Our OPC client creates a certificate file. How should I install a certificate created by the OPC UA client?
When I try to connect to the PROSYS UA simulation server I am getting this error (in Red color):
01/12/2020 19:05:02.424 SECURE CHANNEL CREATED [.NetStandard ClientChannel UA-TCP 5.6.1] [ID=23] Connected To: opc.tcp://dell-i7mike:53530/OPCUA/SimulationServer [None/None/Binary]
01/12/2020 19:05:02.495 SECURE CHANNEL CREATED [.NetStandard ClientChannel UA-TCP 5.6.1] [ID=24] Connected To: opc.tcp://dell-i7mike:53530/OPCUA/SimulationServer [SignAndEncrypt/Basic256/Binary] Client Certificate: [CN=OPCDA.NET.UA, DC=DELL-I7MIKE] [A5EEDDE50B2A12F36B28319CC034117B9E4AA793] Server Certificate: [DC=Dell-i7mike, O=Prosys OPC, CN=SimulationServer@Dell-i7mike] [71B2B9BBB2B8502371C19884E4437C5EC9CA17C0]
01/12/2020 19:05:02.503 Could not create a Session with the UA Server. BadCertificateUriInvalid BadCertificateUriInvalid 'BadCertificateUriInvalid'
BadCertificateUriInvalid means a server configuration issue.
There is a requirement that the information provided by the Server in its EndpointDescriptions must match the URI in the SubjectAltName of the Certificate.
Similarly, the Client must provide a URI that matches the SubjectAltName of its Certificate when it calls CreateSession.
Thank you for your answer. The SubjectAltName in the certificate is:
"URL=urn:localhost:Advosol Inc.:OPCDA.NET.UA, DNS Name=DELL-I7MIKE"
The application URI in the client config file is: "urn:localhost:Advosol Inc.:OPCDA.NET.UA"
The application name in the client config file is: "OPCDA.NET.UA"
Do you see any problem?
localhost is an invalid URI and needs to be changed to the actual hostname.
The SDK should be doing this automatically; however, if it is doing it for client config without changing the certificate then that would explain the error. At minimum the client should be logging the mismatch at load. If it does not, you need to report a bug to the software developer.
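The mismatch described in the answer above can be checked before connecting. The following is an added example, not code from the thread or from any SDK: it compares the configured application URI with the SubjectAltName text quoted in the thread. It assumes the SDK replaces the `localhost` placeholder with the host name at load time, as the answer suggests, and uses an exact string comparison; all function names are hypothetical.

```python
import re

# Matches the 'localhost' placeholder as a whole URN segment.
PLACEHOLDER = re.compile(r"(?i)(?<=:)localhost(?=:)")

def parse_san(san_text):
    """Split a SubjectAltName display string such as
    'URL=urn:..., DNS Name=HOST' into URI and DNS entries.
    Assumes no entry value contains a comma."""
    san = {"uri": [], "dns": []}
    for part in san_text.split(","):
        key, sep, value = part.strip().partition("=")
        if not sep:
            continue
        key = key.strip().lower()
        if key in ("url", "uri"):
            san["uri"].append(value.strip())
        elif key in ("dns name", "dns"):
            san["dns"].append(value.strip())
    return san

def effective_uri(configured_uri, hostname):
    """URI the client would present if 'localhost' is swapped for the
    real host name when the configuration is loaded (assumed behaviour)."""
    return PLACEHOLDER.sub(lambda m: hostname, configured_uri, count=1)

def check_application_uri(configured_uri, san_text, hostname):
    """Return a list of findings; an empty list means the URIs agree."""
    san = parse_san(san_text)
    presented = effective_uri(configured_uri, hostname)
    findings = []
    if not san["uri"]:
        findings.append("certificate has no URI in SubjectAltName")
    elif presented not in san["uri"]:
        findings.append(f"presented URI {presented!r} not in certificate SAN {san['uri']}")
    for uri in san["uri"]:
        if PLACEHOLDER.search(uri):
            findings.append(f"certificate URI {uri!r} still contains 'localhost'")
    return findings

# Values quoted in the thread.
CONFIG_URI = "urn:localhost:Advosol Inc.:OPCDA.NET.UA"
SAN_FROM_THREAD = "URL=urn:localhost:Advosol Inc.:OPCDA.NET.UA, DNS Name=DELL-I7MIKE"
HOSTNAME = "DELL-I7MIKE"
# Constructed sample: the SAN a regenerated certificate would carry.
SAN_REGENERATED = "URL=urn:DELL-I7MIKE:Advosol Inc.:OPCDA.NET.UA, DNS Name=DELL-I7MIKE"

if __name__ == "__main__":
    for finding in check_application_uri(CONFIG_URI, SAN_FROM_THREAD, HOSTNAME):
        print("MISMATCH:", finding)
```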
Thank you. This was the issue. Another question. Now the OPC UA client displays an error:
04/12/2020 09:38:28.991 SECURE CHANNEL CREATED [.NetStandard ClientChannel UA-TCP 5.6.1] [ID=4] Connected To: opc.tcp://dev2017:53530/OPCUA/SimulationServer [None/None/Binary]
04/12/2020 09:38:29.021 Certificate 'DC=DEV2017, O=Prosys OPC, CN=SimulationServer@DEV2017' rejected. Reason=BadCertificateUntrusted
DEV2017 is the OPC server computer. How should the client install the server's certificate on the client computer?
The Server documentation needs to provide instructions on updating its trustlist.
In most cases, it will be a directory on disk where the client certificate needs to be stored.
In other cases, a server-specific configuration application will need to be used.
In the long term, this problem will be solved by a GDS which can remotely update servers.