Application certificate cannot be found|OPC UA Standard|Forum|OPC Foundation

Thank you for replying, Randy. I didn’t worry about security because as I said the network is complete isolated. There is no way for anyone to get access to the network. In fact, I connect from opc watch without certificate, because endpoint has no security policy at all. Anyway, at the begining I received an exception with the message “you must specify a certificate” or something like that, so I am trying to set a certificate to my client despite it is not needed from server side.

About your steps, I have a doubt: how can I create the certificate for my client? What is the step before 1?

Actually I have a certificate that I get from Kepserver connecting from OPC Watch with encryption enable. Kepserver has returned a certificate to the client in both pfx and der formats, and these are the files that I have copied to my .net client. However, my .net client still says that certificate is not found, despite there are two files in the StorePath.  

Could the problem be on the way the certificate has been created? What is the correct way to create my client certificate?

Again thanks for your reply and your time.

I have modified the code following your comments and the reference client, Randy. CheckApplicationInstanceCertificate is returning true. And I have set AutoAcceptUntrustedCertificates to "true" in my client.Config.xml.

However, I am receiving a new error in this case: Value cannot be null. (Parameter 'serverCertificate').

This is my actual code:

var endpointUrl = "opc.tcp://192.168.21.75:49321";
var endpointDescription = new EndpointDescription
{
   EndpointUrl = endpointUrl
};

 ApplicationInstance application = new ApplicationInstance
{
   ApplicationName = "OPC_UA_Alerts",
   ApplicationType = ApplicationType.Client,
   ConfigSectionName = "client"
};

bool appCert = await application.CheckApplicationInstanceCertificate(false, 0).ConfigureAwait(false);
if (!appCert)
{
   throw new Exception("Application instance certificate invalid!");
}

EndpointConfiguration endpointConfiguration = EndpointConfiguration.Create(application.ApplicationConfiguration);
ConfiguredEndpoint endpoint = new ConfiguredEndpoint(null, endpointDescription, endpointConfiguration);

var userIdentity = new UserIdentity("netdot", "1234");

var session = await Session.Create(application.ApplicationConfiguration, endpoint, false, application.ApplicationName, 60000, userIdentity, null);

And This is the file client.Config.xml. I have get it from the reference client:

<?xml version="1.0" encoding="utf-8"?>
<ApplicationConfiguration
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:ua="https://opcfoundation.org/UA/2008/02/Types.xsd"
xmlns="https://opcfoundation.org/UA/SDK/Configuration.xsd"
>
<ApplicationName>Quickstart Console Reference Client</ApplicationName>
<ApplicationUri>urn:localhost:UA:Quickstarts:ReferenceClient</ApplicationUri>
<ProductUri>uri:opcfoundation.org:Quickstarts:ReferenceClient</ProductUri>
<ApplicationType>Client_1</ApplicationType>

<SecurityConfiguration>

<!-- Where the application instance certificate is stored (MachineDefault) -->
<ApplicationCertificate>
<StoreType>Directory</StoreType>
<StorePath>%LocalApplicationData%/OPC Foundation/pki/own</StorePath>
<SubjectName>CN=Console Reference Client, C=US, S=Arizona, O=OPC Foundation, DC=localhost</SubjectName>
</ApplicationCertificate>

<!-- Where the issuer certificate are stored (certificate authorities) -->
<TrustedIssuerCertificates>
<StoreType>Directory</StoreType>
<StorePath>%LocalApplicationData%/OPC Foundation/pki/issuer</StorePath>
</TrustedIssuerCertificates>

<!-- Where the trust list is stored -->
<TrustedPeerCertificates>
<StoreType>Directory</StoreType>
<StorePath>%LocalApplicationData%/OPC Foundation/pki/trusted</StorePath>
</TrustedPeerCertificates>

<!-- The directory used to store invalid certificates for later review by the administrator. -->
<RejectedCertificateStore>
<StoreType>Directory</StoreType>
<StorePath>%LocalApplicationData%/OPC Foundation/pki/rejected</StorePath>
</RejectedCertificateStore>

<!-- WARNING: The following setting (to automatically accept untrusted certificates) should be used
for easy debugging purposes ONLY and turned off for production deployments! -->
<AutoAcceptUntrustedCertificates>true</AutoAcceptUntrustedCertificates>

<!-- WARNING: SHA1 signed certificates are by default rejected and should be phased out.
only nano and embedded profiles are allowed to use sha1 signed certificates. -->
<RejectSHA1SignedCertificates>true</RejectSHA1SignedCertificates>
<RejectUnknownRevocationStatus>true</RejectUnknownRevocationStatus>
<MinimumCertificateKeySize>2048</MinimumCertificateKeySize>
<AddAppCertToTrustedStore>false</AddAppCertToTrustedStore>
<SendCertificateChain>true</SendCertificateChain>

<!-- Where the User trust list is stored-->
<TrustedUserCertificates>
<StoreType>Directory</StoreType>
<StorePath>%LocalApplicationData%/OPC Foundation/pki/trustedUser</StorePath>
</TrustedUserCertificates>

