Generating self-signed SSL certificate

Generate the self-signed SSL certificate before you create a secure data source connection to the OPC UA server.

Before you begin

  • Take note of the Common Name (CN) for your SSL certificate.

    The CN is the fully qualified name of the system that uses the certificate. If you are using Dynamic DNS, use a wildcard CN, for example *.api.com. Otherwise, use the hostname or IP address that is set in your Gateway Cluster, for example 192.16.183.131 or dp1.acme.com.

About this task

Complete the following steps to generate a self-signed RSA certificate by using OpenSSL.

Procedure

  1. Generate a self-signed RSA certificate by creating a data source with the following properties.
    • Message Security Mode
    • Security Policy
    • Client Private Key File
    • Client Certificate File
    • Private Key Password
    For more information, see Creating a data source.
  2. Optional: You can also generate a self-signed RSA certificate by following this procedure.
    1. Create ssl.conf file in the openssl/bin installation directory.
    2. Copy the following to the ssl.conf file.
      [ req ]
      default_bits       = 4096
      distinguished_name = req_distinguished_name
      req_extensions     = req_ext
      
      [ req_distinguished_name ]
      countryName                 = Country Name (2 letter code)
      stateOrProvinceName         = State or Province Name (full name)
      localityName                = Locality Name (eg, city)
      organizationName            = Organization Name (eg, company)
      commonName                  = Common Name (e.g. server FQDN or YOUR name)
      commonName_max              = 64
      
      [ req_ext ]
      subjectAltName         = DNS.1:<hostname>,URI:urn:<hostname>:OPCUA:acmfgclient
      Note: Replace the <hostname> with the actual hostname of the computer.
    3. Add the RFC 5280 certificate extension values that your certificate requirements call for to the ssl.conf file.
      For example, the following certificate extension values are added under [ req_ext ]:
      
      extendedKeyUsage = serverAuth, clientAuth
      basicConstraints = CA:FALSE
      keyUsage = nonRepudiation, digitalSignature, keyEncipherment, dataEncipherment
      
      Note: RFC 5280 certificate extensions indicate how the certificate can be used. For more information about the extension parameters, see Application Instance Certificate.
    4. Open a command prompt window, and go to the openssl/bin directory.
      1. Type openssl to open the OpenSSL software.
      2. Generate your private key by using the following command:
        genrsa -out privateKey.pem 4096
      3. Generate a Certificate Signing Request (CSR) by using the following command:
        req -new -sha256 -out private.csr -key privateKey.pem -config ssl.conf
      4. Generate your public certificate by using the following command:
        x509 -req -sha256 -days 365 -in private.csr -signkey privateKey.pem -out clientCertificate.pem -extensions req_ext -extfile ssl.conf
      5. Combine your private key and certificate in a PKCS#12 (P12) bundle by using the following command. Specify a password when prompted.
        pkcs12 -export -in clientCertificate.pem -inkey privateKey.pem -out clientPrivateKey.pem
        Important: You must specify the private key password.
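As an added example (not part of this documentation or the product), the same OpenSSL steps as a non-interactive shell script: it writes the ssl.conf for a given hostname, runs the four commands, and then checks that the issued certificate actually carries the SAN, extendedKeyUsage and basicConstraints values that were requested. It assumes a POSIX shell with openssl on PATH; `prompt = no` with fixed DN values replaces the interactive DN prompts, and `-passout` replaces the PKCS#12 password prompt.

```shell
#!/bin/sh
# Constructed example: automate the page's procedure and verify the result.
set -eu

# gen_opcua_client_cert <hostname> <workdir> <p12-password>
gen_opcua_client_cert() {
  host="$1"; dir="$2"; pass="$3"
  mkdir -p "$dir"
  # ssl.conf as on the page, with <hostname> substituted. prompt=no and the
  # fixed DN values are assumptions so the script runs without user input.
  cat > "$dir/ssl.conf" <<EOF
[ req ]
default_bits       = 4096
distinguished_name = req_distinguished_name
req_extensions     = req_ext
prompt             = no

[ req_distinguished_name ]
countryName        = US
organizationName   = Example Org
commonName         = $host

[ req_ext ]
subjectAltName     = DNS.1:$host,URI:urn:$host:OPCUA:acmfgclient
extendedKeyUsage   = serverAuth, clientAuth
basicConstraints   = CA:FALSE
keyUsage           = nonRepudiation, digitalSignature, keyEncipherment, dataEncipherment
EOF
  openssl genrsa -out "$dir/privateKey.pem" 4096 2>/dev/null
  openssl req -new -sha256 -key "$dir/privateKey.pem" -config "$dir/ssl.conf" -out "$dir/private.csr"
  # -extensions/-extfile are what put the req_ext values into the certificate.
  openssl x509 -req -sha256 -days 365 -in "$dir/private.csr" -signkey "$dir/privateKey.pem" \
    -extensions req_ext -extfile "$dir/ssl.conf" -out "$dir/clientCertificate.pem" 2>/dev/null
  # -passout replaces the interactive password prompt of the page's last step.
  openssl pkcs12 -export -in "$dir/clientCertificate.pem" -inkey "$dir/privateKey.pem" \
    -out "$dir/clientPrivateKey.pem" -passout "pass:$pass"
}

# check_opcua_client_cert <hostname> <cert.pem>
# Returns 0 if the certificate carries the expected SAN, EKU and CA:FALSE, else 1.
check_opcua_client_cert() {
  host="$1"; txt=$(openssl x509 -in "$2" -noout -text)
  echo "$txt" | grep -qF "DNS:$host" || return 1
  echo "$txt" | grep -qF "URI:urn:$host:OPCUA:acmfgclient" || return 1
  echo "$txt" | grep -qF "TLS Web Server Authentication, TLS Web Client Authentication" || return 1
  echo "$txt" | grep -qF "CA:FALSE" || return 1
}
```

Run `gen_opcua_client_cert dp1.acme.com ./out 'yourpassword'` and then `check_opcua_client_cert dp1.acme.com ./out/clientCertificate.pem` before copying the files to the data source.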

What to do next

Manually trust the client certificate on the server workstation.
  • Move the client certificate from the rejected folder to the certs directory in the PKI folder.
  • The Source Items are loaded only after you trust the certificate.