Application certificate cannot be found|OPC UA Standard|Forum|OPC Foundation

Avatar
Search
Forum Scope


Match



Forum Options



Minimum search word length is 3 characters - maximum search word length is 84 characters
Lost password?
sp_Feed sp_PrintTopic sp_TopicIcon
Application certificate cannot be found
Avatar
Sergio Teijido
Member
Members
Forum Posts: 7
Member Since:
03/26/2024
sp_UserOfflineSmall Offline
1
03/26/2024 - 10:01
sp_Permalink sp_Print

Hello, I am trying to write my first OPC client application. My server is KepserverEX 6 and I am receiving the error of the topic when trying to connect to the server. The certificate is located in folder CertificateStores\App\private inside the project folder and was issued by Kepserver.

I don’t know where I am wrong, this is my code:

var endpointUrl = “opc.tcp://192.168.21.75:49321”;

var endpointDescription = new EndpointDescription
{
   EndpointUrl = endpointUrl
};

var applicationConfiguration = new ApplicationConfiguration
{
   ApplicationName = “OPC_alerts”,
   ApplicationType = ApplicationType.Client,
   SecurityConfiguration = new SecurityConfiguration
   {
       ApplicationCertificate = new CertificateIdentifier
       {
           StoreType = @”Directory”,
           StorePath = @”CertificateStores\App\private”,
           SubjectName = “CN=OPC_alerts”
       }
   }
};

var endpointConfiguration = EndpointConfiguration.Create(applicationConfiguration);
var endpoint = new ConfiguredEndpoint(null, endpointDescription, endpointConfiguration);
var userIdentity = new UserIdentity(“netdot”, “12345”);

var session = await Session.Create(applicationConfiguration, endpoint, false, “OPC_alerts”, 60000, userIdentity, null);

 

In the other hand, the endpoint of my server is configured without encryption (security policy: none). I only use user and password because server and client are both in a isolated network without internet access. Is really needed to have a certificate in my scenario? could I connect to my server without certicate?

Thanks in advance for your help.

Avatar
Randy Armstrong
Admin
Forum Posts: 1578
Member Since:
05/30/2017
sp_UserOfflineSmall Offline
2
03/27/2024 - 11:13
sp_Permalink sp_Print

It is a bit confusing what you are doing.

You need to do the following:

1) Assign a certificate to your client.

2) Add the certificate to KepServerEX trust list (see KepServerEX documentation);

3) Add the KepServerEX to your client’s trust list.

There is no point wasting time with a password because, without a certificate, the password is sent in plain text and anyone connected to the network can see it.

Avatar
Sergio Teijido
Member
Members
Forum Posts: 7
Member Since:
03/26/2024
sp_UserOfflineSmall Offline
3
03/28/2024 - 17:06
sp_Permalink sp_Print

Thank you for replying, Randy. I didn’t worry about security because as I said the network is complete isolated. There is no way for anyone to get access to the network. In fact, I connect from opc watch without certificate, because endpoint has no security policy at all. Anyway, at the begining I received an exception with the message “you must specify a certificate” or something like that, so I am trying to set a certificate to my client despite it is not needed from server side.

About your steps, I have a doubt: how can I create the certificate for my client? What is the step before 1?

Actually I have a certificate that I get from Kepserver connecting from OPC Watch with encryption enable. Kepserver has returned a certificate to the client in both pfx and der formats, and these are the files that I have copied to my .net client. However, my .net client still says that certificate is not found, despite there are two files in the StorePath.  

Could the problem be on the way the certificate has been created? What is the correct way to create my client certificate?

Again thanks for your reply and your time.

Avatar
Randy Armstrong
Admin
Forum Posts: 1578
Member Since:
05/30/2017
sp_UserOfflineSmall Offline
4
04/01/2024 - 06:42
sp_Permalink sp_Print

The client should automatically create a certificate when it starts if it does not have one.

