Details on UACTT test about certificate verification|OPC Certification and Interoperability Testing|Forum|OPC Foundation

Details on UACTT test about certificate verification
Pierre-Antoine BRAMERET (Member), 09/27/2019 - 08:56

Hi,

 

The test 044.js from the Security Certificate Validation test cases in UACTT version 1.3.341.389 is described as follows: “Connect using an (trusted) issued certificate of a CA that is not trusted but available.”. The expected result is a correctly established session.

I don’t exactly understand what this test expects: what is a “CA that is not trusted but available”?

I did not find in the OPC UA specification anything about Certificate Authorities and their management. Are there requirements other than tests about this topic? How is the “CA that is not trusted but available” made available?

 

Many thanks,

Best regards,

Alexander Allmendinger (Moderator, Germany), 09/28/2019 - 07:29

Hi,

all the test cases in the Security Certificate Validation conformance unit are based on the Certificate Validation Steps table in section 6.1.3 Determining if a Certificate is Trusted. This test case in particular is also based on the following text snippet from this section:

Building a trust chain requires access to all Certificates in the chain. These Certificates may be stored locally or they may be provided with the application Certificate. Processing fails with Bad_SecurityChecksFailed if a CA Certificate cannot be found.

Let's recap what the idea is behind this and assume we do have the following CA structure:
Company wide root: rootCA
Facility wide which are issued by the company wide (rootCA): secondaryCA
application instance cert which are issued by the facility wide (secondaryCA): issuedCert.

Our goal is to accept all certificates from applications which do belong in our facility. That means every certificate issued by the secondaryCA needs to be trusted, but we do not want to trust certificates from any facility belonging to our company.

As the specification requires an OPC UA server to always check the whole certificate chain, the certificates from all CA levels are required to be available to the server. When there is only one trusted folder that would mean that the rootCA needs to be placed in the trusted folder. Now that has the bad effect that all certificates that have been issued by the rootCA are automatically trusted. But in our scenario we do have a company wide rootCA and a secondaryCA which is only valid in a specific facility. So we actually would only like to trust all certificates issued by the secondaryCA.

So that would require us to only copy the secondaryCA certificate in our trust list. But as the specification snippet provided above is requiring the server to validate all certificates in the chain, it wouldn’t be able to validate the rootCA as it is not available to the server any more. After all this means that there needs to be a different location where those CA certificates which are required to validate the chain are being placed which is not in the trust list. In many servers this folder is being called “issuers”.

I hope this helps,
Alexander Allmendinger
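
The trusted/issuers split described in the answer above, as an added example that is not part of the original posts or of any OPC UA stack. It models only the trust decision: certificates are reduced to subject/issuer pairs, and the `validate` function, the `provided` parameter, the sibling facility CA and the `Bad_CertificateUntrusted` result (a real OPC UA status code that the posts do not quote) are assumptions of this sketch.

```python
# Model of the trust decision only: certificates are (subject, issuer) pairs;
# signature, validity-period and revocation checks are deliberately omitted.
from collections import namedtuple

Cert = namedtuple("Cert", "subject issuer")

# Constructed sample hierarchy, using the names from the post above.
ROOT = Cert("rootCA", "rootCA")                # self-signed company-wide root
SECONDARY = Cert("secondaryCA", "rootCA")      # CA of our facility
OTHER_CA = Cert("otherFacilityCA", "rootCA")   # hypothetical sibling facility CA
ISSUED = Cert("issuedCert", "secondaryCA")     # application instance certificate
FOREIGN = Cert("foreignCert", "otherFacilityCA")


def validate(cert, trusted, issuers, provided=()):
    """Return a status name for cert given the trusted and issuers stores.

    provided holds CA certificates sent along with the application certificate.
    """
    known = {c.subject: c for c in (*trusted, *issuers, *provided)}
    chain = [cert]
    while chain[-1].subject != chain[-1].issuer:   # stop at a self-signed root
        parent = known.get(chain[-1].issuer)
        if parent is None or parent in chain:      # CA not found (or a loop)
            return "Bad_SecurityChecksFailed"
        chain.append(parent)
    # Only the trusted store grants trust; issuers/provided only complete the chain.
    if any(c in trusted for c in chain):
        return "Good"
    return "Bad_CertificateUntrusted"   # status code not quoted on this page


def scenarios():
    return {
        # Single trusted folder holding rootCA: another facility is accepted too.
        "root_in_trusted": validate(FOREIGN, [ROOT], [], provided=[OTHER_CA]),
        # Only secondaryCA trusted, rootCA nowhere: the chain cannot be built.
        "no_issuers_store": validate(ISSUED, [SECONDARY], []),
        # secondaryCA trusted, rootCA available in issuers: accepted.
        "with_issuers_store": validate(ISSUED, [SECONDARY], [ROOT]),
        # Same stores, certificate from the other facility: chain builds, no trust.
        "foreign_rejected": validate(FOREIGN, [SECONDARY], [ROOT], [OTHER_CA]),
        # Test 044 as described: issued certificate trusted, its CAs only available.
        "test_044": validate(ISSUED, [ISSUED], [SECONDARY, ROOT]),
    }


if __name__ == "__main__":
    for name, status in scenarios().items():
        print(f"{name:20} {status}")
```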

Pierre-Antoine BRAMERET (Member), 10/17/2019 - 10:01

Hi,

Thanks for your reply, and sorry for my late response. This helped a lot.

Thanks,
Regards,

Vinod Pydi (Member), 07/27/2022 - 05:14

Hi,

How did you solve this issue (044 test case)? Can you please help me? Even I am facing the same issue. Appreciate your quick response.

Paul Hunkar (Moderator, Cleveland, Ohio, USA), 09/17/2022 - 08:46

Alex’s answer covers your question? The topic is described in the following online specification sections:

Part 4: https://reference.opcfoundatio…..rt4/6.1.3/

Part 6: https://reference.opcfoundatio…..Part6/E.3/

Part 12: https://reference.opcfoundatio…../docs/F.1/

but in general you have trusted application instance certificates, trusted Certificate Authorities (CA) and issuer CAs. The test case in question deals with the Issuer CA.

Paul Hunkar - DSInteroperability
