08/10/2022
Hello Everyone,
Situation: I would like to use CA signed certificate in my application, rather than application self-signed certificate.
My approach: With the help of Certificate Generator, I created a self-signed CA certificate (using self-signed for testing purpose). Below command was used,
Opc.Ua.CertificateGenerator -cmd issue -sp “CA_STORAGE_PATH” -sn CN=XY/O=YZ -ca true
Then I created server(/client) certificate with following command,
Opc.Ua.CertificateGenerator -cmd issue -sp “SERVER_STORAGE_PATH” -au APPLICATION_URI -sn “CN=SERVER_DEFINED_SUBJECT_NAME/O=YZ” -ikf “CA_PRIVATE_PATH_FILE”
I have installed CA’s public key on the computer. Also, I placed public and private keys of the server at the own directory and public key of the server at trusted directory on the computer.
Problem: When I am starting my server, it is recognizing the certificate. But it is throwing an error as “The certificate with subject “CN=SERVER_DEFINED_SUBJECT_NAME/O=YZ” in the configuration is invalid.”
Am I missing anything in configuration while generating the certificate? There one strange thing in public server certificate. In properties of the certificate, in basic constraints subject type is CA. However, in self-signed this subject type is End Entity. But there no way to set this property in the certificate.
Any lead is highly appreciated. Thanks in advance!
Regards!
05/30/2017
If you issue a certificate with a CA the the CA certificate needs to be in the issuer or trust list for the application.
See the following for the directories:
<!-- Where the issuer certificate are stored (certificate authorities) --> <TrustedIssuerCertificates> <StoreType>Directory</StoreType> <StorePath>%CommonApplicationData%\OPC Foundation\pki\issuer</StorePath> </TrustedIssuerCertificates> <!-- Where the trust list is stored --> <TrustedPeerCertificates> <StoreType>Directory</StoreType> <StorePath>%CommonApplicationData%\OPC Foundation\pki\trusted</StorePath> </TrustedPeerCertificates>
1 Guest(s)