See this code in the ReferenceClient:

https://github.com/OPCFoundati…..Program.cs

// check the application certificate.
var certOK = application.CheckApplicationInstanceCertificate(false, 0).Result;
if (!certOK)
{
throw new Exception(“Application instance certificate invalid!”);
}

Avatar
Sergio Teijido
Member
Members
Forum Posts: 7
Member Since:
03/26/2024
sp_UserOfflineSmall Offline
5
04/04/2024 - 06:20
sp_Permalink sp_Print

I have modified the code following your comments and the reference client, Randy. CheckApplicationInstanceCertificate is returning true. And I have set AutoAcceptUntrustedCertificates to “true” in my client.Config.xml.

However, I am receiving a new error in this case: Value cannot be null. (Parameter ‘serverCertificate’).

This is my actual code:

var endpointUrl = “opc.tcp://192.168.21.75:49321”;
var endpointDescription = new EndpointDescription
{
   EndpointUrl = endpointUrl
};

 ApplicationInstance application = new ApplicationInstance
{
   ApplicationName = “OPC_UA_Alerts”,
   ApplicationType = ApplicationType.Client,
   ConfigSectionName = “client”
};

bool appCert = await application.CheckApplicationInstanceCertificate(false, 0).ConfigureAwait(false);
if (!appCert)
{
   throw new Exception(“Application instance certificate invalid!”);
}

EndpointConfiguration endpointConfiguration = EndpointConfiguration.Create(application.ApplicationConfiguration);
ConfiguredEndpoint endpoint = new ConfiguredEndpoint(null, endpointDescription, endpointConfiguration);

var userIdentity = new UserIdentity(“netdot”, “1234”);

var session = await Session.Create(application.ApplicationConfiguration, endpoint, false, application.ApplicationName, 60000, userIdentity, null);

 

And This is the file client.Config.xml. I have get it from the reference client:

<?xml version=”1.0″ encoding=”utf-8″?>
<ApplicationConfiguration
xmlns:xsi=”http://www.w3.org/2001/XMLSchema-instance”
xmlns:ua=”https://opcfoundation.org/UA/2008/02/Types.xsd”
xmlns=”https://opcfoundation.org/UA/SDK/Configuration.xsd”
>
<ApplicationName>Quickstart Console Reference Client</ApplicationName>
<ApplicationUri>urn:localhost:UA:Quickstarts:ReferenceClient</ApplicationUri>
<ProductUri>uri:opcfoundation.org:Quickstarts:ReferenceClient</ProductUri>
<ApplicationType>Client_1</ApplicationType>

<SecurityConfiguration>

<!– Where the application instance certificate is stored (MachineDefault) –>
<ApplicationCertificate>
<StoreType>Directory</StoreType>
<StorePath>%LocalApplicationData%/OPC Foundation/pki/own</StorePath>
<SubjectName>CN=Console Reference Client, C=US, S=Arizona, O=OPC Foundation, DC=localhost</SubjectName>
</ApplicationCertificate>

<!– Where the issuer certificate are stored (certificate authorities) –>
<TrustedIssuerCertificates>
<StoreType>Directory</StoreType>
<StorePath>%LocalApplicationData%/OPC Foundation/pki/issuer</StorePath>
</TrustedIssuerCertificates>

<!– Where the trust list is stored –>
<TrustedPeerCertificates>
<StoreType>Directory</StoreType>
<StorePath>%LocalApplicationData%/OPC Foundation/pki/trusted</StorePath>
</TrustedPeerCertificates>

<!– The directory used to store invalid certificates for later review by the administrator. –>
<RejectedCertificateStore>
<StoreType>Directory</StoreType>
<StorePath>%LocalApplicationData%/OPC Foundation/pki/rejected</StorePath>
</RejectedCertificateStore>

<!– WARNING: The following setting (to automatically accept untrusted certificates) should be used
for easy debugging purposes ONLY and turned off for production deployments! –>
<AutoAcceptUntrustedCertificates>true</AutoAcceptUntrustedCertificates>

<!– WARNING: SHA1 signed certificates are by default rejected and should be phased out.
only nano and embedded profiles are allowed to use sha1 signed certificates. –>
<RejectSHA1SignedCertificates>true</RejectSHA1SignedCertificates>
<RejectUnknownRevocationStatus>true</RejectUnknownRevocationStatus>
<MinimumCertificateKeySize>2048</MinimumCertificateKeySize>
<AddAppCertToTrustedStore>false</AddAppCertToTrustedStore>
<SendCertificateChain>true</SendCertificateChain>

