How should I install a certificate created by the OPC UA Client? (OPC Foundation Forum: OPC Certification and Interoperability Testing)

Post 1: Michael Meirovitz (Member, Forum Posts: 9, Member Since: 02/24/2014), 12/02/2020 - 01:10

Hi,

Our OPC client creates a certificate file. How should I install a certificate created by the OPC UA Client?

When I try to connect to the PROSYS UA simulation server I am getting this error (in red):

01/12/2020 19:05:02.424 SECURE CHANNEL CREATED [.NetStandard ClientChannel UA-TCP 5.6.1] [ID=23] Connected To: opc.tcp://dell-i7mike:53530/OPCUA/SimulationServer [None/None/Binary]
01/12/2020 19:05:02.495 SECURE CHANNEL CREATED [.NetStandard ClientChannel UA-TCP 5.6.1] [ID=24] Connected To: opc.tcp://dell-i7mike:53530/OPCUA/SimulationServer [SignAndEncrypt/Basic256/Binary] Client Certificate: [CN=OPCDA.NET.UA, DC=DELL-I7MIKE] [A5EEDDE50B2A12F36B28319CC034117B9E4AA793] Server Certificate: [DC=Dell-i7mike, O=Prosys OPC, CN=SimulationServer@Dell-i7mike] [71B2B9BBB2B8502371C19884E4437C5EC9CA17C0]
01/12/2020 19:05:02.503 Could not create a Session with the UA Server. BadCertificateUriInvalid BadCertificateUriInvalid 'BadCertificateUriInvalid'

Thank you.

Michael

Post 2: Randy Armstrong (Admin, Forum Posts: 1451, Member Since: 05/30/2017), 12/02/2020 - 08:58

BadCertificateUriInvalid means a server configuration issue.

There is a requirement that the information provided by the Server in its EndpointDescriptions must match the URI in the SubjectAltName of the Certificate.

Similarly, the Client must provide a URI that matches the SubjectAltName of its Certificate when it calls CreateSession.

Post 3: Michael Meirovitz (Member, Forum Posts: 9, Member Since: 02/24/2014), 12/03/2020 - 02:50

Hi Randy,

Thank you for your answer. The SubjectAltName in the certificate is:

"URL=urn:localhost:Advosol Inc.:OPCDA.NET.UA, DNS Name=DELL-I7MIKE"

The application URI in the client config file is: "urn:localhost:Advosol Inc.:OPCDA.NET.UA"

The application name in the client config file is: "OPCDA.NET.UA"

Do you see any problem?

Thank you.

Michael

Post 4: Randy Armstrong (Admin, Forum Posts: 1451, Member Since: 05/30/2017), 12/03/2020 - 06:45

localhost is an invalid URI and needs to be changed to the actual hostname.

The SDK should be doing this automatically; however, if it is doing it for the client config without changing the certificate, then that would explain the error. At minimum the client should be logging the mismatch at load. If it does not, you need to report a bug to the software developer.
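The check described in these two replies, as an added example that is not code from the thread or from any OPC UA SDK: a self-signed application instance certificate is built with the `cryptography` package carrying the ApplicationUri and DNS name in its SubjectAltName, and the CreateSession comparison of the configured ApplicationUri against that URI is run, including the case where the config has been rewritten from `urn:localhost:...` to the real hostname while the certificate still carries the old URI. The function names and the exact-string-match rule are this example's assumptions.

```python
# Added example, not the thread's or any SDK's code; exact string match is assumed.
from datetime import datetime, timedelta, timezone
from cryptography import x509
from cryptography.x509.oid import NameOID
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import rsa


def make_app_cert(app_name, app_uri, hostname):
    """Self-signed application instance certificate shaped like the posted one:
    Subject CN=<app name>, DC=<hostname>; SubjectAltName = URI + DNS name."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    subject = x509.Name([
        x509.NameAttribute(NameOID.COMMON_NAME, app_name),
        x509.NameAttribute(NameOID.DOMAIN_COMPONENT, hostname),
    ])
    now = datetime.now(timezone.utc)
    return (
        x509.CertificateBuilder()
        .subject_name(subject)
        .issuer_name(subject)
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now)
        .not_valid_after(now + timedelta(days=365))
        .add_extension(x509.SubjectAlternativeName([
            x509.UniformResourceIdentifier(app_uri),  # the ApplicationUri
            x509.DNSName(hostname),
        ]), critical=False)
        .sign(key, hashes.SHA256())
    )


def cert_application_uri(cert):
    """URI entry of the SubjectAltName (the first, if several); None if absent."""
    try:
        san = cert.extensions.get_extension_for_class(x509.SubjectAlternativeName).value
    except x509.ExtensionNotFound:
        return None
    uris = san.get_values_for_type(x509.UniformResourceIdentifier)
    return uris[0] if uris else None


def resolve_localhost(app_uri, hostname):
    """The rewrite an SDK may apply to the config at load: urn:localhost:... -> urn:<host>:..."""
    prefix = "urn:localhost:"
    return f"urn:{hostname}:{app_uri[len(prefix):]}" if app_uri.startswith(prefix) else app_uri


def check_application_uri(cert, configured_uri):
    """Server-side CreateSession check: configured ApplicationUri must equal the cert's URI."""
    return "Good" if cert_application_uri(cert) == configured_uri else "BadCertificateUriInvalid"
```

Regenerating the certificate after the URI has been resolved to the real hostname is what brings the two values back into agreement; rewriting only the config reproduces the error in the thread.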

Post 5: Michael Meirovitz (Member, Forum Posts: 9, Member Since: 02/24/2014), 12/04/2020 - 00:38

Hi Randy,

Thank you. This was the issue. Another question. Now the OPC UA client displays an error:

04/12/2020 09:38:28.991 SECURE CHANNEL CREATED [.NetStandard ClientChannel UA-TCP 5.6.1] [ID=4] Connected To: opc.tcp://dev2017:53530/OPCUA/SimulationServer [None/None/Binary]
04/12/2020 09:38:29.021 Certificate 'DC=DEV2017, O=Prosys OPC, CN=SimulationServer@DEV2017' rejected. Reason=BadCertificateUntrusted

DEV2017 is the OPC server computer. How should the client install the server's certificate on the client computer?


Thank you!

Michael

Post 6: Randy Armstrong (Admin, Forum Posts: 1451, Member Since: 05/30/2017), 12/04/2020 - 09:06

The Server documentation needs to provide instructions on updating its trustlist.

In most cases, it will be a directory on disk where the client certificate needs to be stored.

In other cases, a server specific configuration application will need to be used.

In the long term, this problem will be solved by a GDS which can remotely update servers.
