Log In
Home
08/13/2019
Offline
Hi,
The test 044.js from the Security Certificate Validation test cases in UACTT version 1.3.341.389 is described as follows: "Connect using an (trusted) issued certificate of a CA that is not trusted but available.". The expected result is a correctly established session.
I don't exactly understands what this test expects: what is a "CA that is not trusted but available" ?
I did not find in the OPC UA specification anything about Certificate Authorities and their management. Are their requirements other than tests about this topic? How is made available the "CA that is not trusted but available" ?
Many thanks,
Best regards,
Moderators
Moderators-Specifications
Moderators-Companion
Moderators-Implementation
Moderators-Certification
Moderators-ProductsServices
07/11/2017
Offline
Hi,
all the test cases in the Security Certificate Validation conformance unit are based on the Certificate Validation Steps table in section 6.1.3 Determining if a Certificate is Trusted. This test case in particular is also based on the following text snipped from this section:
Building a trust chain requires access to all Certificates in the chain. These Certificates may be stored locally or they may be provided with the application Certificate. Processing fails with Bad_SecurityChecksFailed if a CA Certificate cannot be found.
Lets recap what the idea is behind this and assume we do have the following CA structure:
Company wide root: rootCA
Facility wide which are issued by the company wide (rootCA): secondaryCA
application instance cert which are issued by the facility wide (secondaryCA): issuedCert.
Our goal is to accept all certificates from applications which do belong in our facility. That means every certificate issued by the secondaryCA needs to be trusted, but we do not want to trust certificates from any facility belonging to our company.
As the specification requires an OPC UA server to always check the whole certificate chain, the certificates from all CA levels are required to be available to the server. When there is only one trusted folder that would mean that the rootCA needs to be placed in the trusted folder. Now that has the bad effect, that all certificates that have been issued by the rootCA are automatically trusted. But in our scenario we do have a company wide rootCA and a secondaryCA which is only valid in a specific facility. So we actually would only like to trust all certificates issued by the secondaryCA. So that would require us to only copy the secondaryCA certificate in our trust list. But as the specification snipped provided above is requiring the server to validate all certificates in the chain, it wouldn't be able to validate the rootCA as it is not available to the server any more. After all this means that there needs to be a different location where those CA certificates which are required to validate the chain are being placed which is not in the trust list. In many servers this folder is being called "issuers".
I hope this helps,
Alexander Allmendinger
08/13/2019
Offline
Hi,
Thanks for your replay, and sorry for my late response. This helped a lot.
Thanks,
Regards,
12/15/2020
Offline
brameret@systerel.fr said
Hi,
The test 044.js from the Security Certificate Validation test cases in UACTT version 1.3.341.389 is described as follows: "Connect using an (trusted) issued certificate of a CA that is not trusted but available.". The expected result is a correctly established session.
I don't exactly understands what this test expects: what is a "CA that is not trusted but available" ?
I did not find in the OPC UA specification anything about Certificate Authorities and their management. Are their requirements other than tests about this topic? How is made available the "CA that is not trusted but available" ?
Many thanks,
Best regards,
Hi,
How did you solve this issue (044 test case), Can you please help me , even i am facing the same issue. Appreciate your quick response.
Moderators-Specifications
Moderators-Companion
Moderators-Implementation
Moderators-Certification
Moderators-COM
02/24/2014
Offline
Alex's answer covers your question? - the topic is describe in the following on-line specification sections:
Part 4: https://reference.opcfoundatio.....rt4/6.1.3/
Part 6: https://reference.opcfoundatio.....Part6/E.3/
Part 12: https://reference.opcfoundatio...../docs/F.1/
but in general you have trusted applications instance certificate, trusted Certificate Authorities (CA) and issuer CA. The test case in question deals with Issuer CA.
Paul Hunkar - DSInteroperability
1 Guest(s)
Usage Policy