How should Install a certificate created by the OPC UA Client? | OPC Certification and Interoperability Testing | Forum

Lost password?

Home Forum OPC Certification and Interoperabil…How should Install a certificate cr…

How should Install a certificate created by the OPC UA Client?

Michael Meirovitz

Member

Members

Forum Posts: 9

Member Since:
02/24/2014

Offline

12/02/2020 - 01:10

Hi,

Our OPC client creates a certificate file. How should Install a certificate created by the OPC UA Client?

When I try to connect to the PROSYS UA simulation server I am getting this error (in Red color):

01/12/2020 19:05:02.424 SECURE CHANNEL CREATED [.NetStandard ClientChannel UA-TCP 5.6.1] [ID=23] Connected To: opc.tcp://dell-i7mike:53530/OPCUA/SimulationServer [None/None/Binary]
01/12/2020 19:05:02.495 SECURE CHANNEL CREATED [.NetStandard ClientChannel UA-TCP 5.6.1] [ID=24] Connected To: opc.tcp://dell-i7mike:53530/OPCUA/SimulationServer [SignAndEncrypt/Basic256/Binary] Client Certificate: [CN=OPCDA.NET.UA, DC=DELL-I7MIKE] [A5EEDDE50B2A12F36B28319CC034117B9E4AA793] Server Certificate: [DC=Dell-i7mike, O=Prosys OPC, CN=SimulationServer@Dell-i7mike] [71B2B9BBB2B8502371C19884E4437C5EC9CA17C0]
01/12/2020 19:05:02.503 Could not create a Session with the UA Server. BadCertificateUriInvalid BadCertificateUriInvalid 'BadCertificateUriInvalid'

Thank you.

Michael

Randy Armstrong

Admin

Forum Posts: 1564

Member Since:
05/30/2017

Offline

12/02/2020 - 08:58

BadCertificateUriInvalid means a server configuration issue.

There is a requirement that the information provided by the Server in its EndpointDescriptions must match the URI in the SubjectAltName of the Certificate.

Similarly, the Client must provide a URI that matches the SubjectAltName of its Certificate when it calls CreateSession.

Michael Meirovitz

Member

Members

Forum Posts: 9

Member Since:
02/24/2014

Offline

12/03/2020 - 02:50

Hi Randy,

Thank you for your answer. The SubjectAltName in the certificate is:

"URL=urn:localhost:Advosol Inc.:OPCDA.NET.UA, DNS Name=DELL-I7MIKE"

The application URI in the client config file is: "urn:localhost:Advosol Inc.:OPCDA.NET.UA"

The application name in the client config file is: "OPCDA.NET.UA"

Do you see any problem?

Thank you.

Michael

Randy Armstrong

Admin

Forum Posts: 1564

Member Since:
05/30/2017

Offline

12/03/2020 - 06:45

localhost is an invalid URI and needs to be changed to the actual hostname.

the SDK should be doing this automatically, however, if it is doing it for client config without changing the certificate then that would explain the error. At minimum the client should be logging the mismatch at load. if it does not you need report a bug to the software developer.

Michael Meirovitz

Member

Members

Forum Posts: 9

Member Since:
02/24/2014

Offline

12/04/2020 - 00:38

Hi Randy,

Thank you. This was the issue. Another question. Now the OPC UA client displays an error:

04/12/2020 09:38:28.991 SECURE CHANNEL CREATED [.NetStandard ClientChannel UA-TCP 5.6.1] [ID=4] Connected To: opc.tcp://dev2017:53530/OPCUA/SimulationServer [None/None/Binary]
04/12/2020 09:38:29.021 Certificate 'DC=DEV2017, O=Prosys OPC, CN=SimulationServer@DEV2017' rejected. Reason=BadCertificateUntrusted

DEV2017 is the OPC server computer. How should the client install the server's certificate on the client computer?

Thank you!

Michael

Randy Armstrong

Admin

Forum Posts: 1564

Member Since:
05/30/2017

Offline

12/04/2020 - 09:06

The Server documentation needs to provide instructions on updating its trustlist.

In most cases, it will be a directory on disk where the client certificate needs to be stored.

In other cases, a server specific configuration application will need to be used.

In the long term, this problem will be solved by a GDS which can remotely update servers.

Forum Timezone: America/Phoenix

Most Users Ever Online: 510

Currently Online:

Guest(s) 24

Currently Browsing this Page:
1 Guest(s)