Communication Encryption

Certificate-based encrypted connections are only enabled when both encryption_cert_path and encryption_private_key_path are specified in the options configuration object and are nonempty; if either is missing or empty, the client connects without encryption. The encryption_cert_password option can be omitted if the private key at encryption_private_key_path is not password-protected. Note that the openssl req commands below prompt for a passphrase and write an encrypted key unless -nodes is added to the command, in which case encryption_cert_password is not needed.

To use communication encryption, the application_uri, security_mode and pki_root_path must also be specified in the options configuration object.

Create an Encryption Certificate on a Unix-type System

To create an encryption certificate on a Unix-like system, the following command can be used. It relies on bash process substitution, <(...), so run it in bash rather than sh:
openssl req \
    -new \
    -newkey rsa:2048 \
    -days 3650 \
    -keyout encryption.key \
    -subj "/C=DE/O=Organization/CN=urn:ge.edge.research.com:GEPredix:OPCUAClient" \
    -reqexts SAN \
    -extensions SAN \
    -config <(cat /etc/ssl/openssl.cnf <(printf "[SAN]\nsubjectAltName=URI:urn:ge.edge.research.com:GEPredix:OPCUAClient")) \
    -x509 \
    -outform DER \
    -out encryption.der

The command writes the certificate as DER (encryption.der) and the private key as PEM (encryption.key). The URI in the subjectAltName must be exactly the value you will configure as application_uri; the CN in -subj carries the same URI for readability, but it is the subjectAltName that OPC-UA servers check.
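The command above produces the two files but does not check them. The following script is an added example, not code from the Predix Edge documentation or tooling. It generates the certificate with its own minimal OpenSSL config (so it needs neither /etc/ssl/openssl.cnf nor bash process substitution), writes the key unencrypted with -nodes, and then verifies what a practitioner wants to know before touching the device configuration: that the subjectAltName URI in encryption.der equals the intended application_uri, that encryption.key is the private key belonging to that certificate, and whether the key is password-protected (which decides whether encryption_cert_password is needed). The keyUsage and extendedKeyUsage values it adds are the ones OPC-UA application instance certificates are expected to carry. The APP_URI and OUT_DIR variables, the function names and the subject fields are this example's own choices.

```shell
#!/bin/sh
# Added example (not from the Predix Edge documentation): build and verify an
# OPC-UA client encryption certificate. Assumed inputs: APP_URI (the value you
# will configure as application_uri) and OUT_DIR (where the files are written).
set -eu

# Minimal OpenSSL config: the [SAN] section carries the application URI plus
# the key usages OPC-UA application instance certificates are expected to have.
san_config() {
    uri="$1"
    cat <<EOF
[req]
distinguished_name = dn
prompt = no
[dn]
# subject fields are supplied on the command line with -subj
[SAN]
subjectAltName = URI:${uri}
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
extendedKeyUsage = clientAuth
EOF
}

# Generate an unencrypted (-nodes) 2048-bit RSA key and a 10-year self-signed
# certificate in DER form, named as in the page's openssl command.
make_cert() {
    uri="$1"; dir="$2"
    mkdir -p "$dir"
    san_config "$uri" > "$dir/openssl_san.cnf"
    openssl req -new -x509 -newkey rsa:2048 -nodes -days 3650 \
        -keyout "$dir/encryption.key" \
        -subj "/C=DE/O=Organization/CN=${uri}" \
        -extensions SAN -config "$dir/openssl_san.cnf" \
        -outform DER -out "$dir/encryption.der"
    chmod 600 "$dir/encryption.key"   # the private key never leaves the device
}

# Print the URI from the certificate's subjectAltName (empty if there is none).
cert_uri() {
    openssl x509 -inform DER -in "$1" -noout -text \
        | grep -A1 'Subject Alternative Name' \
        | sed -n 's/^ *URI:\(.*\)$/\1/p'
}

# Succeed only if the public key in the certificate matches the private key.
check_keypair() {
    cert_pub=$(openssl x509 -inform DER -in "$1" -noout -pubkey)
    key_pub=$(openssl pkey -in "$2" -pubout)
    [ "$cert_pub" = "$key_pub" ]
}

# Both PKCS#8 ("BEGIN ENCRYPTED PRIVATE KEY") and traditional
# ("Proc-Type: 4,ENCRYPTED") PEM keys carry this marker when password-protected.
key_is_encrypted() {
    grep -q 'ENCRYPTED' "$1"
}

# Everything worth confirming before the files are copied anywhere.
verify_cert() {
    uri="$1"; dir="$2"
    found=$(cert_uri "$dir/encryption.der" || true)
    if [ "$found" != "$uri" ]; then
        echo "subjectAltName URI '$found' does not match application_uri '$uri'" >&2
        return 1
    fi
    if ! check_keypair "$dir/encryption.der" "$dir/encryption.key"; then
        echo "encryption.key does not belong to encryption.der" >&2
        return 1
    fi
    if key_is_encrypted "$dir/encryption.key"; then
        echo "note: encryption.key is password-protected; set encryption_cert_password" >&2
    fi
    echo "ok: $dir/encryption.der carries URI $uri and matches $dir/encryption.key"
}

# Usage: APP_URI=urn:example.com:Acme:OPCUAClient OUT_DIR=./certs sh make_opcua_cert.sh
if [ -n "${APP_URI:-}" ]; then
    make_cert "$APP_URI" "${OUT_DIR:-./certs}"
    verify_cert "$APP_URI" "${OUT_DIR:-./certs}"
fi
```

Only encryption.der leaves the device, to be added to the server's trust list; verify_cert failing on the URI check is the most common cause of a server rejecting the connection with a certificate-URI error after the certificate itself has been trusted.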

Create an Encryption Certificate on a Windows System

  1. Download OpenSSL for your Windows device (32-bit or 64-bit).
  2. Navigate to where you downloaded OpenSSL and install it using the executable.
  3. We first need to build the encryption key. This uses the default openssl.cfg file, but we need a copy modified for Predix Edge: copy it to a new config called openssl_predix_edge.cfg and append a [SAN] section to the copy. Note that cmd.exe does not interpret \n inside echo, so the section header and the subjectAltName line have to be written with separate echo commands (the leading echo. makes sure the new section starts on its own line even if openssl.cfg has no trailing newline). From the folder in which you want to generate your encryption certificate, open a command prompt as Administrator and run:
    copy C:\OpenSSL-Win64\bin\openssl.cfg C:\OpenSSL-Win64\bin\openssl_predix_edge.cfg && ^
        echo.>> C:\OpenSSL-Win64\bin\openssl_predix_edge.cfg && ^
        echo [SAN]>> C:\OpenSSL-Win64\bin\openssl_predix_edge.cfg && ^
        echo subjectAltName=URI:urn:ge.edge.research.com:GEPredix:OPCUAClient>> C:\OpenSSL-Win64\bin\openssl_predix_edge.cfg && ^
        C:\OpenSSL-Win64\bin\openssl.exe req ^
        -new ^
        -newkey rsa:2048 ^
        -days 3650 ^
        -keyout encryption.key ^
        -subj "/C=DE/ST=MA/O=Organization/CN=urn:ge.edge.research.com:GEPredix:OPCUAClient" ^
        -reqexts SAN ^
        -extensions SAN ^
        -config "C:\OpenSSL-Win64\bin\openssl_predix_edge.cfg" ^
        -x509 ^
        -outform DER ^
        -out encryption.der
    
  4. Your encryption.der and encryption.key files are now in the folder. Both are used on the Predix Edge device (as encryption_cert_path and encryption_private_key_path). Only encryption.der, the public certificate, is given to the OPC-UA server so that it can be added to the server's trust list; the private key in encryption.key must never be copied to the server or anywhere else.

application_uri

The application URI has the form urn:URI:COMPANY:APPLICATION, where you replace URI, COMPANY and APPLICATION with your own URI, company and application name (see the openssl commands above). It is embedded in the certificate twice when the certificate is created: as the CN in the -subj parameter and as the subjectAltName URI in the [SAN] section. The value configured for application_uri must match the subjectAltName URI in the certificate exactly, because OPC-UA servers compare the ApplicationUri the client announces against the one in its certificate and reject the connection on a mismatch even when the certificate itself is trusted.

security_mode

The following are the options for the security_mode field:
  • 'NONE'
  • 'BASIC128RSA15_SIGN'
  • 'BASIC128RSA15_SIGN_ENCRYPT'
  • 'BASIC256_SIGN'
  • 'BASIC256_SIGN_ENCRYPT'
  • 'BASIC256SHA256_SIGN'
  • 'BASIC256SHA256_SIGN_ENCRYPT'

This should match what is set on the OPC-UA server. NONE performs no signing or encryption and is only suitable for testing. The _SIGN modes protect message integrity but send payloads in the clear; the _SIGN_ENCRYPT modes provide both integrity and confidentiality. BASIC128RSA15 and BASIC256 are built on SHA-1 and are deprecated in current OPC-UA specifications, so prefer BASIC256SHA256_SIGN_ENCRYPT wherever the server supports it. The values are compared as written, so use the uppercase spelling shown above.

pki_root_path

The pki_root_path is the directory in which the client PKI structure is created. It defaults to /tmp/pki but can be changed to a custom location where you would like to store your encryption certificates. The structure created under it is:
pki/
├── client
│   ├── revoked
│   └── trusted
└── issuer
    ├── certs
    └── revoked

Certificates the client trusts, such as the OPC-UA server's certificate, belong under client/trusted and revoked ones under client/revoked; the issuer directories are for CA certificates and their revocation lists when the server's certificate is CA-signed rather than self-signed. Because /tmp is world-writable and is typically cleared on reboot, a persistent location with restricted permissions is preferable on production devices: anyone who can write to the trust directory can make the client trust an arbitrary server.

The client's encryption certificate must in turn be trusted by the server, that is, added to the server's trust list, in order to form a secure connection.
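As an added example (not Predix Edge code), the following POSIX shell script creates the PKI tree under a chosen pki_root_path, installs an OPC-UA server certificate into client/trusted (converting PEM to DER when needed), and validates the other options described on this page before the client is started: that application_uri has the urn:URI:COMPANY:APPLICATION form, that security_mode is one of the listed values (compared case-sensitively), that the certificate and key paths are both nonempty and point at existing files, and that a password-protected key is accompanied by encryption_cert_password. It also prints a warning for modes that give less protection than their names suggest. The function names, argument order and messages are this example's own; the set of modes and the directory layout are taken from this page.

```shell
#!/bin/sh
# Added example (not Predix Edge code): set up pki_root_path and sanity-check
# the encryption options before starting the OPC-UA client.
set -eu

# Create the client PKI tree described on this page under the given root.
pki_init() {
    root="$1"
    for sub in client/revoked client/trusted issuer/certs issuer/revoked; do
        mkdir -p "$root/$sub"
    done
    chmod 700 "$root"   # whoever can write here decides which servers are trusted
}

# Install a server certificate into the client's trust list as DER. PEM input
# is converted; anything else is assumed to be DER already. Prints the path.
pki_trust() {
    root="$1"; cert="$2"
    name=$(basename "$cert"); name="${name%.*}.der"
    dest="$root/client/trusted/$name"
    if grep -q 'BEGIN CERTIFICATE' "$cert" 2>/dev/null; then
        openssl x509 -in "$cert" -outform DER -out "$dest"
    else
        cp "$cert" "$dest"
    fi
    echo "$dest"
}

# Exactly the security_mode values this page lists; anything else is rejected.
security_mode_valid() {
    case "$1" in
        NONE|BASIC128RSA15_SIGN|BASIC128RSA15_SIGN_ENCRYPT|BASIC256_SIGN|BASIC256_SIGN_ENCRYPT|BASIC256SHA256_SIGN|BASIC256SHA256_SIGN_ENCRYPT)
            return 0 ;;
        *)  return 1 ;;
    esac
}

# One line per weakness of the chosen mode; nothing for BASIC256SHA256_SIGN_ENCRYPT.
security_mode_notes() {
    mode="$1"
    case "$mode" in NONE) echo "NONE: no signing or encryption on the wire" ;; esac
    case "$mode" in *_SIGN) echo "$mode: messages are signed but payloads are sent in the clear" ;; esac
    case "$mode" in BASIC128RSA15_*|BASIC256_*) echo "$mode: SHA-1 based profile, deprecated in OPC UA; prefer BASIC256SHA256_SIGN_ENCRYPT" ;; esac
}

# check_options APP_URI SECURITY_MODE PKI_ROOT CERT_PATH KEY_PATH [CERT_PASSWORD]
# Returns 0 when the options are consistent; every problem is reported on stderr.
check_options() {
    uri="$1"; mode="$2"; root="$3"; cert="$4"; key="$5"; password="${6:-}"
    rc=0
    case "$uri" in
        urn:*:*:*) ;;
        *) echo "application_uri '$uri' is not of the form urn:URI:COMPANY:APPLICATION" >&2; rc=1 ;;
    esac
    security_mode_valid "$mode" || { echo "security_mode '$mode' is not one of the supported values" >&2; rc=1; }
    [ -d "$root" ] || { echo "pki_root_path '$root' does not exist" >&2; rc=1; }
    if [ -z "$cert" ] || [ -z "$key" ]; then
        echo "encryption_cert_path and encryption_private_key_path must both be nonempty, otherwise encryption stays off" >&2; rc=1
    else
        [ -s "$cert" ] || { echo "certificate '$cert' is missing or empty" >&2; rc=1; }
        [ -s "$key" ]  || { echo "private key '$key' is missing or empty" >&2; rc=1; }
        if [ -s "$key" ] && grep -q 'ENCRYPTED' "$key" && [ -z "$password" ]; then
            echo "private key is password-protected but encryption_cert_password is not set" >&2; rc=1
        fi
    fi
    security_mode_notes "$mode" >&2
    return $rc
}

# Usage: PKI_ROOT=/var/lib/predix/pki sh pki_setup.sh /path/to/server.der
if [ -n "${PKI_ROOT:-}" ] && [ $# -eq 1 ]; then
    pki_init "$PKI_ROOT"
    echo "trusted server certificate stored as $(pki_trust "$PKI_ROOT" "$1")"
fi
```

Run check_options with the same values you put into the options configuration object; a nonzero exit means the client would either start without encryption or fail to open the secure channel, and the stderr lines say which option to fix.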