OPCFoundation / UA-.NETStandard

OPC Unified Architecture .NET Standard

Problem with certificates generated by createcert.sh (openssl) #46

Closed eoursel closed 8 years ago

eoursel commented 8 years ago

There is an issue with the certificate generated with createcert.sh on Ubuntu 16.04, while the certificate generated by OPC CertificateGenerator (generated on Windows and copied to the Linux host) is fine and accepted by the server. Find below the trace file.

10:07:35.940 Loading application configuration file. /home/eric/lab/opc_f/UA-.NETStandardLibrary/SampleApplications/Samples/NetCoreConsoleServer/Opc.Ua.SampleServer.Config.xml
10:07:36.377 Could not load private key for certificate UA Sample Server OpenSslCryptographicException 'error:23076071:PKCS12 routines:PKCS12_parse:mac verify failure'
10:07:36.387 Could not load private key certificate from file: arizona.pfx OpenSslCryptographicException 'error:23076071:PKCS12 routines:PKCS12_parse:mac verify failure'
10:07:36.396 Checking application instance certificate.
10:07:36.397 Could not load private key certificate from file: arizona.pfx OpenSslCryptographicException 'error:23076071:PKCS12 routines:PKCS12_parse:mac verify failure'
10:07:36.400 Could not load private key certificate from file: arizona.pfx OpenSslCryptographicException 'error:23076071:PKCS12 routines:PKCS12_parse:mac verify failure'
10:07:36.403 ServiceResultException:One or more errors occurred. (Cannot access certificate private key. Subject=CN=UA Sample Server, DC=arizona)
barnstee commented 8 years ago

@eoursel. Martin, who wrote the script, is currently on vacation, but will have a look when he returns in 2 weeks' time.

mregen commented 8 years ago

@eoursel sorry I can't repro this here on Ubuntu 16.04. Please check this: i) there should not be a password set on the private key. Just hit twice return. ii) rename or delete the ./OPC Foundation/ folder before ./createcert.sh is run to make sure there are only the new certs in the CertificateStore. If it still doesn't work could you send me the failing .der & .pfx certs?

eoursel commented 8 years ago

@mregen you are right, that's the password of the private key. I would recommend adding the option -passout, like

openssl pkcs12 -export -in cert.pem -inkey cert.key -out $MYHOSTNAME.pfx -nodes -passout pass:

in order to avoid entering a password. As a matter of fact, I would try to automate the creation of a docker container with the UA server, and it's a mandatory requirement to have a completely automated script with no operator interaction.

Anyway, there is at least a cyber security issue if we can't use a private key protected by a password to start a server. OK, I know that the TPM library @barnstee mentioned is certainly a clever solution.

Regards

Eric
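The passwordless export proposed in the comment above, next to the check that reproduces the server's "mac verify failure" when a .pfx is opened with a password that does not match, as an added example that is not part of this thread or of createcert.sh. It assumes openssl is on PATH; the host name arizona and the subject CN=UA Sample Server are taken from the trace in the issue, and the function names export_pfx, pfx_opens_with and pfx_error are the example's own.

```shell
#!/bin/sh
# Added example, not code from UA-.NETStandard or its createcert.sh.
# Shows (1) the unattended PKCS#12 export suggested in the thread and
# (2) why a password-protected .pfx fails at server start: PKCS12_parse
# verifies the file's MAC with the password it is given, so an empty
# password against a protected file yields "mac verify failure".
set -eu

WORKDIR=$(mktemp -d)
trap 'rm -rf "$WORKDIR"' EXIT

# Names taken from the trace in the issue; the exact subject createcert.sh
# would build is an assumption here.
MYHOSTNAME=arizona
SUBJECT="/CN=UA Sample Server/DC=$MYHOSTNAME"

# Self-signed test certificate with an unencrypted private key (-nodes),
# the same starting point createcert.sh has before its pkcs12 step.
openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
  -subj "$SUBJECT" -keyout "$WORKDIR/cert.key" -out "$WORKDIR/cert.pem" \
  >/dev/null 2>&1

# export_pfx PASSWORD OUTFILE: bundle cert.pem + cert.key into a .pfx.
# PASSWORD="" gives the unattended export (-passout pass:) the reporter asks for.
export_pfx() {
  openssl pkcs12 -export -in "$WORKDIR/cert.pem" -inkey "$WORKDIR/cert.key" \
    -out "$2" -passout "pass:$1"
}

# pfx_opens_with PASSWORD FILE: exit 0 if the PKCS#12 MAC verifies with
# PASSWORD, non-zero otherwise. The sample server supplies an empty password
# when it loads its .pfx, so pfx_opens_with "" is the check that matters.
pfx_opens_with() {
  openssl pkcs12 -in "$2" -passin "pass:$1" -noout >/dev/null 2>&1
}

# pfx_error PASSWORD FILE: last line of OpenSSL's error output for a failed
# open, e.g. "...PKCS12_parse:mac verify failure" (exact wording varies by version).
pfx_error() {
  openssl pkcs12 -in "$2" -passin "pass:$1" -noout 2>&1 >/dev/null | tail -n 1 || true
}

# Passwordless export: opens with an empty password, so the server starts unattended.
export_pfx "" "$WORKDIR/$MYHOSTNAME.pfx"
if pfx_opens_with "" "$WORKDIR/$MYHOSTNAME.pfx"; then
  echo "$MYHOSTNAME.pfx: opens with empty password (what the sample server needs)"
fi

# Password-protected export: the same empty-password load fails with the MAC
# error seen in the trace; only the real password opens the file.
export_pfx "secret" "$WORKDIR/protected.pfx"
if ! pfx_opens_with "" "$WORKDIR/protected.pfx"; then
  echo "protected.pfx: empty password rejected: $(pfx_error "" "$WORKDIR/protected.pfx")"
fi
if pfx_opens_with "secret" "$WORKDIR/protected.pfx"; then
  echo "protected.pfx: opens with its own password"
fi
```

The MAC check is the first thing PKCS12_parse does, before any key is decrypted, which is why the trace reports the failure as a private-key load error even though the key inside the bundle is fine. Running the script with a different PASSWORD argument to export_pfx reproduces both outcomes without touching the real CertificateStore.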

mregen commented 8 years ago

@eoursel Thanks, good point, I will fix the scripts. The scripts are only meant to be used to run the samples, not in production. For the pw support for the private keys we should have a feature request to make sure it is properly supported if required.

mregen commented 8 years ago

#51 to improve cert handling.