In some cases a self-signed certificate is not enough: some programs require the certificate to be signed by a CA, even if it is only a private CA of our own.
For these cases we can generate our own CA and use it to sign our certificates. These certificates can then be used for various purposes, for example to authenticate our OPC UA servers or our OPC UA clients.
The commands below work with any current OpenSSL release (1.1.1 or 3.x) and generate 2048-bit RSA keys. Note that the bit size belongs to the key pair, not to the certificate: a certificate only carries the public key and the CA's signature over it.
Step 1: Create the CA key and its self-signed certificate (-x509 makes the request self-signed instead of producing a CSR): Command: openssl req -x509 -nodes -days 1000 -newkey rsa:2048 -keyout private_CA.pem -out cert_CA.crt
You will be prompted for the subject fields (country, organisation, Common Name, etc.). -nodes writes the private key unencrypted; if you omit it, OpenSSL asks for a passphrase, which is the safer choice for a CA key.
This produces two files: private_CA.pem, the CA's private key (keep it secret and, ideally, off the production hosts), and cert_CA.crt, the CA's certificate, which is public.
Step 2: Now create a private key, for example for a server: Command: openssl genrsa -out private_srv.pem 2048
Step 3: With the private key in place, create a certificate signing request (CSR) for the CA: Command: openssl req -new -key private_srv.pem -out cert_srv.csr
You will again be prompted for the subject fields; the Common Name is usually the server's hostname. Note that this request contains no subjectAltName. Browsers and OPC UA clients check that extension (OPC UA expects the server's ApplicationUri there as a URI entry), so for production certificates you should supply it, for example with -addext "subjectAltName=..." on the req command or with -extfile when signing in Step 4.
Step 4: Finally, create the certificate from the CSR we just generated, signed with the CA's private key: Command: openssl x509 -req -in cert_srv.csr -CA cert_CA.crt -CAkey private_CA.pem -out cert_srv.crt -days 3650 -sha512
Two things to watch here. First, if OpenSSL complains that cert_CA.srl does not exist, add -CAcreateserial so that it creates the serial-number file. Second, -days 3650 gives the server certificate a longer lifetime than the CA certificate from Step 1 (1000 days); once the CA certificate expires, the chain will no longer verify, so either give the CA a longer lifetime or the server certificate a shorter one.
Step 5: Verify the signature: Command: openssl verify -CAfile cert_CA.crt cert_srv.crt Expected response: cert_srv.crt: OK
We must now distribute the CA certificate, cert_CA.crt (the file we used to verify the signature, and only that file, never private_CA.pem), so that each client can add it to its list of trusted certificates: the browser's certificate store, or the trusted-certificates folder of the OPC UA client or server.
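The whole procedure as one script, added here as a worked example (it is not part of the original article). It uses explicit config files so the result does not depend on the distribution's openssl.cnf, puts the hostname and the OPC UA ApplicationUri into the subjectAltName, gives the server certificate a shorter lifetime than the CA, and ends with the verify step. The directory name, the Common Names, the hostname opcua-server.example.test and the URI urn:example.test:opcua-server are placeholders to replace with your own values.

```shell
#!/bin/sh
# Added worked example, not from the original article: CA + CA-signed server
# certificate with OpenSSL, as shell functions. All names and URIs below are
# placeholders; adapt them to your deployment.
set -eu

# Step 1: CA key and self-signed CA certificate. -nodes leaves private_CA.pem
# unencrypted, so keep that file off the OPC UA hosts and out of shared backups.
make_ca() {
  dir=$1
  cat > "$dir/ca.cnf" <<'EOF'
[ req ]
distinguished_name = dn
prompt             = no
x509_extensions    = v3_ca
[ dn ]
CN = Demo OPC UA Root CA
[ v3_ca ]
basicConstraints     = critical, CA:TRUE, pathlen:0
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
  openssl req -x509 -nodes -days 3650 -newkey rsa:2048 -sha256 \
    -config "$dir/ca.cnf" -keyout "$dir/private_CA.pem" -out "$dir/cert_CA.crt"
}

# Steps 2-4: server key, CSR and CA-signed certificate. The SAN carries the
# hostname and the ApplicationUri (OPC UA clients compare it with the server's
# ApplicationUri), and the leaf (365 days) expires before the CA (3650 days).
make_server_cert() {
  dir=$1; cn=$2; uri=$3
  cat > "$dir/srv.cnf" <<EOF
[ req ]
distinguished_name = dn
prompt             = no
[ dn ]
CN = $cn
[ srv_ext ]
basicConstraints       = CA:FALSE
keyUsage               = critical, digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
extendedKeyUsage       = serverAuth, clientAuth
subjectAltName         = URI:$uri, DNS:$cn
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid
EOF
  openssl genrsa -out "$dir/private_srv.pem" 2048
  openssl req -new -key "$dir/private_srv.pem" -config "$dir/srv.cnf" -out "$dir/cert_srv.csr"
  # -CAcreateserial creates cert_CA.srl on first use; -extfile adds the SAN and
  # key-usage extensions, which "openssl x509 -req" does not copy from the CSR.
  openssl x509 -req -in "$dir/cert_srv.csr" \
    -CA "$dir/cert_CA.crt" -CAkey "$dir/private_CA.pem" -CAcreateserial \
    -days 365 -sha256 -extfile "$dir/srv.cnf" -extensions srv_ext \
    -out "$dir/cert_srv.crt"
}

# Step 5: chain check. Succeeds only if the certificate chains to the given CA.
verify_cert() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Succeeds if the certificate's text dump contains the given SAN entry.
san_contains() {
  openssl x509 -in "$1" -noout -text | grep -q -- "$2"
}

main() {
  out=$1
  mkdir -p "$out"
  make_ca "$out"
  make_server_cert "$out" "opcua-server.example.test" "urn:example.test:opcua-server"
  if verify_cert "$out/cert_CA.crt" "$out/cert_srv.crt"; then
    echo "cert_srv.crt: OK"
  else
    echo "cert_srv.crt: verification failed" >&2
    return 1
  fi
  # Only the public CA certificate is handed to clients for their trust list.
  echo "trust anchor to distribute: $out/cert_CA.crt"
}

if [ $# -gt 0 ]; then
  main "$1"
fi
```

Run it as sh make_ca.sh ./pki; the directory then holds private_CA.pem, cert_CA.crt, private_srv.pem, cert_srv.csr and cert_srv.crt. A certificate signed by a different CA (or by a second run of make_ca) fails the verify step, which is exactly the check an OPC UA client or a browser performs before trusting the server.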