# Renewing SSL Certificates When working with OPC UA in Node-RED, managing SSL/TLS certificates is essential for secure client-server communication. If these certificates expire or are misconfigured, connections will fail with often cryptic errors. This guide walks through **how to renew certificates** for both the OPC UA **server** and **client**, including paths, formats, and best practices for avoiding common pitfalls. #### ๐Ÿ”„ Why Renew Certificates? 1. Certificates typically have a validity period (e.g., 1 year). 2. When expired, OPC UA clients and servers will reject connections. 3. Renewing involves generating a new certificate, replacing old files, and restarting Node-RED. ### ๐Ÿ›  Replacing the Server Certificate If you're using the `node-red-contrib-opcua-server` module, replace the server certificate as follows: ```bash ~\.node-red\node_modules\node-red-contrib-opcua-server\certificates ``` Place your renewed files here: * `public.pem` โ€” your public certificate * `private.pem` โ€” your private key โš ๏ธ **Make sure Node-RED has permission to read the new certificate files.** On Linux, you may need to run: ```bash chmod 600 private.pem chown node-red:node-red private.pem ``` {% hint style="info" %} If you're running Node-RED as a system service, permissions are especially important to avoid startup errors. {% endhint %} After replacement, **restart Node-RED** to apply the changes. *** ### ๐Ÿค Replacing the Client Certificate If Node-RED is acting as a **client** to connect to an OPC UA server (using nodes like `node-red-contrib-opcua-client`), it stores its identity certificate in: #### ๐Ÿ“ Client Certificate Location (Windows) ```bash %APPDATA%\node-opcua-default-nodejs\Config\PKI\own\ ``` Ensure that: * Files are in `.pem` format * File names match expectations (`public.pem`, `private.pem`) * Permissions allow Node-RED to read them #### ๐Ÿง Client Certificate Location (Linux) ```bash ~/.config/node-opcua-default-nodejs/Config/PKI/own/ ``` Ensure that: * Files are in `.pem` format * File names match expectations (`public.pem`, `private.pem`) * Permissions allow Node-RED to read them *** ### ๐Ÿงพ Required Certificate Extensions When generating your certificate, ensure the following **X.509 extensions** are set to avoid handshake errors: ```bash keyUsage = nonRepudiation, digitalSignature, keyEncipherment, dataEncipherment, keyCertSign extendedKeyUsage = clientAuth, serverAuth ``` Without these, clients or servers may reject the certificate with errors like โ€œcertificate not trustedโ€ or โ€œbad certificate usage.โ€ *** ### ๐Ÿท Common Name (CN) and Subject Alternative Name (SAN) The **Common Name (CN)** in your certificate must **exactly match** the hostname used in your OPC UA connection. {% hint style="info" %} Example: If your client connects to `opc.tcp://my-server.local:4840`, the CN should be `my-server.local`. {% endhint %} ### ๐Ÿ” Subject Alternative Name (SAN) Modern clients (including browsers and OPC UA stacks) often **require SAN fields**. You can include them using OpenSSL config: ``` subjectAltName = DNS:my-server.local, IP:192.168.1.100 ``` Without SANs, even a valid CN may be ignored by some clients. *** ### โš™๏ธ Generating New Certificates with OpenSSL Hereโ€™s an example `openssl.cnf` snippet you can use: ```ini [ req ] distinguished_name = req_distinguished_name x509_extensions = v3_req prompt = no [ req_distinguished_name ] CN = my-server.local [ v3_req ] keyUsage = nonRepudiation, digitalSignature, keyEncipherment, dataEncipherment, keyCertSign extendedKeyUsage = clientAuth, serverAuth subjectAltName = @alt_names [ alt_names ] DNS.1 = my-server.local IP.1 = 192.168.1.100 ``` And the command to generate: ```bash openssl req -x509 -nodes -days 365 \ -newkey rsa:2048 \ -keyout private.pem \ -out public.pem \ -config openssl.cnf ``` *** ### โ— Troubleshooting Tips If you're running into issues even after replacing the certificates, here are common things to check: * โœ… Make sure the CN and SAN **match the endpoint host** * โœ… Ensure the files are `.pem` format, not `.crt` or `.der` * โœ… Verify certificate is not expired: ``` openssl x509 -in public.pem -noout -enddate ``` * โœ… Check that the certificate has the correct `keyUsage` and `extendedKeyUsage` fields * โœ… Ensure **correct file permissions** so Node-RED can access the certs * โœ… **Include the full certificate chain** if using a CA-signed certificate (some clients require intermediate + root certs) ### ๐Ÿ“Š Summary Table | Use Case | File Path (Windows) | Files to Replace | | ------------- | --------------------------------------------------------------------- | --------------------------- | | OPC UA Server | `~\.node-red\node_modules\node-red-contrib-opcua-server\certificates` | `public.pem`, `private.pem` | | OPC UA Client | `%APPDATA%\node-opcua-default-nodejs\Config\PKI\own\{cert, private}` | `public.pem`, `private.pem` | *** ### ๐Ÿค– Automating Certificate Renewal (Optional) If you manage multiple environments or frequent testing, consider automating the renewal process: Example Linux script could: 1. Generate a new certificate via OpenSSL 2. Copy it to the appropriate folder(s) 3. Restart Node-RED (`systemctl restart nodered.service`) > โš ๏ธ Always validate certificates in a test setup before deploying to production. *** #### ๐Ÿ™ Community Contribution Special thanks to **Jeff Cooper**, who shared additional paths and practical fixes that helped improve this guide.