</SecurityConfiguration>

<TransportConfigurations></TransportConfigurations>

<TransportQuotas>
<OperationTimeout>120000</OperationTimeout>
<MaxStringLength>4194304</MaxStringLength>
<MaxByteStringLength>4194304</MaxByteStringLength>
<MaxArrayLength>65535</MaxArrayLength>
<MaxMessageSize>4194304</MaxMessageSize>
<MaxBufferSize>65535</MaxBufferSize>
<ChannelLifetime>300000</ChannelLifetime>
<SecurityTokenLifetime>3600000</SecurityTokenLifetime>
</TransportQuotas>

<ClientConfiguration>
<DefaultSessionTimeout>60000</DefaultSessionTimeout>
<WellKnownDiscoveryUrls>
<ua:String>opc.tcp://{0}:4840</ua:String>
<ua:String>http://{0}:52601/UADiscovery</ua:String>
<ua:String>http://{0}/UADiscovery/Default.svc</ua:String>
</WellKnownDiscoveryUrls>
<DiscoveryServers></DiscoveryServers>
<MinSubscriptionLifetime>10000</MinSubscriptionLifetime>

<OperationLimits>
<MaxNodesPerRead>2500</MaxNodesPerRead>
<MaxNodesPerHistoryReadData>1000</MaxNodesPerHistoryReadData>
<MaxNodesPerHistoryReadEvents>1000</MaxNodesPerHistoryReadEvents>
<MaxNodesPerWrite>2500</MaxNodesPerWrite>
<MaxNodesPerHistoryUpdateData>1000</MaxNodesPerHistoryUpdateData>
<MaxNodesPerHistoryUpdateEvents>1000</MaxNodesPerHistoryUpdateEvents>
<MaxNodesPerMethodCall>2500</MaxNodesPerMethodCall>
<MaxNodesPerBrowse>2500</MaxNodesPerBrowse>
<MaxNodesPerRegisterNodes>2500</MaxNodesPerRegisterNodes>
<MaxNodesPerTranslateBrowsePathsToNodeIds>2500</MaxNodesPerTranslateBrowsePathsToNodeIds>
<MaxNodesPerNodeManagement>2500</MaxNodesPerNodeManagement>
<MaxMonitoredItemsPerCall>2500</MaxMonitoredItemsPerCall>
</OperationLimits>

</ClientConfiguration>

<Extensions>
</Extensions>

<TraceConfiguration>
<OutputFilePath>%LocalApplicationData%/OPC Foundation/Logs/Quickstarts.ReferenceClient.log.txt</OutputFilePath>
<DeleteOnLoad>true</DeleteOnLoad>
<!-- Show Only Errors -->
<!-- <TraceMasks>1</TraceMasks> -->
<!-- Show Only Security and Errors -->
<!-- <TraceMasks>513</TraceMasks> -->
<!-- Show Only Security, Errors and Trace -->
<!-- <TraceMasks>515</TraceMasks> -->
<!-- Show Only Security, COM Calls, Errors and Trace -->
<!-- <TraceMasks>771</TraceMasks> -->
<!-- Show Only Security, Service Calls, Errors and Trace -->
<!-- <TraceMasks>523</TraceMasks> -->
<!-- Show Only Security, ServiceResultExceptions, Errors and Trace -->
<!-- <TraceMasks>519</TraceMasks> -->
</TraceConfiguration>

</ApplicationConfiguration>

Thank you Randy, this works but a new error is been raised now: Certificate is not trusted. I am comparing my code with the ConsoleReferenceClient, but I realized that this error is triggering in the Reference Client also. I set in the Reference Client my serverurl, username and password, and this is the output:

It seems that the client does not accept the server certificate, probably because it is self-signed. I tried installing the server certificate in my trusted root certification authorities certificate store, but it didn't solve the problem. I also tried to set these couple of settings in config.xml

<AutoAcceptUntrustedCertificates>true</AutoAcceptUntrustedCertificates>

<RejectSHA1SignedCertificates>false</RejectSHA1SignedCertificates>

Non of them worked. I am afraid I need to make the Reference Client working before writing my own client. How can I solve this new error?

Thank you for your time.

I think there are two sides, right? Server must trust the client and client must trust the server. According the error message of my previous post, client is rejecting the server certificate. How can I make client trust the server's self-signed certificate?

There is no problem in server side. Client certificates appear in the configuration manager. Just clicking on "trust" the client is able to comunicate. I have other clients working: OPC Watch and Wonderware Historian.

This is what I do in server side. When a new client connects to server, this error is triggering due the client certificate is not trusted:

In server side, the client certificate appears in the OPC UA Configuration Manager. Just click on "Trust" and the next connection will be established succesfully.

My problem now with Reference Client (and also with my own client): certificate doesn't appear in OPC UA Configuration Manager and this error is triggering: 

Now I don't know which certificate the error is referring to, the client's or the server's. The subject showed in the error is about the server certificate, so I am assuming the client does not trust the server's certificate. I've been stuck at this point for several days.