This is regarding test cases from discovery services related to getEndpoints. The test cases ask for server certificate validation; in our client we are not validating the server's certificate. Is it mandatory for certification to validate?
The Unified Automation documentation says "To establish a trust relation between an OPC UA client and server, the self-signed certificates of the communication partner are installed to the trust list. The client certificate is installed to the trust list of the server and the server certificate to the trust list of the client."
In our client we do not have a UI like other clients to trust the certificate. What do you suggest?
| Case | Category | Service | Condition | Expected client behaviour |
|---|---|---|---|---|
| Err-014 | Lab | GetEndpoints | Certificate is valid but not trusted by the client. | Client is able to identify the untrusted certificate. Client may elect to trust the certificate based on its configuration or at the request of the end-user. |
| Err-017 | Lab | GetEndpoints Unavailable | Certificate is valid but does not support required keyUsage (parameter within the serverCertificate). | Client reports that an invalid certificate has been received. Client discards the endpoint record so that it will not be available for use with establishing a session. |
| Err-018 | Lab | GetEndpoints Unavailable | Certificate is valid but does not support required ExtendedKeyUsage (parameter within the serverCertificate). | Client reports that an invalid certificate has been received. Client discards the endpoint record so that it will not be available for use with establishing a session. |
| Err-019 | Lab | GetEndpoints Unavailable | Certificate hostnames list is empty. | Client is able to identify the bad certificate. Client refuses the connection unless overruled by the end-user or based on the configuration. |
| Err-020 | Lab | GetEndpoints Unavailable | Certificate is invalid, the hash does not compute (certificate has been modified). | Client reports that an invalid certificate has been received. Client discards the endpoint record so that it will not be available for use with establishing a session. |
Not validating the server certificate being returned is a security risk and is not allowed for certified products.
There are different options for doing the certificate handling in a product. When the client does not have a UI which can be utilized for certificate management, you can either accomplish it in an intuitive way with a separate certificate management tool, or you describe the PKI folder structure in your documentation and let users of your product do the configuration via Windows Explorer.
In any case certificate validation is required, and only an administrator should be able to override certain checks for a certificate or server.
In our client the user doesn't have the choice to select an endpoint; the user provides the endpoint to connect to. We think that validating server certificates for all endpoints in the discoveryEndpoint response does not make sense for our client; instead we should validate at CreateSessionResponse.
In CreateSessionResponse we can do all mandatory field validation, as we get the certificate for the endpoint which the user has provided.
Kindly suggest if we can make the validate-server-certificate discovery test cases not applicable.
You have to validate the server certificate during the secure channel establishment. This is not optional.
So the validation always happens before sending the CreateSession request.
Most clients choose to validate the certificate after choosing an Endpoint returned from GetEndpoints.
We have handled the CertificateExpired and CertificateNotYetValid scenarios, but we could not validate the trusted/untrusted scenario. Will it be fine for minimal certification if we just log a message saying the certificate is not trusted? As the test case says, at minimum the client should log a message.
If a server is not trusted (determined by the Server application instance certificate needed for the provided endpoint), then a client shall not attempt to make a secure connection to it on that endpoint. It can connect using no security; also, an Administrator can decide to trust the Server (add it to a trust list, even if just temporarily). If a client tries to connect to a Server via an untrusted endpoint, the client provides information about itself to the server, knowing that this information may be used later for an attack against the client. This is poor security behavior for the client.
The client shall validate that the Server owns the private key associated with the connection. It shall log any errors and problems.
Paul Hunkar - DSInteroperability
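Added example, not code from this thread or from any OPC UA SDK: a Python client-side check that maps the GetEndpoints test cases in the table above, plus the expired/not-yet-valid cases, onto the rule given in the answers that only an administrator may overrule a trust decision while a modified, expired or mis-keyed certificate can never be accepted. The `ServerCert` field layout, the required keyUsage bit set and the case names are assumptions; a real client would fill the fields from its X.509 parser.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed stand-in for a parsed server certificate (assumption: a real client fills these from its X.509 parser).
@dataclass
class ServerCert:
    thumbprint: str           # SHA-1 hex of the DER, the key used in an OPC UA trust list
    not_before: datetime
    not_after: datetime
    key_usage: set            # keyUsage bits present, e.g. {"digitalSignature", ...}
    ext_key_usage: set        # extendedKeyUsage purposes by name, e.g. {"serverAuth"}
    hostnames: list           # dNSName / iPAddress entries from subjectAltName
    signature_valid: bool     # parser's result of verifying the signature over the TBS bytes

# keyUsage bits an OPC UA application instance certificate is expected to carry (assumption, not stated on the page)
REQUIRED_KEY_USAGE = {"digitalSignature", "nonRepudiation", "keyEncipherment", "dataEncipherment"}

FATAL = "discard endpoint"          # never usable, whatever the configuration says
OVERRIDABLE = "admin may overrule"  # rejected unless an administrator explicitly accepts this case

def validate_server_certificate(cert, trust_list, admin_overrides=frozenset(), now=None):
    """Return (accept, findings); findings are (case, severity, message) and must all be logged."""
    now = now or datetime.now(timezone.utc)
    findings = []
    if not cert.signature_valid:
        findings.append(("Err-020", FATAL, "certificate modified: signature does not verify"))
    if now < cert.not_before:
        findings.append(("CertificateNotYetValid", FATAL, "certificate not yet valid"))
    if now > cert.not_after:
        findings.append(("CertificateExpired", FATAL, "certificate expired"))
    missing = REQUIRED_KEY_USAGE - cert.key_usage
    if missing:
        findings.append(("Err-017", FATAL, f"keyUsage missing {sorted(missing)}"))
    if "serverAuth" not in cert.ext_key_usage:
        findings.append(("Err-018", FATAL, "extendedKeyUsage lacks serverAuth"))
    if not cert.hostnames:
        findings.append(("Err-019", OVERRIDABLE, "certificate hostnames list is empty"))
    if cert.thumbprint not in trust_list:
        findings.append(("Err-014", OVERRIDABLE, "certificate is valid but not trusted"))
    # Fatal findings can never be overridden; overridable ones only by explicit administrator configuration.
    accept = all(sev != FATAL and case in admin_overrides for case, sev, _ in findings)
    return accept, findings

# Constructed sample: a well-formed, unexpired certificate that is not yet in the client's trust list.
SAMPLE = ServerCert("ab12cd34", datetime(2024, 1, 1, tzinfo=timezone.utc),
                    datetime(2034, 1, 1, tzinfo=timezone.utc),
                    REQUIRED_KEY_USAGE | {"keyCertSign"}, {"serverAuth"},
                    ["opcua-server.example"], True)
```

Logging every entry of `findings` is the minimum the test cases ask for; the `accept` flag is what decides whether the endpoint record is kept.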