CodeMeter and X.509 Certificates
Any conversation about security or authentication will, sooner or later, come down to the matter of certificates. Still, certificates are a foreign concept for many people, and their practical application and management often remain too complicated and laborious.
Let us delve into the topic and explore what certificates do and how CodeMeter can be used to make their management and all other processes dealing with certificates easier and more comfortable for the user.
X.509 Certificates and PKI
Certificates are used to tie identities to public keys and to the related private keys. Certificates are used exclusively with public key algorithms such as RSA or ECC. In these algorithms, the key consists of a private key and a matching public key; therefore, they are always referred to as a key pair. Identity, in this case, means not just the identity of actual human beings. It can also refer to the identities of machines, devices, or roles. Whatever the case may be, for a certificate to link an identity with a key pair, it has to contain certain information about it, such as the device name or an IP address, and about the public key.
This establishes the link with the public key, but it is no proof that the identity in question indeed belongs to the owner of the key pair. A third entity is required to check and confirm that the identity goes with the key. This is done with a Public Key Infrastructure (PKI), consisting of a hierarchy of one or more anchors of trust, defined as Certificate Authorities (CAs). In order to obtain a certificate, a Certificate Signing Request (CSR) must be sent to a CA. The CSR is signed with the private key of the key pair, which shows the CA that the requesting entity actually holds that private key. The CA also needs to verify that the identity stated in the request matches that of the requesting entity. In the case of individuals, this can be done by checking their ID cards or verifying their identity over the phone. Machines or other devices can have their identity verified either through a device owner – again an individual whose identity can be checked – or ideally through a set of unique device markers that can be tested automatically by the CA. Whichever route is employed, if the verification is successful, the CA signs the certificate to confirm the link between the identity and the key pair. With X.509 certificates, the entire edifice depends on the reliability of the CA, since a certificate can only be trusted if the issuing CA is trusted. This makes the CA a single point of failure.
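The exchange just described, as an added example written for this article (not Wibu-Systems code) using only Go's standard library: the device creates a key pair and a CSR, the signing side checks the CSR's signature before issuing, and a verifier accepts the certificate only against the anchor it trusts. The function names, the P-256 ECC key, and the assumption that the identity itself was checked out of band are this example's own.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)
// DeviceCSR is the requesting side: a fresh key pair (P-256 ECC, an assumption) and a CSR naming the device, signed with the private key.
func DeviceCSR(identity string) ([]byte, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	csr, err := x509.CreateCertificateRequest(rand.Reader, &x509.CertificateRequest{Subject: pkix.Name{CommonName: identity}}, key)
	return csr, key, err
}

// Issue is the signing side. issuer == nil self-signs with the device's own key and marks the result a trust anchor;
// otherwise issuer is the CA certificate and signer its private key. Checking the identity itself (ID card, device markers) is assumed done.
func Issue(csrDER []byte, issuer *x509.Certificate, signer *ecdsa.PrivateKey) (*x509.Certificate, error) {
	csr, err := x509.ParseCertificateRequest(csrDER)
	if err == nil {
		err = csr.CheckSignature() // proves the requester holds the private key for this public key
	}
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: csr.Subject, BasicConstraintsValid: true,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(365 * 24 * time.Hour), KeyUsage: x509.KeyUsageDigitalSignature}
	if issuer == nil {
		issuer, tmpl.IsCA, tmpl.KeyUsage = tmpl, true, tmpl.KeyUsage|x509.KeyUsageCertSign
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, issuer, csr.PublicKey, signer)
	if err != nil {
		return nil, err // also fails when signer does not match the issuer certificate's key
	}
	return x509.ParseCertificate(der)
}

// Trusted reports whether cert chains to anchor; a certificate from any other CA is rejected, so trust in a certificate is only ever trust in its CA.
func Trusted(cert, anchor *x509.Certificate) bool {
	roots := x509.NewCertPool()
	roots.AddCert(anchor)
	_, err := cert.Verify(x509.VerifyOptions{Roots: roots})
	return err == nil
}
```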
Let us see how certificates can be used for authentication by looking at their use with the OPC UA protocol.
Safer Communication with OPC UA and CodeMeter
OPC UA is becoming an increasingly popular choice for communication between machines and devices in industry. This type of communication deserves particular safeguards, as it often contains sensitive data that needs to be protected from theft and tampering. OPC UA does so with the aid of X.509 certificates, which are used by the client and the server to authenticate themselves in OPC UA communication. If every device has a certificate and if all devices trust each other’s certificates, the TLS implementation included in the OPC UA server and client can be used to establish reliably secure communication.
The challenge lies in setting up a PKI: every device running an OPC UA server or client must be equipped with keys and certificates, and this provisioning must be integrated into the OPC UA processes. Matters are complicated further by the fact that the keys are currently stored in each device’s file system without any added protection. This is where CodeMeter comes in: CmDongles include a secure storage element that is the perfect place to keep keys. For these keys, hidden on CmDongles, to be accessible to OPC UA, the CodeMeter technology is integrated into the OPC UA server and client as illustrated on the previous page.
These capabilities are integrated by means of CodeMeter Certificate Vault, which provides the necessary interfaces to common TLS implementations like OpenSSL. CodeMeter Certificate Vault itself uses the CodeMeter API to access keys on the CmDongle. In our illustration, Machine B wants to communicate with Machine A. The OPC UA stack makes this possible through its TLS implementation, OpenSSL in this case. OpenSSL is integrated into the server and client in such a way that it does not use its own implementations of the cryptographic algorithms. Instead, CodeMeter Certificate Vault comes into the equation and uses the hardware implementation of the required cryptographic algorithm, e.g. RSA, on the CmDongle. The same happens on Machine A to facilitate authentication with Machine B.
This explains how keys can be used securely with OPC UA, but how do the keys get onto the devices, and where do the certificates come from?
Managing Keys and Certificates with CodeMeter License Central
Software developers and the operators of manufacturing plants need to have a central means to manage and allocate the available keys and certificates, ideally without any changes to their established processes.
Wibu-Systems offers CodeMeter License Central and its CodeMeter Certificate Vault extension as the perfect choice for them to consolidate their key and certificate management systems.
CodeMeter License Central already facilitates license management by integrating seamlessly with existing CRM, ERP, or e-commerce solutions, which guarantees support for established processes. Licenses can be activated either through a browser-based solution or through integrating dedicated interfaces in a given software product.
The CodeMeter Certificate Vault module is the CodeMeter License Central extension for creating, managing, and allocating keys and certificates. Certificates can be created either when an order is placed or when licenses are activated. The extension provides the interfaces that external processes use to supply the data required for the new certificate. Our illustration shows how CodeMeter License Central with the Certificate Vault extension manages keys and certificates. The operator first decides in CodeMeter License Central which devices are entitled to a certificate or key and creates an order in CodeMeter License Central to that effect.
To get a new certificate, the entitled device sends a WibuCmRaC file and all additional information needed for the certificate to the CodeMeter Certificate Vault extension. If no externally created RSA key is to be used, CodeMeter Certificate Vault can create a new key pair.
A defined interface with a client-specific implementation is then used for creating the actual certificate. The software developer or machine producer can choose how the certificate is created from a wide variety of options. Step 3 in our illustration shows this choice, ranging from self-signed certificates to external certification authorities.
Once the certificate is ready, it is packaged up by CodeMeter License Central in a WibuCmRaU file with the private key and sent back to the requesting machine (step 4). Additionally, the key is backed up in CodeMeter License Central. After the file has arrived, the certificate and key are stored on the CmDongle and can be used by CodeMeter Certificate Vault, e.g. to establish secure communication.
CodeMeter Certificate Vault brings the reliable security of CodeMeter Dongles to the world of storing and using keys and certificates.
With the CodeMeter Certificate Vault extension, existing processes can link up with CodeMeter License Central for a smooth and seamless creation and management of certificates.
KEYnote 39 – Edition Spring 2020