Certificate issuer is not trusted|OPC UA Implementation: Stacks, Tools, and Samples|Forum|OPC Foundation

Avatar
Search
Forum Scope


Match



Forum Options



Minimum search word length is 3 characters - maximum search word length is 84 characters
Lost password?
sp_Feed sp_PrintTopic sp_TopicIcon
Certificate issuer is not trusted
Avatar
Sander
New Member
Members
Forum Posts: 2
Member Since:
07/18/2018
sp_UserOfflineSmall Offline
1
07/25/2018 - 02:50
sp_Permalink sp_Print sp_EditHistory

Hello,

I am using the most recent version of UA-.NETStandard from GitHub. I connect to a real PLC which is running a OPC UA Server. I am experiencing some problems with certificates and validation. I always got the message below:

Certificate issuer is not trusted.
SubjectName: O=Siemens, C=DE, CN=PLC-1/OPCUA-1-6
IssuerName: O=Siemens, C=DE, CN=Siemens TIA Project(211MUvNEwEGtCWSwY5877g)’

I have already moved the *.der file to the trusted folders but it’s solving my problem.

I am developing a .NET Core 2.1 application. What strikes me is that it’s working for a .NET 4.6 application. I used both samples within the GitHub repository, the NetCoreConsoleClient gives me a ‘Certificate issuer is not trusted’ while in the .NET 4.6 application I can connect without trouble.

What should I do have to solve this?

Best regards,

Sander

Avatar
Randy Armstrong
Admin
Forum Posts: 1580
Member Since:
05/30/2017
sp_UserOfflineSmall Offline
2
07/25/2018 - 10:23
sp_Permalink sp_Print

The cert is not self-signed (issuer is different from subject).

You need the issuer cert + and the CRL for the issuer in your trusted folder or the issuers folder.

Avatar
Sander
New Member
Members
Forum Posts: 2
Member Since:
07/18/2018
sp_UserOfflineSmall Offline
3
07/25/2018 - 12:03
sp_Permalink sp_Print sp_EditHistory

Hi Randy,

Thanks for your quick reply. This may be a stupid question but how do I get the certificate and the crl file from the Siemens PLC I am using. I only got the *.der file automatically generated in my rejected folder. This file seems to be from the server.

Sander

Avatar
Randy Armstrong
Admin
Forum Posts: 1580
Member Since:
05/30/2017
sp_UserOfflineSmall Offline
4
07/26/2018 - 14:10
sp_Permalink sp_Print

The server may be returning an entire chain but the client side code needs to support extracting it.

You can disable checking for the CRL if you do not have it.

That said, if there is a CA then it must be centrally managed. You need to find out who is managing that CA and get the CA + CRL from them.

If the device has a “private” CA that only exists on that device then you have to get it by parsing the chain returned by the server.

Forum Timezone: America/Phoenix
Most Users Ever Online: 510
Currently Online:
Guest(s) 26
Currently Browsing this Page:
1 Guest(s)
Top Posters:
Forum Stats:
Groups: 2
Forums: 10
Topics: 1446
Posts: 4891