SECURITY
CodeMeter and X.509 Certificates

Any conversation about security or authentication will, sooner or later, come down to the matter of certificates. Still, certificates remain a foreign concept for many people, and their application and management in practice are frequently too complicated and laborious.

Let us delve into the topic and explore what certificates do and how CodeMeter can be used to make their management and all other processes dealing with certificates easier and more comfortable for the user.

X.509 Certificates and PKI

Certificates are used to tie identities to public keys and to the related private keys. Certificates are used exclusively with public key algorithms such as RSA or ECC. In these algorithms, the key consists of a private key and a matching public key; therefore, they are always referred to as a key pair. Identity, in this case, means not just the identity of actual human beings. It can also refer to the identities of machines, devices, or roles. Whatever the case may be, for a certificate to link an identity with a key pair, it has to contain certain information about that identity, such as the device name or an IP address, together with the public key.

This establishes the link with the public key, but it is no proof that the identity in question indeed belongs to the owner of the key pair. A third entity is required to check and confirm that the identity goes with the key. This is done with a Public Key Infrastructure (PKI), consisting of a hierarchy of one or more anchors of trust, defined as Certificate Authorities (CAs). In order to obtain a certificate,
a Certificate Signing Request (CSR) must be sent to a CA, signed with the private key that goes with the certificate, to show the CA that the requesting entity actually holds the private key. The CA also needs to verify that the identity stated on the certificate matches the one of the requesting entity. In the case of individuals, this can be done by checking their ID cards or verifying their identity over the phone. Machines or other devices can have their identity verified either through a “device owner” – again an individual whose identity can be checked – or ideally through a set of unique device markers that can be tested automatically by the CA. Whichever route is employed, if the verification is successful, the CA signs the certificate to confirm the link between the identity and the key pair. With X.509 certificates, the entire edifice depends on the reliability of the CA, since a certificate can only be trusted if the issuing CA is trusted. This makes the CA the single point of failure.

Let us see how certificates can be used for authentication by looking at their use with the OPC UA protocol.

Safer Communication with OPC UA and CodeMeter

OPC UA is becoming an increasingly popular choice for communication between machines and devices in industry. This type of communication deserves particular safeguards, as it often contains sensitive data that needs to be protected from theft and tampering. OPC UA does so with the aid of X.509 certificates, which are used by the client and the server to authenticate themselves in OPC UA communication. If every device has a certificate and if all devices trust each other’s certificates,

[Figure: Secure OPC UA Connection using CodeMeter. Machine A and Machine B each show an OPC UA Client and an OPC UA Server, with OpenSSL, CodeMeter Certificate Vault and CodeMeter Embedded on each machine; each of the four endpoints (Machine A OPC UA Server, Machine A OPC UA Client, Machine B OPC UA Server, Machine B OPC UA Client) holds its own private key and certificate.]