How to validate OPC UA Client certificate in OPC UA Server|OPC UA Standard|Forum|OPC Foundation

Avatar
Search
Forum Scope


Match



Forum Options



Minimum search word length is 3 characters - maximum search word length is 84 characters
Lost password?
sp_Feed sp_PrintTopic sp_TopicIcon
How to validate OPC UA Client certificate in OPC UA Server
Avatar
OPCUA USER
Member
Members
Forum Posts: 53
Member Since:
01/07/2022
sp_UserOfflineSmall Offline
1
05/31/2024 - 03:07
sp_Permalink sp_Print sp_EditHistory

I have developed OPC UA SERVER application using CSharp(C#) language.

I have one requirement:

OPC UA server shall validate the Client Certificate and verify that the Client is Authorized to access OPC UA server services, before allowing access to OPC UA server services

I have used the following folders to maintain certificates for OPC UA Server. I have created Self Signed certificate and put under OPC Foundation\pki\own\cert\

Server:

OPC Foundation\pki\own
OPC Foundation\pki\issuer
OPC Foundation\pki\trusted
OPC Foundation\pki
ejected
OPC Foundation\pki\issuerUser
OPC Foundation\pki\trustedUser

Client:

unifiedautomation\uaexpert\PKI\issuers
unifiedautomation\uaexpert\PKI\own
unifiedautomation\uaexpert\PKI
ejected
unifiedautomation\uaexpert\PKI\tls_issuers
unifiedautomation\uaexpert\PKI\trusted

Now my question is, how to send client certificate to server using UAExpert tool? and how to validate client certificate in server?

if it is not valid means then Server should send Bad_certificate error message

Avatar
Randy Armstrong
Admin
Forum Posts: 1578
Member Since:
05/30/2017
sp_UserOfflineSmall Offline
2
06/03/2024 - 09:30
sp_Permalink sp_Print

The UA protocol provides a mechanism for exchanging certificates.

So no special effort is required.

For you to connect successfully the server must trust the client certificate. To establish trust you have to manually copy the client certificate into the trusted folder on the server if you are not using CAs.

The server may save the client certificate in the rejected directory if the certificate is otherwise valid. During testing you can copy this certificate to the trusted folder but for production this is potentially dangerous.

Forum Timezone: America/Phoenix
Most Users Ever Online: 510
Currently Online:
Guest(s) 21
Currently Browsing this Page:
1 Guest(s)
Top Posters:
Forum Stats:
Groups: 2
Forums: 10
Topics: 1444
Posts: 4887