Missing CertificateGenerator.exe; Using custom cert/key pair
Regarding the configuration tool: I would expect that you can get it by downloading and installing ".NET Stack and Sample Applications", from opcfoundation.org/developer-tools/samples-and-tools-unified-...stack-and-sample-applications/. But I have checked today and the download appears to be gone. Currently, to my knowledge, this means that the only way to get the tool is to get the sources from GitHub (github.com/OPCFoundation/UA-.NET-Legacy) and build them; it should be the "UA Configuration Tool.sln" solution.
Regarding the use of Windows Certificate Store: I have realized that the documentation is really lacking in this respect; all your questions make perfect sense, but are not covered in the User's Guide yet. This will improve in QuickOPC 2018.3. For now, I made the newly created parts of the doc (that are not yet released) available over our Knowledge Base: kb.opclabs.com/A_primer_on_OPC_UA_certificate_stores . There is the example you have asked for as well.
Best regards
- chrisstankevitz
- Topic Author
- Can you help me use the tool that comes with some OPC downloads to manage my QuickOPC keys/cert? (let me know if I misunderstood that). What is it called?
- How do I tell QuickOPC that I would like to use key/cert pair from the Windows Certificate Store? Do you have an example of that?
Thank you,
Chris
I should have elaborated my reply more. Here are the missing bits:
Just to be clear, QuickOPC supports Windows certificate stores, and directory-based stores, and you can choose. We are talking directory-based stores now. Parts of the discussion apply to Windows cert stores as well, but not everything.
Each directory-based certificate store resides in folders and files in the underlying file system of the OS. The directory-based store has generally two sub-folders: "certs", and "private". The certificates *without* the private key go into the "certs" folder, in .DER format. The certificates *with* the private key go into the "private" folder. It is up to you to secure the folder well (each differently, probably!), using the file system permissions mechanism.
Passwords are not used with private keys. This is the way OPC Foundation code does it - even in their latest .NETStandard fork. I am not sure what the design decision behind this is; I plan to ask the person who designed it, inside OPC Foundation, later this year when I meet him.
You can manage the certificates in directories or Windows stores manually, OR you can use a GUI tool that comes with some OPC Foundation downloads. I wanted to put a link here but I cannot currently reach their site. If you need it, let me know and I will retry.
Best regards
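Since the reply above says the directory-based store relies on file system permissions rather than passwords to protect private keys, here is an added example (not part of the original posts, and not OPC Labs or OPC Foundation code) that audits who can reach the "private" folder. The store root is an assumption derived from the "certs" path quoted elsewhere in this thread, and the allow-list is hypothetical.

```powershell
# Added example (not from the original thread). Audits the NTFS ACL on the
# "private" sub-folder of a directory-based OPC UA certificate store.
# ASSUMPTION: the default store root is inferred from the "certs" path quoted
# in the thread; pass your own store root via -StoreRoot.
param(
    [string]$StoreRoot = 'C:\ProgramData\OPC Foundation\CertificateStores\MachineDefault',
    # Hypothetical allow-list: identities that may read the private keys.
    [string[]]$Allowed = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators')
)

function Get-UnexpectedAccess {
    param([string]$Path, [string[]]$Allowed)
    # Any Allow rule for an identity outside the allow-list can reach the key
    # files, because the store does not password-protect them.
    (Get-Acl -LiteralPath $Path).Access |
        Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            $Allowed -notcontains $_.IdentityReference.Value
        } |
        Select-Object IdentityReference, FileSystemRights, IsInherited
}

$privateDir = Join-Path $StoreRoot 'private'
if (-not (Test-Path -LiteralPath $privateDir -PathType Container)) {
    Write-Warning "No 'private' folder under $StoreRoot"
    return
}

# Check the folder and every file in it; a file can carry its own explicit ACEs.
$targets = @($privateDir) +
    @(Get-ChildItem -LiteralPath $privateDir -File -Recurse | ForEach-Object FullName)
$findings = foreach ($t in $targets) {
    Get-UnexpectedAccess -Path $t -Allowed $Allowed |
        Select-Object @{n = 'Path'; e = { $t }}, IdentityReference, FileSystemRights, IsInherited
}

if ($findings) {
    $findings | Format-Table -AutoSize
    Write-Warning 'Private key material is accessible to identities outside the allow-list.'
} else {
    Write-Output "OK: only allow-listed identities have access to $privateDir"
}
```

Add the account your OPC UA application runs under to `-Allowed`, since it needs read access to its own key. Entries reported with `IsInherited` set to true come from a parent folder, so they have to be removed there or by disabling inheritance on the "private" folder.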
- chrisstankevitz
- Topic Author
What format should the private key be in? PFX? Should it be encrypted? If so, with what password? It seems weird that I would place an un-encrypted private key in that directory.
Thank you again,
Chris
Ad 1. The information you found in the User's Guide is obsolete, I apologize. I will make sure it gets updated in the next version. Under normal circumstances, you do not need CertificateGenerator.exe, and it is not placed physically onto the disk by QuickOPC. If you need it, it has to be obtained from OPC Foundation.
Ad 2. I hope the following examples will explain it.
```csharp
// This example demonstrates how to set the application name for the client certificate.
using System;
using OpcLabs.BaseLib.Instrumentation;
using OpcLabs.EasyOpc.UA;

namespace UADocExamples._UAApplicationParameters
{
    class ApplicationName
    {
        public static void Main1()
        {
            UAEndpointDescriptor endpointDescriptor =
                "opc.tcp://opcua.demo-this.com:51210/UA/SampleServer";
            // or "http://opcua.demo-this.com:51211/UA/SampleServer" (not in .NET Standard)
            // or "https://opcua.demo-this.com:51212/UA/SampleServer/"

            // Hook static events
            EasyUAClient.LogEntry += EasyUAClientOnLogEntry;

            try
            {
                // Set the application name, which determines the subject of the client certificate.
                // Note that this only works once in each host process.
                EasyUAClient.SharedParameters.EngineParameters.ApplicationParameters.ApplicationName =
                    "QuickOPC - CSharp example application";

                // Do something - invoke an OPC read, to trigger some loggable entries.
                var client = new EasyUAClient();
                client.ReadValue(endpointDescriptor, "nsu=http://test.org/UA/Data/;i=10853");

                // The certificate will be located or created in a directory similar to:
                //    C:\ProgramData\OPC Foundation\CertificateStores\MachineDefault\certs
                // or
                //    C:\Users\All Users\OPC Foundation\CertificateStores\UA Applications\certs\
                // and its subject will be as given by the application name.

                Console.WriteLine("Processing log entry events for 10 seconds...");
                System.Threading.Thread.Sleep(10 * 1000);

                Console.WriteLine("Done.");
            }
            finally
            {
                // Unhook static events
                EasyUAClient.LogEntry -= EasyUAClientOnLogEntry;
            }
        }

        // Event handler for the LogEntry event.
        // Print the loggable entry containing client certificate parameters.
        private static void EasyUAClientOnLogEntry(object sender, LogEntryEventArgs logEntryEventArgs)
        {
            if (logEntryEventArgs.EventId == 161)
                Console.WriteLine(logEntryEventArgs);
        }
    }
}
```
QuickOPC first tries to find the certificate by the name you have given. If it finds it, it uses it. It will create a certificate with the given name if it does not find it.
Best regards
- chrisstankevitz
- Topic Author
1. Missing CertificateGenerator.exe
According to [1], I should have an application called `C:\Program Files (x86)\Common Files\OPC Foundation\UA\v1.0\Bin\Opc.Ua.CertificateGenerator.exe`.
The path does not exist. Where can I find CertificateGenerator.exe?
2. Custom Certificate/Key Pair
How do I ask QuickOPC to use a "custom" certificate and key that I generated through a "3rd party" process? I have been provided the certificate and key that I am to use, and I would like to "load it" into the QuickOPC "Certificate Store" so that my app will use it.
Thank you,
Chris
[1] www.opclabs.com/files/documents/QuickOpc/Latest/User's%20Guide-QuickOPC.pdf