Certificate and private key for the OPC UA Telegraf plugin

Does anyone have any experience integrating Telegraf's OPC UA plugin and the FactoryTalk Linx Gateway? I've successfully done a test pull of data with the security policy set to None, but I can't figure out the private key path when I apply a security policy. Here are my steps:

  • I first verified the connection was working with Matrikon OPC UA Explorer by making a connection and trusting the incoming certificate; everything worked.
  • Then I made a test connection with Telegraf with security_policy set to Basic256Sha256 and security mode set to SignAndEncrypt. This produced an untrusted certificate in the FactoryTalk Linx Gateway configuration UI. I trusted the new cert, as I did with the Matrikon connection, but when I tried to test the connection it failed with the same error and there was a new untrusted certificate in FT Linx Gateway.
  • Next I tried to hard-code the path to the trusted certificate in the OPC configuration file and retest the connection, but now it's saying I need a private key.

Any advice or general direction would be greatly appreciated.

Hi @blharvey,
Welcome to the community :slight_smile:! Hopefully I can help break down a little of what's happening here:

  1. Self-generated certificates: If you do not specify a certificate path in the Telegraf config, Telegraf will generate its own, so what you did was correct. However, there is a small snag that I have highlighted in a ticket: if the Telegraf service stops running, on its next boot it will generate a new certificate that has to be trusted in the store. Not great, I know, but something we will be working on.
  2. Using your own certificates: The path you have tried next is the one we recommend, as it's far more secure than auto-generated certificates. You can usually generate one via OpenSSL if you plan to self-sign it. Something like:
openssl genrsa -out key.pem 2048
openssl req -x509 -days 365 -new -out cert.pem -key key.pem -config ssl.conf

Make sure to edit the conf file first.
ssl.conf:

[ req ]
default_bits = 2048
default_md = sha256
distinguished_name = subject
req_extensions = req_ext
x509_extensions = req_ext
string_mask = utf8only
prompt = no

[ req_ext ]
basicConstraints = CA:FALSE
nsCertType = client, server
keyUsage = nonRepudiation, digitalSignature, keyEncipherment, dataEncipherment, keyCertSign
extendedKeyUsage = serverAuth, clientAuth
nsComment = "OpenSSL Generated Certificate"
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer
subjectAltName = URI:urn:example.org:FreeOpcUa:python-opcua,IP:127.0.0.1 <CHANGE>

[ subject ]
countryName = DE
stateOrProvinceName = HE
localityName = HE
organizationName = <CHANGE>
commonName = <CHANGE>

This example was taken from Andreas Heine's repository: SecurePythonOpcUaClient/x509v3 at master · AndreasHeine/SecurePythonOpcUaClient · GitHub

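As an added example (not code from the thread, Telegraf or the linked repository), the following script wraps the OpenSSL steps above into functions and adds the two checks that usually explain a "private key" or "untrusted certificate" failure: the key really belongs to the certificate, and the certificate carries the application URI as a URI SAN. The application URI and output directory are assumed placeholders, and keyCertSign is dropped because the certificate is not a CA.

```shell
#!/bin/sh
# Added example, not from the thread: make a key pair for the Telegraf opcua input and
# check it before pointing the plugin at it. Needs the openssl CLI; paths/URI are assumed.
set -eu
APP_URI="urn:example.org:telegraf:opcua-client"  # assumed; must equal the plugin's application URI
OUT_DIR="${1:-./opcua-certs}"

# Request config: OPC UA wants the application URI as a URI SAN. Extensions follow the
# config shared above, minus keyCertSign (this is not a CA certificate).
write_conf() {
  cat > "$OUT_DIR/ssl.conf" <<EOF
[ req ]
default_bits = 2048
default_md = sha256
distinguished_name = subject
x509_extensions = req_ext
prompt = no
[ req_ext ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid, issuer
subjectAltName = URI:$APP_URI
[ subject ]
organizationName = Example Org
commonName = telegraf-opcua
EOF
}
# Key is written owner-readable only; the certificate is self-signed for 365 days.
generate() {
  mkdir -p "$OUT_DIR"; write_conf
  (umask 077; openssl genrsa -out "$OUT_DIR/key.pem" 2048 2>/dev/null)
  openssl req -x509 -days 365 -new -key "$OUT_DIR/key.pem" \
    -out "$OUT_DIR/cert.pem" -config "$OUT_DIR/ssl.conf"
}
# Check 1: the private key belongs to the certificate (identical public key digest).
key_matches_cert() {
  c=$(openssl x509 -in "$OUT_DIR/cert.pem" -pubkey -noout | openssl sha256)
  k=$(openssl pkey -in "$OUT_DIR/key.pem" -pubout 2>/dev/null | openssl sha256)
  [ "$c" = "$k" ]
}
# Check 2: the URI SAN that the server compares with the application URI is present.
cert_has_app_uri() {
  openssl x509 -in "$OUT_DIR/cert.pem" -noout -text | grep -q "URI:$APP_URI"
}
# SHA-1 fingerprint to match against the entry in the FactoryTalk Linx trust list.
fingerprint() { openssl x509 -in "$OUT_DIR/cert.pem" -noout -fingerprint -sha1; }
```

Source the file and call `generate`, then `key_matches_cert && cert_has_app_uri && fingerprint`; point the plugin's certificate and private_key settings at the resulting cert.pem and key.pem.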

Thanks for the help, Jay, the solution worked perfectly.

No worries at all @blharvey. I am glad it's up and running :slight_smile: