private key in the bundle and is required when you create the data source.
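The following script is an added example and is not part of the original procedure or the product's own tooling. It runs the same OpenSSL steps non-interactively on a POSIX shell (the openssl commands are identical in a Windows command prompt) and then checks what a practitioner would want to confirm before trusting the certificate on the server: that the SAN really carries the DNS name and the OPC UA application URI, that the key usage and extended key usage values are present, that the certificate's public key matches privateKey.pem, and that the PKCS#12 bundle opens with the chosen password. The hostname dp1.acme.com is the page's example value; the output directory, the export password, and the subjectKeyIdentifier extension are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not from the original page: the procedure above run end to end,
# followed by checks on the result. Placeholder values (directory, password) are
# assumptions; replace them for your Gateway Cluster.
set -eu

# Writes the ssl.conf from the procedure. $1 = directory, $2 = hostname.
# The URI in the SAN is the OPC UA application URI and must equal the
# ApplicationUri the client presents when it connects.
write_ssl_conf() {
    cat > "$1/ssl.conf" <<EOF
[ req ]
default_bits       = 4096
distinguished_name = req_distinguished_name
req_extensions     = req_ext

[ req_distinguished_name ]
commonName                  = Common Name (e.g. server FQDN or YOUR name)
commonName_max              = 64

[ req_ext ]
subjectAltName       = DNS:$2,URI:urn:$2:OPCUA:acmfgclient
extendedKeyUsage     = serverAuth, clientAuth
basicConstraints     = CA:FALSE
keyUsage             = nonRepudiation, digitalSignature, keyEncipherment, dataEncipherment
# Not in the page's config; added here because it identifies the key the cert binds.
subjectKeyIdentifier = hash
EOF
}

# $1 = directory, $2 = hostname, $3 = RSA key size, $4 = PKCS#12 export password.
generate_client_cert() {
    dir=$1; host=$2; bits=$3; pw=$4
    # genrsa writes the key unencrypted: make every file here owner-readable only.
    umask 077
    write_ssl_conf "$dir" "$host"
    openssl genrsa -out "$dir/privateKey.pem" "$bits" 2>/dev/null
    # -subj supplies the DN, so the distinguished_name prompts never appear.
    openssl req -new -sha256 -batch -subj "/CN=$host" -key "$dir/privateKey.pem" \
        -out "$dir/private.csr" -config "$dir/ssl.conf"
    # x509 -req ignores the CSR's extensions; -extfile/-extensions put req_ext in.
    openssl x509 -req -sha256 -days 365 -in "$dir/private.csr" \
        -signkey "$dir/privateKey.pem" -out "$dir/clientCertificate.pem" \
        -extensions req_ext -extfile "$dir/ssl.conf" 2>/dev/null
    # Binary PKCS#12 bundle; the procedure names it clientPrivateKey.pem.
    openssl pkcs12 -export -in "$dir/clientCertificate.pem" \
        -inkey "$dir/privateKey.pem" -out "$dir/clientPrivateKey.pem" -passout "pass:$pw"
}

# Returns 0 only if the certificate carries the values the OPC UA server checks,
# matches its private key, and the bundle opens with the password.
# $1 = directory, $2 = hostname, $3 = PKCS#12 export password.
verify_client_cert() {
    dir=$1; host=$2; pw=$3
    text=$(openssl x509 -in "$dir/clientCertificate.pem" -noout -text)
    for want in "DNS:$host" "URI:urn:$host:OPCUA:acmfgclient" \
                "Digital Signature" "Key Encipherment" \
                "TLS Web Client Authentication" "CA:FALSE"; do
        printf '%s\n' "$text" | grep -F -q -- "$want" \
            || { echo "missing in certificate: $want" >&2; return 1; }
    done
    # The public key inside the certificate must be the one derived from privateKey.pem.
    [ "$(openssl x509 -in "$dir/clientCertificate.pem" -noout -pubkey)" = \
      "$(openssl pkey -in "$dir/privateKey.pem" -pubout)" ] \
        || { echo "certificate does not match privateKey.pem" >&2; return 1; }
    # The bundle must open with the password you will enter for the data source.
    openssl pkcs12 -in "$dir/clientPrivateKey.pem" -noout -passin "pass:$pw" >/dev/null 2>&1 \
        || { echo "PKCS#12 bundle does not open with that password" >&2; return 1; }
    return 0
}

# Run with placeholder values (assumptions); override through the environment.
OUT_DIR=${OUT_DIR:-$(mktemp -d)}
CLIENT_HOST=${CLIENT_HOST:-dp1.acme.com}
P12_PASS=${P12_PASS:-change-me}
generate_client_cert "$OUT_DIR" "$CLIENT_HOST" 4096 "$P12_PASS"
verify_client_cert "$OUT_DIR" "$CLIENT_HOST" "$P12_PASS"
echo "privateKey.pem, clientCertificate.pem and clientPrivateKey.pem written to $OUT_DIR"
```

Run it as `CLIENT_HOST=<hostname> P12_PASS=<password> sh make-client-cert.sh`; the verification step fails with a message naming the missing property rather than leaving you to discover the problem when the OPC UA server silently rejects the connection. If the product cannot read a bundle produced by OpenSSL 3.x, regenerate it with the pkcs12 -legacy option, which selects the older encryption that some PKCS#12 consumers still require.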

What to do next

  1. Manually trust the client certificate on the OPC UA server workstation.
    • After the client's first connection attempt, the server places the unknown client certificate in its rejected folder. Move the client certificate from the rejected folder to the certs directory in the PKI folder.
    • The Source Items are loaded only after the certificate is trusted.
  2. Create a data source by using the generated self-signed RSA certificate.