
Security policies and certificates

Goal

Enable secure endpoints. The Function-node API exposes two declarative knobs — securityPolicies and securityModes — on bootstrapServer({...}) from Creating an OPC UA server. Trust-store, server-certificate, and X.509 user-certificate management are handled by the palette itself; you do not configure them from a Function node.

No custom certificate manager

A per-Function-node certificate manager would split the runtime's trust state across multiple PKI directories. The palette therefore wires a single shared OPCUACertificateManager for all OPC UA client and server nodes. Trust decisions you make for a client (accepting a peer certificate) are immediately visible to your server, and vice versa. The folder paths in use are reported by the server-info Function.

securityPolicies and securityModes are part of the config-identity hash, so changing them in the boot Function and redeploying triggers an automatic teardown-then-rebuild. To force a rebuild without changing config (e.g. after editing the trust store on disk), pass forceRebuild: true on the next call.

Add security settings

const sterfive = global.get("sterfive");
if (!sterfive) {
  node.error("global.get('sterfive') is not set — is the Sterfive OPC UA palette loaded?");
} else {
  const { bootstrap, opcua } = sterfive;
  const { bootstrapServer } = bootstrap;

  // Optional overrides arrive on msg.config; defaults below apply otherwise.
  const cfg = msg.config || {};

  const handle = await bootstrapServer({
    port: cfg.port ?? 4840,
    endpoint: cfg.endpoint || "node-red-server",
    nodesets: ["standard"],
    // Both lists are part of the config-identity hash: changing either one
    // and redeploying tears the server down and rebuilds it.
    securityPolicies: [
      opcua.SecurityPolicy.None,
      opcua.SecurityPolicy.Basic256Sha256,
    ],
    securityModes: [
      opcua.MessageSecurityMode.None,
      opcua.MessageSecurityMode.Sign,
      opcua.MessageSecurityMode.SignAndEncrypt,
    ],
    onPopulate: (addressSpace, exposed) => {
      const ns = addressSpace.getOwnNamespace();
      exposed.myVariable = ns.addVariable({
        organizedBy: "RootFolder",
        nodeId: "s=MyDynamicVariable",
        browseName: "MyDynamicVariable",
        dataType: "Double",
        value: { dataType: opcua.DataType.Double, value: 0.0 },
      });
    },
  });

  // Keep the exposed variable and the handle in flow context for other nodes.
  flow.set("$myVariable", handle.exposed.myVariable);
  flow.set("$opcuaHandle", handle);

  node.send({ payload: `OPC UA Server running at ${handle.server.getEndpointUrl()}` });
}

The server advertises the Cartesian product of the allowed (policy, mode) pairs as separate endpoints. A client picks one of them when it creates its session.

Trusting client certificates

The palette manages a single shared certificate store. The flow is the same for every server you boot:

  1. A client connects for the first time over a secure mode. Its certificate lands in the rejected folder.
  2. Move (or copy) the certificate from the rejected folder into the trusted folder.
  3. Subsequent connections from that client succeed.

The exact folder paths and the server's own certificate file path are reported by bootstrap.getServerInfo(handle.server).certificates. They include:

  • rejectedFolder — incoming unknown client certificates land here.
  • trustedFolder — move trusted client certificates here.
  • privateKey / publicKey — the server's own certificate pair (auto-generated on first boot).
  • userTrustedFolder / userRejectedFolder — same scheme for X.509-based user authentication, kept in a separate userPki directory.

The palette also installs the OPC UA push-certificate-management service on every server, so admin clients can rotate the certificate over the wire without restarting Node-RED.

Server certificate

On first boot the palette generates a self-signed server certificate into the shared store if none exists. That is fine for development; provision a CA-issued certificate for production by replacing the file at the certificates.publicKey / certificates.privateKey paths reported by getServerInfo (and re-deploying).

Notes

  • Certificates are required for Sign and SignAndEncrypt. None works without them.
  • Username/password authentication over MessageSecurityMode.None sends credentials in cleartext — combine with at least Sign.
  • Leaving SecurityPolicy.None out of securityPolicies is the strict, secure choice, but it breaks browsers and naive clients that first probe the server with no security.

Next step

Continue with a structured namespace layout.

Further reading

For more tips and examples, see the Sterfive book node-opcua by example.