Security Certificate Validation - 002.js test case|OPC Certification and Interoperability Testing|Forum|OPC Foundation

Avatar
Search
Forum Scope


Match



Forum Options



Minimum search word length is 3 characters - maximum search word length is 84 characters
Lost password?
sp_Feed sp_PrintTopic sp_TopicIcon
Security Certificate Validation - 002.js test case
Avatar
Vinod Pydi
Member
Members
Forum Posts: 16
Member Since:
12/15/2020
sp_UserOfflineSmall Offline
1
07/27/2022 - 05:06
sp_Permalink sp_Print

Hi,

I am running CTT for Security Certificate validation - 002.js and 044.js test cases is failing - Giving an error BadSecurityCheckFailed status code

002 -Connect using a client certificate signed by a not trusted but known CA where there is no revocation list available.(

ctt_ca1I_appT

)

044 - Connect using an (trusted) issued certificate of a CA that is not trusted but available.(

ctt_ca1TC_ca2I_appT

)

 

Can you please help us in which folders these certificates will be moved.

I am using the below folder structure and config file:

<!-- Where the application instance certificate is stored (MachineDefault) -->
<ApplicationCertificate>
<StoreType>Directory</StoreType>
<StorePath>%CommonApplicationData%\XXX\XXX\pki\own</StorePath>
<SubjectName>CN=XXX, C=IN, S=KA, O=XXXX, DC=localhost</SubjectName>
</ApplicationCertificate>

<!--Where the trust list is stored (UA Applications)-->
<TrustedPeerCertificates>
<StoreType>Directory</StoreType>
<StorePath>%CommonApplicationData%\XXX\XXX\pki\trusted</StorePath>
</TrustedPeerCertificates>

<!-- Where the issuer certificate are stored (certificate authorities) -->
<TrustedIssuerCertificates>
<StoreType>Directory</StoreType>
<StorePath>%CommonApplicationData%\XXX\XXX\pki\issuers</StorePath>
</TrustedIssuerCertificates>

<!-- The directory used to store invalid certficates for later review by the administrator. -->
<RejectedCertificateStore>
<StoreType>Directory</StoreType>
<StorePath>%CommonApplicationData%\XXX\XXX\pki
ejected</StorePath>
</RejectedCertificateStore>

<!--<AutoAcceptUntrustedCertificates>true</AutoAcceptUntrustedCertificates>-->
<!-- WARNING: SHA1 signed certficates are by default rejected and should be phased out.
The setting below to allow them is only required for UACTT (1.02.336.244) which uses SHA-1 signed certs. -->
<RejectUnknownRevocationStatus>true</RejectUnknownRevocationStatus>
<RejectSHA1SignedCertificates>false</RejectSHA1SignedCertificates>
<MinimumCertificateKeySize>2048</MinimumCertificateKeySize>
<AddAppCertToTrustedStore>true</AddAppCertToTrustedStore>
<SendCertificateChain>true</SendCertificateChain>

 

Regards,

Vinod

Avatar
Alexander Allmendinger
Germany
Moderator
Members

Moderators

Moderators-Specifications

Moderators-Companion

Moderators-Implementation

Moderators-Certification

Moderators-ProductsServices
Forum Posts: 67
Member Since:
07/11/2017
sp_UserOfflineSmall Offline
2
08/06/2022 - 13:25
sp_Permalink sp_Print

Hi Vinod,

as much as I know you sorted it out and you were able to fix the issue. Nevertheless, for all others I wanted to provide the correct set of flags for their reference:

    <RejectSHA1SignedCertificates>true</RejectSHA1SignedCertificates>
    <RejectUnknownRevocationStatus>true</RejectUnknownRevocationStatus>
    <MinimumCertificateKeySize>2048</MinimumCertificateKeySize>
    <AddAppCertToTrustedStore>false</AddAppCertToTrustedStore>
    <SendCertificateChain>false</SendCertificateChain>

With those flags the Console Reference Server from the .NET Library should pass all certificate validation tests.

Regards,
Alexander Allmendinger

Forum Timezone: America/Phoenix
Most Users Ever Online: 510
Currently Online:
Guest(s) 25
Currently Browsing this Page:
1 Guest(s)
Top Posters:
Forum Stats:
Groups: 2
Forums: 10
Topics: 1381
Posts: 4680