04/14/2020
We are developing an OPC UA server based on the .NET Standard sample server, and I have some questions about the certificate folders that are specified in the configuration file. I’m having some trouble understanding what each is intended for and when they are required to be used.
What is the difference between these folder sets:
trusted/issuer
trustedUser/issuerUser
trustedHttps/issuerHttps
From reading the documentation it isn’t really clear to me when you’d use each of these folders. Are the “User” folders only intended for UserAuthentication, whereas the “Https” folders are only intended for transport encryption?
Then what about the base “trusted” and “issuer”? How do they differ from the others?
05/30/2017
See: https://reference.opcfoundatio…../docs/F.1/
The validation of certificates follows the chain and looks in both the trusted and issuers folders for CAs in the chain.
If the certificate is valid, the app then checks for trust by verifying that at least one certificate in the chain is in the trusted folder.
The dual folder approach allows admins to have complete control over who has access to a UA application.
04/14/2020
Randy, thank you for your reply. That does help me understand the distinction between “trusted” and “issuer”. I had more questions related to certificate folders, authentication and encryption.
1) What about the “*User” and “*Https” folders? When do those get used? The link to the spec you provided does not refer to these folders, and I haven’t been able to figure out what they are used for.
2) How is Https transport encryption set up? What needs to be configured in the config file on the server, where do https certificates get stored, and what needs to be provided on the client side, if anything?
3) For User Authentication, is the “trustedUser” folder supposed to work? I find that establishing a session with a UserIdentity containing a certificate only works if the certificate is in the server’s “trusted” folder, but doesn’t work when in the “trustedUser” folder.
Thanks again for taking the time to respond.
05/30/2017
1) The “trusted” and “issuer” folders in the appendix are collectively called a “TrustList” (whenever you see that term in the spec remember it means multiple lists that are used to validate and determine trust). A server can have multiple TrustLists for different purposes. For example, a server with two NICs could have one TrustList for each NIC. The HTTPS TrustList is used for TLS. The User TrustList is used to validate Certificates provided as UserIdentityTokens.
2) Configuring HTTPS depends on your OS and development environment. In .NET you can add a ServicePoint handler to manually determine trust for certificates that are not trusted by the OS. Of course, this means you may have a big trust hole because the OS could accept some certificates automatically, which is why OPC UA does not rely on TLS for security.
3) The logic for authenticating user tokens depends on the server implementation. With the .NET Server there is an example here: https://github.com/OPCFoundati…..entication
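To make the two-folder rule from the first reply and the "one TrustList per purpose" point from the second concrete, here is an added Python model; it is not code from the OPC Foundation .NET stack or from this thread. Chain building searches both folders, trust requires at least one chain member in the trusted folder, and the application and user TrustLists are evaluated independently. Certificate records, thumbprints and names are constructed, and signature checking is omitted.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Cert:
    """Constructed stand-in for an X.509 certificate (no signature check here)."""
    thumbprint: str
    subject: str
    issuer: str  # subject of the signing CA; equals subject for a self-signed cert

class TrustList:
    """One 'trusted' folder plus one 'issuer' folder, keyed by thumbprint."""
    def __init__(self, trusted, issuer):
        self.trusted = {c.thumbprint: c for c in trusted}
        self.issuer = {c.thumbprint: c for c in issuer}

    def _find_issuer(self, cert):
        # Chain building searches BOTH folders for the signing CA.
        for store in (self.trusted, self.issuer):
            for cand in store.values():
                if cand.subject == cert.issuer:
                    return cand
        return None

    def build_chain(self, leaf):
        """Walk up to a self-signed root; None if a CA in the chain is missing."""
        chain = [leaf]
        while chain[-1].subject != chain[-1].issuer:
            nxt = self._find_issuer(chain[-1])
            if nxt is None or len(chain) > 8:  # missing CA or runaway chain
                return None
            chain.append(nxt)
        return chain

    def validate(self, leaf):
        """(valid, trusted): trusted needs at least one chain cert in 'trusted'."""
        chain = self.build_chain(leaf)
        if chain is None:
            return (False, False)
        return (True, any(c.thumbprint in self.trusted for c in chain))

# Constructed PKI: corporate root -> issuing CA -> server and user leaf certs.
ROOT_CA = Cert("aa11", "CN=Corp Root CA", "CN=Corp Root CA")
SUB_CA = Cert("bb22", "CN=Corp Issuing CA", "CN=Corp Root CA")
SERVER = Cert("cc33", "CN=MyUaServer", "CN=Corp Issuing CA")
OPERATOR = Cert("dd44", "CN=operator", "CN=Corp Issuing CA")
SELF_SIGNED = Cert("ee55", "CN=SomeClient", "CN=SomeClient")
STRANGER = Cert("ff66", "CN=stranger", "CN=Unknown Root")
# Separate TrustLists: trusted/issuer for applications, trustedUser/issuerUser for users.
APP_LIST = TrustList(trusted=[SUB_CA], issuer=[ROOT_CA])
USER_LIST = TrustList(trusted=[OPERATOR], issuer=[SUB_CA, ROOT_CA])
```

Note that the server certificate chains successfully against the user list but is not trusted there, while the self-signed client is valid but untrusted until its own certificate is placed in the trusted folder.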
04/14/2020
Randy, thanks again for replying. There is still an open question though about the folders that have “https” and “user” in their names, the ones that are referred to in the github readme on certificates: https://github.com/OPCFoundati…..ficates.md
To be totally clear, I’m not asking about the “Issuer” concept. I’m asking about the “User” and “Https” stores. They don’t seem to do anything.
Here is the text from that readme:
- The Issuer User store /issuerUser which contains user certificates which are used to validate user certificates.
- The Trusted User store /trustedUser which contains user certificates which are trusted by an application. To establish trust, the same rules apply as explained for the Trusted and the Issuer store.
- The Issuer Https store /issuerHttps which contains https certificates which are used to validate https connection certificates.
- The Trusted Https store /trustedHttps which contains https certificates which are trusted by an application. To establish trust, the same rules apply as explained for the Trusted and the Issuer store.
05/30/2017
The logic for authenticating user tokens depends on the server implementation. With the .NET Server there is an example here: https://github.com/OPCFoundati…..entication
The user TrustList is used to validate user certificates.
The HTTPS TrustList is used to validate HTTPS certificates.
If it is not working then there is either a sample bug or a configuration problem.
04/14/2020
Randy Armstrong said
The logic for authenticating user tokens depends on the server implementation. With the .NET Server there is an example here: https://github.com/OPCFoundati…..entication
The user TrustList is used to validate user certificates.
What I’m seeing is that sample does not use the “trustedUser” folder, it only uses the “trusted” folder. Which kind of gets to the crux of my question. I’m trying to understand if using the “trusted” folder is intended to be for *any* certificates that are trusted (whether for users or https)?
But if you want to segregate them, the intent is that you can put the certificates for Users and Https in separate folders, if needed?
Looking at the source code for the .NET server library, I can’t find anywhere that the User or Https configuration stores are referenced.
Specifically, these properties in ApplicationConfiguration.cs don’t seem to be referenced anywhere in the UA Core Library solution:
public CertificateTrustList UserIssuerCertificates
public CertificateTrustList TrustedUserCertificates
public CertificateTrustList HttpsIssuerCertificates
public CertificateTrustList TrustedHttpsCertificates
04/14/2020
Randy Armstrong said
If it is not working then there is either a sample bug or a configuration problem.
Okay, I had interpreted the comment above to be saying the problem was *not* in the libraries, but was in the sample or configuration.
But just to clarify, you’ve stated that the intent is:
“The user TrustList is used to validate user certificates.
The HTTPS TrustList is used to validate HTTPS certificates.”
So I’ll go ahead and report a bug then if that was the intended behavior.
So, that still leaves the open question about “TrustedPeerCertificates” (folder named “trusted” by default). What are the certificates in this store used for? Is the intent that they will be trusted for Users *and* https? Or for some other type of trust?
Thank you again for taking the time to respond, and my apologies for the long continuing barrage of questions on this; I’m just really trying to get a handle on all of the various uses of certificates in the library.