Ignition OPCUA Niagara 4 certificate

Romain_Boyer · May 2, 2024, 11:42am

Hi,
I have Ignition 8.1.38, I try to connect Niagara 4 to Ignition but I have problem with certificate.
During connection I see under certificate Niagara 4 certificate under Quarantined Certificates, I trust this certificate but under Niagara I have this error and connection doesn't working :

SEVERE [07:40:12 02-May-24 EDT][opcUaClient.certificateValidator] Certificate C=US,ST=CA,L=Folsom,OU=,O=Inductive Automation,CN=Ignition OPC UA Server failed trust validation: Unable to construct a valid chain
INFO [07:40:12 02-May-24 EDT][opcUaClient.certificateValidator] Exemption approved for host: 10.5.1.50:62541
SEVERE [07:40:13 02-May-24 EDT][opcUaClient.client] Exception occurred during ping for device OpcUaDevice with appURI urn:localhost:OPCUA:NiagaraOpcUaClient: com.prosysopc.ua.client.ConnectException: Failed to create secure channel to server: : opc.tcp://10.5.1.50:62541 [Profile Reporting Links] ServiceResult=Bad_SecurityChecksFailed (0x80130000) "An error occurred verifying security."

Any idea ?

Thanks

Kevin.Herron · May 2, 2024, 12:12pm

You’ll have to share the ignition logs and your certificate as well.

Romain_Boyer · May 2, 2024, 12:38pm

This is log

and my certificate

Kevin.Herron · May 2, 2024, 12:56pm

Can you upload that certificate file somewhere? DM or email it to me?

Romain_Boyer · May 2, 2024, 1:03pm

I don't see DM section, can you give me your email

Kevin.Herron · May 2, 2024, 1:09pm

It's my first name @inductiveautomation.com .

Kevin.Herron · May 2, 2024, 1:29pm

This certificate is missing a basicConstraints extension, which is a mandatory (at this time, anyway...) field for certificate used as an OPC UA application instance certificate.

You'll have to work with the vendor to generate a new one that has the required extension.

https://reference.opcfoundation.org/Core/Part6/v105/docs/6.2.2

Romain_Boyer · May 2, 2024, 1:38pm

Ok so I need to add CA flag to basicConstraints ?

Kevin.Herron · May 2, 2024, 2:08pm

Yes

Romain_Boyer · May 3, 2024, 5:26pm

Solution :

Per Section 6.2.2 of the OPC UA Reference, "Self-signed Certificates shall also include keyCertSign".

Several OpcUa server implementations have interpreted this to mean, that they should reject any certificate that does not comply. To ensure compatibility, we devised a way to make our OpcUaClient implementation use a cert with the keyCertSign usage. Since our framework is currently designed to require a password on any cert that has the keyCertSign usage, the solution requires extra steps.

Use Niagara version 4.10u2, or 4.11u1, or newer.
Create the cert/key pair using one of the attached scripts. gen-opc-cert.bat is a Windows batch script, and gen-opc-cert.sh is a bash script that can be run on Linux or in WSL. You can use either one, but both require that you have OpenSSL installed.
Import the PEM file (created in the previous step) into the User Key Store of the Certificate Management Service for the host, using a password for encryption.
In the Certificate slot on the Opc Ua Device, enter the name of the alias used for importing the cert/key above.
Using the HTML5 Property Sheet (or the AX Slot Sheet), add a new dynamic slot on the Opc Ua Device with the slot name serverKeyPassword where the Type is baja:Password.
Set the value of the serverKeyPassword property to be the encryption password that you specified when importing the certificate.

Note: global certificate password is a functionality introduced in Niagara 4.13. In Niagara 4.13+, this feature can be utilized instead of the serverKeyPassword property.

Script (.bat)

@echo off

where openssl >nul 2>nul
if %errorlevel% neq 0 (
  echo OpenSSL not available. Please install and try again. >&2
  exit /b 1
)

set /p hostname="Enter the client hostname [%COMPUTERNAME%]: "
if [%hostname%] == [] (
	set hostname=%COMPUTERNAME%
)

set /p validity="Enter certificate validity in days [365]: "
if [%validity%] == [] (
	set validity="365"
)

set /p pemfile="Enter destination file [.\client.pem]: "
if [%pemfile%] == [] (
	set "pemfile=.\client.pem"
)

set "conffile=%tmp%\opc-cert-generator-%random%-openssl.cnf"

(
echo ^
[ req ]^

distinguished_name = distinguished_name^

x509_extensions = exts

echo:
echo ^
[ distinguished_name ]^

countryName                     = Country Name ^(2 letter code^)^

countryName_default             = US^

countryName_min                 = 2^

countryName_max                 = 2^

stateOrProvinceName             = State or Province Name ^(full name^)^

localityName                    = Locality Name ^(eg, city^)^

0.organizationName              = Organization Name ^(eg, company^)^

organizationalUnitName          = Organizational Unit Name ^(eg, section^)^

commonName                      = Common Name ^(e.g. server FQDN or YOUR name^)^

commonName_default              = %hostname%^

commonName_max                  = 64^

emailAddress                    = Email Address^

emailAddress_max                = 64

echo:
echo ^
[ exts ]^

basicConstraints = critical, CA:TRUE^

subjectKeyIdentifier = hash^

authorityKeyIdentifier = keyid:always, issuer:always^

keyUsage = critical, digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment, keyCertSign^

extendedKeyUsage = clientAuth^

subjectAltName = URI.1:urn:localhost:OPCUA:NiagaraOpcUaClient
) > "%conffile%"

set "certfile=%tmp%\opc-cert-generator-%random%-cert.pem"

openssl req -x509 -newkey rsa:2048 -config "%conffile%" -keyout "%pemfile%" -out "%certfile%" -sha256 -days %validity%
if %errorlevel% neq 0 (
  echo error generating cert >&2
  del "%certfile%" 2>nul
  del "%pemfile%" 2>nul
  del "%conffile%" 2>nul
  exit /b 1
)

type "%certfile%" >> "%pemfile%"
echo Cert written to %pemfile%
del "%certfile%" 2>nul
del "%conffile%" 2>nul