the TLS implementation included in the OPC UA server and client can be used to establish reliably secure communication.

The challenges lie in setting up a PKI by equipping each device that runs an OPC UA server or client with certificates or keys, integrated in the OPC UA processes. The situation is complicated further by the fact that the keys are currently stored without any added protection in each device's file system. This is where CodeMeter comes in: CmDongles include a secure storage element that is the perfect place to keep keys. For these keys, hidden on CmDongles, to be accessible by OPC UA, the CodeMeter technology is integrated in the OPC UA server and client as illustrated on the previous page.

These capabilities are integrated by means of CodeMeter Certificate Vault, which provides the necessary interfaces to common TLS implementations like OpenSSL. CodeMeter Certificate Vault itself uses the CodeMeter API to access keys on the CmDongle. In our illustration, Machine B wants to communicate with Machine A. The OPC UA stack makes this possible through its TLS implementation, OpenSSL in this case. OpenSSL is integrated into the server and client in such a way that it does not use its own implementation of the cryptographic algorithms. Instead, CodeMeter Certificate Vault comes into the equation and uses the hardware implementation of the required cryptographic algorithms, e.g. RSA, on the CmDongle. The same happens on Machine A to facilitate authentication with Machine B.

This explains how keys can be used securely with OPC UA; but how do the keys get onto the devices, and where do the certificates come from?
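The division of labour just described, as an added example written for this page (it is not code from the article, from Wibu-Systems or from any OPC UA stack): the private key stays inside a holder that exposes nothing but a signing operation, the TLS stack is handed that holder instead of key material, and two machines authenticate each other through it. Go's crypto.Signer interface plays the role that the OpenSSL integration plays in the text; the secure element, the machine names and the trust setup are constructed stand-ins, and ECDSA P-256 is used instead of RSA only to keep the example short (crypto.Signer works the same way for RSA keys).

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"io"
	"math/big"
	"net"
	"time"
)

// secureElement is a constructed stand-in for the CmDongle's secure storage, not
// CodeMeter's API: the key sits in an unexported field and the only operation the
// TLS stack gets is Sign. A crypto.Signer is Go's counterpart of an OpenSSL engine.
type secureElement struct {
	key   *ecdsa.PrivateKey
	signs int // signing requests served, to show the handshake went through it
}

func (e *secureElement) Public() crypto.PublicKey { return &e.key.PublicKey }

// Sign is the single primitive the element offers; crypto/tls calls it for the
// handshake's CertificateVerify signature.
func (e *secureElement) Sign(r io.Reader, digest []byte, opts crypto.SignerOpts) ([]byte, error) {
	e.signs++
	return e.key.Sign(r, digest, opts)
}

// newPeer provisions an element for one machine (the key is generated inside it and
// never exported) and issues a self-signed certificate, also signed through the element.
func newPeer(name string) (*secureElement, tls.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, tls.Certificate{}, err
	}
	el := &secureElement{key: key}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: name}, DNSNames: []string{name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, el.Public(), el)
	if err != nil {
		return nil, tls.Certificate{}, err
	}
	leaf, _ := x509.ParseCertificate(der) // just created, cannot fail
	return el, tls.Certificate{Certificate: [][]byte{der}, PrivateKey: el, Leaf: leaf}, nil
}

// mutualHandshake models Machine A (server) and Machine B (client), each holding its
// key in its own element and trusting only the other's certificate, as OPC UA trust
// lists do. It returns how many signatures each element produced for the handshake.
func mutualHandshake() (serverSigns, clientSigns int, err error) {
	elA, certA, err := newPeer("machine-a")
	if err != nil {
		return 0, 0, err
	}
	elB, certB, err := newPeer("machine-b")
	if err != nil {
		return 0, 0, err
	}
	trustA, trustB := x509.NewCertPool(), x509.NewCertPool()
	trustA.AddCert(certA.Leaf)
	trustB.AddCert(certB.Leaf)
	serverCfg := &tls.Config{
		Certificates: []tls.Certificate{certA}, ClientAuth: tls.RequireAndVerifyClientCert, ClientCAs: trustB,
		MinVersion: tls.VersionTLS13, SessionTicketsDisabled: true, // no post-handshake write on the in-memory pipe
	}
	clientCfg := &tls.Config{Certificates: []tls.Certificate{certB}, RootCAs: trustA, ServerName: "machine-a", MinVersion: tls.VersionTLS13}
	before := [2]int{elA.signs, elB.signs} // self-signing above already used each element once
	a, b := net.Pipe()
	a.SetDeadline(time.Now().Add(5 * time.Second))
	b.SetDeadline(time.Now().Add(5 * time.Second))
	errc := make(chan error, 1)
	go func() { errc <- tls.Server(a, serverCfg).Handshake() }()
	if err := tls.Client(b, clientCfg).Handshake(); err != nil {
		return 0, 0, fmt.Errorf("client: %w", err)
	}
	if err := <-errc; err != nil {
		return 0, 0, fmt.Errorf("server: %w", err)
	}
	return elA.signs - before[0], elB.signs - before[1], nil
}

func main() {
	s, c, err := mutualHandshake()
	if err != nil {
		panic(err)
	}
	fmt.Printf("mTLS handshake ok; element A signed %d time(s), element B signed %d time(s)\n", s, c)
}
```

The point to take from the example is what the TLS stack never sees: it receives a value that can sign and report its public key, nothing more, so a compromise of the application process cannot copy the key out of the element. The sign counters make the offload visible; in a real deployment the equivalent evidence is the dongle's own operation log. SessionTicketsDisabled is only there because the peers talk over an in-memory pipe that nobody reads after the handshake.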
Managing Keys and Certificates with CodeMeter License Central
Software developers and the operators of manufacturing plants need a central means to manage and allocate the available keys and certificates, ideally without any changes to their established processes. Wibu-Systems offers CodeMeter License Central and its CodeMeter Certificate Vault extension as the perfect choice for consolidating their key and certificate management systems.

CodeMeter License Central already facilitates license management by integrating seamlessly with existing CRM, ERP, or e-commerce solutions, which guarantees support for established processes. Licenses can be activated either through a browser-based solution or by integrating dedicated interfaces in a given software product.

The CodeMeter Certificate Vault module is the CodeMeter License Central extension for creating, managing, and allocating keys and certificates. Certificates can be created either when an order is placed or when licenses are activated. The extension comes with the interfaces that external processes need in order to access it with the data required for the new certificate.
Illustration: managing keys and certificates with CodeMeter License Central and the CodeMeter Certificate Vault extension. Machines A, B and C each run CodeMeter with CodeMeter Certificate Vault.
1. License Central authorizes the CmDongle IDs of machine A and machine C.
2. Machine A and machine C each send their CmDongle ID.
3. The CodeMeter Certificate Vault extension creates the certificate(s) (Certificate Authority).
4. License Central delivers an encrypted WibuCmRaC file, which includes the private key(s) and certificate(s).
Our illustration reveals how CodeMeter License Central with the Certificate Vault extension manages keys and certificates. The operator first decides in CodeMeter License Central which devices are entitled to a certificate or key and creates a corresponding order there. To get a new certificate, the entitled device sends a WibuCmRaC file and all additional information needed for the certificate to the CodeMeter Certificate Vault extension. If no RSA key already created externally is to be used, CodeMeter Certificate Vault can create a new key pair.
A defined interface with a client-specific implementation is then used for creating the actual certificate. The software developer or machine producer can choose how the certificate is created from a wide variety of options. Step 3 in our illustration shows this choice, ranging from self-signed certificates to external certification authorities.

Once the certificate is ready, it is packaged up by CodeMeter License Central in a WibuCmRaU file with the private key and sent back to the requesting machine (step 4). Additionally, the key is backed up in CodeMeter License Central. After the file has arrived, the certificate and key are stored on the CmDongle and can be used by CodeMeter Certificate Vault, e.g. to establish secure communication.

Conclusion

CodeMeter Certificate Vault brings the reliable security of CodeMeter Dongles to the world of storing and using keys and certificates. With the CodeMeter Certificate Vault extension, existing processes can link up with CodeMeter License Central for a smooth and seamless creation and management of certificates.
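To close, the provisioning flow of steps 1 to 4 as an added example written for this page; it is not Wibu-Systems code and does not use CodeMeter's file formats. It takes an operator-run internal CA as the step 3 option, and it models the protection of the delivered file with a per-dongle secret shared with License Central at manufacture, which is an assumption of the example and not CodeMeter's mechanism. The authorization list from step 1, the key backup, and the device-side check that the certificate really comes from the expected CA follow the text; the names machine-a and machine-c are constructed.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// must turns "cannot happen" errors of local crypto calls into panics, so the
// protocol paths below return only the errors a practitioner has to handle.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}
// delivery stands in for the file of step 4 (constructed, not CodeMeter's format):
// the certificate in the clear, it is public anyway, and the key encrypted for one dongle.
type delivery struct{ Cert, Nonce, EncKey []byte }
// enrolled is what the dongle stores once the delivery has been checked.
type enrolled struct {
	key  *ecdsa.PrivateKey
	cert *x509.Certificate
}
// licenseCentral is the server side: the operator's authorization list (step 1), a
// per-dongle secret shared at manufacture (an assumed transport protection, not
// CodeMeter's mechanism), an internal CA (one step-3 option) and the key backup.
type licenseCentral struct {
	authorized      map[string]bool
	secrets, backup map[string][]byte
	ca              *x509.Certificate
	caKey           *ecdsa.PrivateKey
}
// certTemplate is the certificate shape shared by the CA and the device certificates.
func certTemplate(cn string, usage x509.KeyUsage, ca bool) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: usage, BasicConstraintsValid: true, IsCA: ca,
	}
}
func newLicenseCentral() *licenseCentral {
	caKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	t := certTemplate("Operator CA (constructed)", x509.KeyUsageCertSign, true)
	ca := must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, t, t, &caKey.PublicKey, caKey))))
	return &licenseCentral{map[string]bool{}, map[string][]byte{}, map[string][]byte{}, ca, caKey}
}
// manufacture registers a new dongle ID and returns the secret the device keeps.
func (lc *licenseCentral) manufacture(id string) []byte {
	lc.secrets[id] = make([]byte, 32)
	must(rand.Read(lc.secrets[id]))
	return lc.secrets[id]
}
func gcm(secret []byte) cipher.AEAD { return must(cipher.NewGCM(must(aes.NewCipher(secret)))) }

// issue performs steps 3 and 4: refuse dongles the operator did not entitle in step 1,
// generate the key pair, issue the certificate from the CA, back the key up, and
// encrypt the key so that only the named dongle can recover it.
func (lc *licenseCentral) issue(dongleID string) (delivery, error) {
	secret, known := lc.secrets[dongleID]
	if !known || !lc.authorized[dongleID] {
		return delivery{}, fmt.Errorf("dongle %q is unknown or not entitled to a certificate", dongleID)
	}
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	t := certTemplate(dongleID, x509.KeyUsageDigitalSignature, false)
	cert := must(x509.CreateCertificate(rand.Reader, t, lc.ca, &key.PublicKey, lc.caKey))
	keyDER := must(x509.MarshalPKCS8PrivateKey(key))
	lc.backup[dongleID] = keyDER // the backup kept in License Central
	nonce := make([]byte, 12)
	must(rand.Read(nonce))
	// Dongle ID and certificate are authenticated as additional data: the key can be
	// recovered only on the device it was issued to, and only with this certificate.
	return delivery{cert, nonce, gcm(secret).Seal(nil, nonce, keyDER, append([]byte(dongleID), cert...))}, nil
}

// receive is the device side of step 4: recover the key with the dongle's own secret
// and accept only a certificate issued by the operator's CA (the device's trust anchor).
func receive(dongleID string, secret []byte, ca *x509.Certificate, del delivery) (*enrolled, error) {
	keyDER, err := gcm(secret).Open(nil, del.Nonce, del.EncKey, append([]byte(dongleID), del.Cert...))
	if err != nil {
		return nil, fmt.Errorf("delivery not addressed to dongle %q: %w", dongleID, err)
	}
	cert := must(x509.ParseCertificate(del.Cert)) // authenticated above; malformed would be a server bug
	if err := cert.CheckSignatureFrom(ca); err != nil {
		return nil, fmt.Errorf("certificate not issued by the operator CA: %w", err)
	}
	return &enrolled{must(x509.ParsePKCS8PrivateKey(keyDER)).(*ecdsa.PrivateKey), cert}, nil
}

func main() {
	lc := newLicenseCentral()
	secretA, _ := lc.manufacture("machine-a"), lc.manufacture("machine-c")
	lc.authorized["machine-a"] = true // step 1: the operator entitles Machine A only
	e := must(receive("machine-a", secretA, lc.ca, must(lc.issue("machine-a"))))
	fmt.Println("machine-a holds a certificate for", e.cert.Subject.CommonName)
	_, err := lc.issue("machine-c")
	fmt.Println("machine-c:", err) // refused: not entitled in step 1
}
```

Two checks carry the security of the flow. On the server, issue refuses any dongle ID the operator has not entitled, so a request alone never yields a key. On the device, the delivered private key is only recoverable under that dongle's secret with the dongle ID and certificate bound as additional authenticated data, and the certificate is accepted only if it verifies against the operator's CA; a delivery replayed to another machine or a certificate from an unexpected issuer fails both checks. The backup in License Central is the same PKCS#8 encoding that was delivered, which is what allows a replacement dongle to be provisioned with the same identity later.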