<!– Where the User trust list is stored–>
<TrustedUserCertificates>
<StoreType>Directory</StoreType>
<StorePath>%LocalApplicationData%/OPC Foundation/pki/trustedUser</StorePath>
</TrustedUserCertificates>

</SecurityConfiguration>

<TransportConfigurations></TransportConfigurations>

<TransportQuotas>
<OperationTimeout>120000</OperationTimeout>
<MaxStringLength>4194304</MaxStringLength>
<MaxByteStringLength>4194304</MaxByteStringLength>
<MaxArrayLength>65535</MaxArrayLength>
<MaxMessageSize>4194304</MaxMessageSize>
<MaxBufferSize>65535</MaxBufferSize>
<ChannelLifetime>300000</ChannelLifetime>
<SecurityTokenLifetime>3600000</SecurityTokenLifetime>
</TransportQuotas>

<ClientConfiguration>
<DefaultSessionTimeout>60000</DefaultSessionTimeout>
<WellKnownDiscoveryUrls>
<ua:String>opc.tcp://{0}:4840</ua:String>
<ua:String>http://{0}:52601/UADiscovery</ua:String>
<ua:String>http://{0}/UADiscovery/Default.svc</ua:String>
</WellKnownDiscoveryUrls>
<DiscoveryServers></DiscoveryServers>
<MinSubscriptionLifetime>10000</MinSubscriptionLifetime>

<OperationLimits>
<MaxNodesPerRead>2500</MaxNodesPerRead>
<MaxNodesPerHistoryReadData>1000</MaxNodesPerHistoryReadData>
<MaxNodesPerHistoryReadEvents>1000</MaxNodesPerHistoryReadEvents>
<MaxNodesPerWrite>2500</MaxNodesPerWrite>
<MaxNodesPerHistoryUpdateData>1000</MaxNodesPerHistoryUpdateData>
<MaxNodesPerHistoryUpdateEvents>1000</MaxNodesPerHistoryUpdateEvents>
<MaxNodesPerMethodCall>2500</MaxNodesPerMethodCall>
<MaxNodesPerBrowse>2500</MaxNodesPerBrowse>
<MaxNodesPerRegisterNodes>2500</MaxNodesPerRegisterNodes>
<MaxNodesPerTranslateBrowsePathsToNodeIds>2500</MaxNodesPerTranslateBrowsePathsToNodeIds>
<MaxNodesPerNodeManagement>2500</MaxNodesPerNodeManagement>
<MaxMonitoredItemsPerCall>2500</MaxMonitoredItemsPerCall>
</OperationLimits>

</ClientConfiguration>

<Extensions>
</Extensions>

<TraceConfiguration>
<OutputFilePath>%LocalApplicationData%/OPC Foundation/Logs/Quickstarts.ReferenceClient.log.txt</OutputFilePath>
<DeleteOnLoad>true</DeleteOnLoad>
<!– Show Only Errors –>
<!– <TraceMasks>1</TraceMasks> –>
<!– Show Only Security and Errors –>
<!– <TraceMasks>513</TraceMasks> –>
<!– Show Only Security, Errors and Trace –>
<!– <TraceMasks>515</TraceMasks> –>
<!– Show Only Security, COM Calls, Errors and Trace –>
<!– <TraceMasks>771</TraceMasks> –>
<!– Show Only Security, Service Calls, Errors and Trace –>
<!– <TraceMasks>523</TraceMasks> –>
<!– Show Only Security, ServiceResultExceptions, Errors and Trace –>
<!– <TraceMasks>519</TraceMasks> –>
</TraceConfiguration>

</ApplicationConfiguration>

Avatar
Randy Armstrong
Admin
Forum Posts: 1578
Member Since:
05/30/2017
sp_UserOfflineSmall Offline
6
04/07/2024 - 04:14
sp_Permalink sp_Print

