Hello!
I finally managed to use certificates generated by openssl in the OPC UA Server.
Create an ssl.conf file:
[ req ]
default_bits = 3072
# serial is not a [ req ] option and is ignored by openssl req (req -x509 picks a random serial)
#serial = 0
default_md = sha256
distinguished_name = subject
req_extensions = req_ext
x509_extensions = req_ext
string_mask = utf8only
prompt = no
[ req_ext ]
basicConstraints = critical, CA:false, pathlen:0
keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment, dataEncipherment, keyCertSign
extendedKeyUsage = critical, serverAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer:always
# no whitespace after DNS: / IP: / URI:
subjectAltName = URI:urn:PFC200V3-48117C:WAGO:WAGO%20750-8210%20PFC200%20G2%204ETH:OPCUA:Server,DNS:PFC200V3-48117C.home,IP:192.168.68.210
[ subject ]
#countryName = YOURCOUNTRYCODE
#stateOrProvinceName = YOURSTATE
#localityName = YOURLOCATION
#organizationName = YOURCOMPANYNAMEHERE
commonName = OPCUAServer@PFC200V3-48117C
Adapt the IP address and DNS name in subjectAltName, and also the commonName.
The subjectAltName URI MUST match the Ctrl Configuration Name in the OPC UA configuration, otherwise it will not be detected as an OPC UA server certificate.
Generate the RSA private key:
openssl genrsa -out key.pem 3072
Generate the certificate for the server:
openssl req -x509 -days 365 -new -key key.pem -out certificate.pem -config ssl.conf
Export the certificate in PKCS#12 format:
openssl pkcs12 -export -out certificate.pfx -inkey key.pem -in certificate.pem
(You can set a password or not.)
Now, in the CODESYS Security Screen, go to your device and click on the folder Own certificates.
Click on the button on the left to upload the certificate you created earlier with openssl.
It should be detected as "OPC UA Server"; otherwise there is an error in your ssl.conf file.
Then you can connect with your favourite OPC UA client as usual.
You will have to trust the server certificate the first time, and move your client certificate from Quarantined Certificates to Trusted Certificates.
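The whole procedure above, scripted as an added example (this is not code from the original post or from WAGO/CODESYS): a POSIX shell script that writes the ssl.conf, produces key.pem, certificate.pem and certificate.pfx, and then decodes the certificate with `openssl x509 -text` to confirm the subjectAltName URI, CA:FALSE, serverAuth and the key usages are actually present before you try the upload. The DNS name, IP address, application URI and PKCS#12 password are parameters; the values in the usage line are the ones from the post and are assumptions for your own controller.

```shell
#!/bin/sh
# Added example, not from the original post. Scripts the openssl steps
# described above and checks the result so a bad ssl.conf is caught here
# instead of at the CODESYS upload. Host name, IP, application URI and
# the PKCS#12 password are assumptions: pass your controller's values.
set -eu

# Write ssl.conf and produce key.pem, certificate.pem and certificate.pfx in $1.
# $1 output dir, $2 DNS name, $3 IP, $4 OPC UA application URI, $5 pkcs12 password
make_opcua_cert() {
    dir=$1; host=$2; ip=$3; uri=$4; pass=$5
    mkdir -p "$dir"
    cat > "$dir/ssl.conf" <<EOF
[ req ]
default_bits = 3072
default_md = sha256
distinguished_name = subject
req_extensions = req_ext
x509_extensions = req_ext
string_mask = utf8only
prompt = no

[ req_ext ]
# end-entity certificate; pathlen is a CA-only field (RFC 5280), so it is left out
basicConstraints = critical, CA:false
keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment, dataEncipherment, keyCertSign
extendedKeyUsage = critical, serverAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer:always
# the URI has to equal the application URI configured in CODESYS, otherwise
# the upload is not recognised as an OPC UA server certificate
subjectAltName = URI:${uri},DNS:${host},IP:${ip}

[ subject ]
commonName = OPCUAServer@${host%%.*}
EOF
    openssl genrsa -out "$dir/key.pem" 3072 2>/dev/null
    openssl req -x509 -days 365 -new -key "$dir/key.pem" \
        -out "$dir/certificate.pem" -config "$dir/ssl.conf"
    # -passout keeps the export non-interactive
    openssl pkcs12 -export -out "$dir/certificate.pfx" -inkey "$dir/key.pem" \
        -in "$dir/certificate.pem" -passout "pass:$pass"
}

# Decode the certificate and check the fields the post says matter for the
# CODESYS upload. $1 certificate.pem, $2 expected application URI.
# Returns 0 when everything is present, 1 and a message on stderr otherwise.
check_opcua_cert() {
    txt=$(openssl x509 -in "$1" -noout -text)
    for want in "URI:$2" "CA:FALSE" "TLS Web Server Authentication" \
                "Digital Signature" "Key Encipherment" "Data Encipherment"; do
        if ! printf '%s\n' "$txt" | grep -qF -- "$want"; then
            echo "certificate lacks: $want" >&2
            return 1
        fi
    done
    return 0
}

# Confirm the .pfx opens with the given password and still carries the certificate.
# $1 certificate.pfx, $2 password
pfx_has_cert() {
    openssl pkcs12 -in "$1" -nokeys -clcerts -passin "pass:$2" 2>/dev/null \
        | grep -q 'BEGIN CERTIFICATE'
}

# Usage (values from the post, adapt them):
#   sh opcua-cert.sh ./out PFC200V3-48117C.home 192.168.68.210 \
#     'urn:PFC200V3-48117C:WAGO:WAGO%20750-8210%20PFC200%20G2%204ETH:OPCUA:Server' secret
if [ $# -ge 4 ]; then
    make_opcua_cert "$1" "$2" "$3" "$4" "${5:-}"
    check_opcua_cert "$1/certificate.pem" "$4"
    pfx_has_cert "$1/certificate.pfx" "${5:-}"
    echo "ok: $1/certificate.pfx is ready for upload"
fi
```

If `check_opcua_cert` complains, fix ssl.conf before touching the Security Screen; the message names the missing field. One general caveat: OpenSSL 3.x exports PKCS#12 files with AES and PBKDF2 by default, and some older consumers only understand the legacy algorithms; if the .pfx is refused, re-run the export with `openssl pkcs12 -export -legacy ...` on OpenSSL 3.x and try again.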