Certificate folders|OPC UA Implementation: Stacks, Tools, and Samples|Forum|OPC Foundation
Certificate folders
#1 Peter Franklin (Member), 06/04/2021 - 16:11

We are developing an OPC UA server based on the .NET Standard sample server, and I have some questions about the certificate folders that are specified in the configuration file. I’m having some trouble understanding what each is intended for and when they are required to be used.

What is the difference between these folder sets:

trusted/issuer

trustedUser/issuerUser

trustedHttps/issuerHttps

From reading the documentation it isn’t really clear to me when you’d use each of these folders. Are the “User” folders only intended for UserAuthentication, whereas the “Https” folders are only intended for transport encryption?

Then what about the base “trusted” and “issuer”? How do they differ from the others?

#2 Randy Armstrong (Admin), 06/05/2021 - 13:12

See: https://reference.opcfoundatio…../docs/F.1/

The validation of certificates follows the chain and looks in both the trusted and issuers folders for CAs in the chain.

If the certificate is valid, the app then checks for trust by verifying that at least one certificate in the chain is in the trusted folder.

The dual folder approach allows admins to have complete control over who has access to a UA application.

#3 Peter Franklin (Member), 06/07/2021 - 15:32

Randy, thank you for your reply. That does help me understand the distinction between “trusted” and “issuer”. I had more questions related to certificate folders, authentication and encryption.

1) What about the “*User” and “*Https” folders? When do those get used? The link to the spec you provided does not refer to these folders, and I haven’t been able to figure out what they are used for.

2) How is Https transport encryption set up? What needs to be configured in the config file on the server, where do https certificates get stored, and what needs to be provided on the client side, if anything?

3) For User Authentication, is the “trustedUser” folder supposed to work? I find that establishing a session with a UserIdentity containing a certificate only works if the certificate is in the server’s “trusted” folder, but doesn’t work when in the “trustedUser” folder.

Thanks again for taking the time to respond.

#4 Randy Armstrong (Admin), 06/07/2021 - 16:30

1) The “trusted” and “issuer” folders in the appendix are collectively called a “TrustList” (whenever you see that term in the spec remember it means multiple lists that are used to validate and determine trust). A server can have multiple TrustLists for different purposes. For example, a server with two NICs could have one TrustList for each NIC. The HTTPS TrustList is used for TLS. The User TrustList is used to validate Certificates provided as UserIdentityTokens.

2) Configuring HTTPS depends on your OS and development environment. In .NET you can add a ServicePoint handler to manually determine trust for certificates that are not trusted by the OS. Of course, this means you may have a big trust hole because the OS could accept some certificates automatically, which is why OPC UA does not rely on TLS for security.

3) The logic for authenticating user tokens depends on the server implementation. With the .NET Server there is an example here: https://github.com/OPCFoundati…..entication
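The two-step check described in posts #2 and #4 (follow the chain through both folders, then require at least one chain member to sit in the trusted folder), as an added example that is not the OPC Foundation stack's own code: Cert and TrustList are hypothetical stand-ins, the thumbprints and names are constructed, and a second TrustList instance stands for the separate trustedUser/issuerUser folders.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Cert:
    """Hypothetical stand-in for an X.509 certificate: only the fields the walk needs."""
    thumbprint: str   # stands in for the thumbprint a store entry is keyed by
    subject: str
    issuer: str       # equal to subject for a self-signed certificate

@dataclass
class TrustList:
    """One 'TrustList' in the spec's sense: a trusted folder plus an issuer folder."""
    trusted: dict = field(default_factory=dict)   # thumbprint -> Cert ('trusted' folder)
    issuers: dict = field(default_factory=dict)   # thumbprint -> Cert ('issuer' folder)

    def find_issuer(self, cert):
        """Step 1 looks in BOTH folders for the CA whose subject issued cert."""
        for store in (self.trusted, self.issuers):
            for candidate in store.values():
                if candidate.subject == cert.issuer:
                    return candidate
        return None

    def build_chain(self, leaf):
        """Follow issuer links up to a self-signed root; None means the chain has a gap."""
        chain, current = [leaf], leaf
        while current.issuer != current.subject:
            parent = self.find_issuer(current)
            if parent is None or parent in chain:
                return None           # CA missing from both folders (or a loop): invalid
            chain.append(parent)
            current = parent
        return chain

    def is_trusted(self, leaf):
        """Step 2: a valid chain is trusted only if at least one member is in 'trusted'."""
        chain = self.build_chain(leaf)
        return chain is not None and any(c.thumbprint in self.trusted for c in chain)

# Constructed sample PKI: root CA -> issuing CA -> server certificate, plus a self-signed client.
ROOT = Cert("tp-root", "CN=Root CA", "CN=Root CA")
INTER = Cert("tp-int", "CN=Issuing CA", "CN=Root CA")
APP = Cert("tp-app", "CN=MyServer", "CN=Issuing CA")
SELF = Cert("tp-self", "CN=SelfSignedClient", "CN=SelfSignedClient")

# Application TrustList: root in 'trusted', intermediate only in 'issuer' -> APP is trusted.
app_list = TrustList(trusted={ROOT.thumbprint: ROOT}, issuers={INTER.thumbprint: INTER})
# User TrustList (trustedUser/issuerUser): both CAs only in issuerUser -> the chain validates,
# but APP is NOT trusted as a user certificate, because nothing in its chain is in 'trusted'.
user_list = TrustList(issuers={ROOT.thumbprint: ROOT, INTER.thumbprint: INTER})
```

Putting a CA only in the issuer folder lets chains be completed without granting trust, which is the distinction the thread turns on.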

#5 Peter Franklin (Member), 06/08/2021 - 09:52

Randy, thanks again for replying. There is still an open question though about the folders that have “https” and “user” in their names, the ones that are referred to in the github readme on certificates: https://github.com/OPCFoundati…..ficates.md

To be totally clear, I’m not asking about the “Issuer” concept. I’m asking about the “User” and “Https” stores. They don’t seem to do anything.

Here is the text from that readme:

  • The Issuer User store /issuerUser which contains user certificates which are used to validate user certificates.
  • The Trusted User store /trustedUser which contains user certificates which are trusted by an application. To establish trust, the same rules apply as explained for the Trusted and the Issuer store.
  • The Issuer Https store /issuerHttps which contains https certificates which are used to validate https connection certificates.
  • The Trusted Https store /trustedHttps which contains https certificates which are trusted by an application. To establish trust, the same rules apply as explained for the Trusted and the Issuer store.

#6 Randy Armstrong (Admin), 06/09/2021 - 00:21

The logic for authenticating user tokens depends on the server implementation. With the .NET Server there is an example here: https://github.com/OPCFoundati…..entication

The user TrustList is used to validate user certificates.

The HTTPS TrustList is used to validate HTTPS certificates.

If it is not working then there is either a sample bug or a configuration problem.

#7 Peter Franklin (Member), 06/09/2021 - 11:09

Randy Armstrong said:
“The logic for authenticating user tokens depends on the server implementation. With the .NET Server there is an example here: https://github.com/OPCFoundati…..entication

The user TrustList is used to validate user certificates.”
What I’m seeing is that the sample does not use the “trustedUser” folder, it only uses the “trusted” folder. Which kind of gets to the crux of my question. I’m trying to understand if using the “trusted” folder is intended to be for *any* certificates that are trusted (whether for users or https)?

But if you want to segregate them, the intent is that you can put the certificates for Users and Https in separate folders, if needed?

Looking at the source code for the .NET server library, I can’t find anywhere that the User or Https configuration stores are referenced.

Specifically, these properties in ApplicationConfiguration.cs don’t seem to be referenced anywhere in the UA Core Library solution:

public CertificateTrustList UserIssuerCertificates
public CertificateTrustList TrustedUserCertificates
public CertificateTrustList HttpsIssuerCertificates
public CertificateTrustList TrustedHttpsCertificates

#8 Randy Armstrong (Admin), 06/09/2021 - 20:37

As I said, there may be a bug in the samples or libraries. The behavior I described is intended. 

#9 Peter Franklin (Member), 06/10/2021 - 09:10

Randy Armstrong said:
“If it is not working then there is either a sample bug or a configuration problem.”

Okay, I had interpreted the comment above to be saying the problem was *not* in the libraries, but was in the sample or configuration.


But just to clarify, you’ve stated that the intent is:

“The user TrustList is used to validate user certificates.

The HTTPS TrustList is used to validate HTTPS certificates.”

So I’ll go ahead and report a bug then if that was the intended behavior.


So, that still leaves the open question about “TrustedPeerCertificates” (folder named “trusted” by default). What are the certificates in this store used for? Is the intent that they will be trusted for Users *and* https? Or for some other type of trust?


Thank you again for taking the time to respond, and my apologies for the long continuing barrage of questions on this; I’m just really trying to get a handle on all of the various uses of certificates in the library.
