Error: Certificate with subject="XYZ" in the configuration is invalid.|OPC UA Implementation: Stacks, Tools, and Samples|Forum|OPC Foundation

Avatar
Search
Forum Scope


Match



Forum Options



Minimum search word length is 3 characters - maximum search word length is 84 characters
Lost password?
sp_Feed sp_PrintTopic sp_TopicIcon
Error: Certificate with subject="XYZ" in the configuration is invalid.
Avatar
Loko Vik
Member
Members
Forum Posts: 15
Member Since:
08/10/2022
sp_UserOfflineSmall Offline
1
04/20/2023 - 08:31
sp_Permalink sp_Print sp_EditHistory

Hello Everyone,

 

Situation: I would like to use CA signed certificate in my application, rather than application self-signed certificate.

 

My approach: With the help of Certificate Generator, I created a self-signed CA certificate (using self-signed for testing purpose). Below command was used,

Opc.Ua.CertificateGenerator -cmd issue -sp “CA_STORAGE_PATH” -sn CN=XY/O=YZ -ca true 

Then I created server(/client) certificate with following command,

Opc.Ua.CertificateGenerator -cmd issue -sp “SERVER_STORAGE_PATH” -au APPLICATION_URI -sn “CN=SERVER_DEFINED_SUBJECT_NAME/O=YZ” -ikf “CA_PRIVATE_PATH_FILE”

 

I have installed CA’s public key on the computer. Also, I placed public and private keys of the server at the own directory and public key of the server at trusted directory on the computer.

 

Problem: When I am starting my server, it is recognizing the certificate. But it is throwing an error as “The certificate with subject “CN=SERVER_DEFINED_SUBJECT_NAME/O=YZ” in the configuration is invalid.”

 

Am I missing anything in configuration while generating the certificate? There one strange thing in public server certificate. In properties of the certificate, in basic constraints subject type is CA. However, in self-signed this subject type is End Entity. But there no way to set this property in the certificate.

Any lead is highly appreciated. Thanks in advance!

Regards!

Avatar
Randy Armstrong
Admin
Forum Posts: 1579
Member Since:
05/30/2017
sp_UserOfflineSmall Offline
2
04/22/2023 - 19:52
sp_Permalink sp_Print

If you issue a certificate with a CA the the CA certificate needs to be in the issuer or trust list for the application.

See the following for the directories:

    <!-- Where the issuer certificate are stored (certificate authorities) -->
    <TrustedIssuerCertificates>
      <StoreType>Directory</StoreType>
      <StorePath>%CommonApplicationData%\OPC Foundation\pki\issuer</StorePath>
    </TrustedIssuerCertificates>

    <!-- Where the trust list is stored -->
    <TrustedPeerCertificates>
      <StoreType>Directory</StoreType>
      <StorePath>%CommonApplicationData%\OPC Foundation\pki\trusted</StorePath>
    </TrustedPeerCertificates>
Forum Timezone: America/Phoenix
Most Users Ever Online: 510
Currently Online:
Guest(s) 32
Currently Browsing this Page:
1 Guest(s)
Top Posters:
Forum Stats:
Groups: 2
Forums: 10
Topics: 1446
Posts: 4890