You need to get the EndpointDescription from the Server first:

endpointDescription = CoreClientUtils.SelectEndpoint(m_configuration, serverUrl, useSecurity);

Avatar
Sergio Teijido
Member
Members
Forum Posts: 7
Member Since:
03/26/2024
sp_UserOfflineSmall Offline
7
04/11/2024 - 06:58
sp_Permalink sp_Print

Thank you Randy, this works but a new error is been raised now: Certificate is not trusted. I am comparing my code with the ConsoleReferenceClient, but I realized that this error is triggering in the Reference Client also. I set in the Reference Client my serverurl, username and password, and this is the output:

Image Enlarger

It seems that the client does not accept the server certificate, probably because it is self-signed. I tried installing the server certificate in my trusted root certification authorities certificate store, but it didn’t solve the problem. I also tried to set these couple of settings in config.xml

<AutoAcceptUntrustedCertificates>true</AutoAcceptUntrustedCertificates>

<RejectSHA1SignedCertificates>false</RejectSHA1SignedCertificates>

Non of them worked. I am afraid I need to make the Reference Client working before writing my own client. How can I solve this new error?

Thank you for your time.

Avatar
Randy Armstrong
Admin
Forum Posts: 1578
Member Since:
05/30/2017
sp_UserOfflineSmall Offline
8
04/11/2024 - 08:34
sp_Permalink sp_Print

The server have to trust the client.

Check the server log messages.

Avatar
Sergio Teijido
Member
Members
Forum Posts: 7
Member Since:
03/26/2024
sp_UserOfflineSmall Offline
9
04/12/2024 - 00:40
sp_Permalink sp_Print

I think there are two sides, right? Server must trust the client and client must trust the server. According the error message of my previous post, client is rejecting the server certificate. How can I make client trust the server’s self-signed certificate?

There is no problem in server side. Client certificates appear in the configuration manager. Just clicking on “trust” the client is able to comunicate. I have other clients working: OPC Watch and Wonderware Historian.

Avatar
Randy Armstrong
Admin
Forum Posts: 1578
Member Since:
05/30/2017
sp_UserOfflineSmall Offline
10
04/14/2024 - 03:30
sp_Permalink sp_Print

Yes two sides. The server must trust the client and the client must trust the server.

Have you told the server to trust the correct client certificate?

Avatar
Sergio Teijido
Member
Members
Forum Posts: 7
Member Since:
03/26/2024
sp_UserOfflineSmall Offline
11
04/15/2024 - 04:07
sp_Permalink sp_Print

This is what I do in server side. When a new client connects to server, this error is triggering due the client certificate is not trusted:

Image Enlarger

In server side, the client certificate appears in the OPC UA Configuration Manager. Just click on “Trust” and the next connection will be established succesfully.

Image Enlarger

My problem now with Reference Client (and also with my own client): certificate doesn’t appear in OPC UA Configuration Manager and this error is triggering: 

Image Enlarger

Now I don’t know which certificate the error is referring to, the client’s or the server’s. The subject showed in the error is about the server certificate, so I am assuming the client does not trust the server’s certificate. I’ve been stuck at this point for several days.

Avatar
Sergio Teijido
Member
Members
Forum Posts: 7
Member Since:
03/26/2024
sp_UserOfflineSmall Offline
12
04/17/2024 - 03:34
sp_Permalink sp_Print

More info: when I run the reference client, the server’s certificate is being stored in folder /OPC Foundation/pki/rejected/certs, so clearly the client is rejecting the server’s certificate. 

Avatar
Randy Armstrong
Admin
Forum Posts: 1578
Member Since:
05/30/2017
sp_UserOfflineSmall Offline
13
04/20/2024 - 05:26
sp_Permalink sp_Print

The Server won’t put s Certificate into its rejected list because there is a fatal validation error.

The best way to understand what is going on is to review the server logs.

Forum Timezone: America/Phoenix
Most Users Ever Online: 510
Currently Online:
Guest(s) 23
Currently Browsing this Page:
1 Guest(s)
Top Posters:
Forum Stats:
Groups: 2
Forums: 10
Topics: 1444
Posts: 4887