OPC UA Client Application Instance Certificate |OPC UA Standard|Forum|OPC Foundation

Avatar
Search
Forum Scope


Match



Forum Options



Minimum search word length is 3 characters - maximum search word length is 84 characters
Lost password?
sp_Feed sp_PrintTopic sp_TopicIcon
OPC UA Client Application Instance Certificate
Avatar
OPCUA USER
Member
Members
Forum Posts: 53
Member Since:
01/07/2022
sp_UserOfflineSmall Offline
1
07/28/2024 - 23:04
sp_Permalink sp_Print

Hi,

I have developed OPC UA SERVER application using CSharp(C#) language.

I have a requirement,

OPC UA Client shall use a tokenType of ANONYMOUS indicates that the Server does not require any user identification. In this case, the Client Application Instance Certificate is used as the user identification.

 

What is Client Application Instance Certificate?

How to send Client Application Instance Certificate to OPC UA Server by using UAExpert?

How to achieve this in UAExpert?

Avatar
Randy Armstrong
Admin
Forum Posts: 1578
Member Since:
05/30/2017
sp_UserOfflineSmall Offline
2
07/28/2024 - 23:27
sp_Permalink sp_Print

UAExpert automatically sends the Application Certificate to the Server when it connects.

It cannot connect if the Server is not configured to trust the Client certificate.

Avatar
OPCUA USER
Member
Members
Forum Posts: 53
Member Since:
01/07/2022
sp_UserOfflineSmall Offline
3
07/29/2024 - 05:00
sp_Permalink sp_Print

Hi,

Thanks for your reply.

Suppose, if client wants to use application instance certificate issued by “Certification Authority” instead of client sends application instance certificate to server implicitly.

So where do we need to maintain/copy the  “CLIENT application instance certificate” issued by Certification Authority in following  UAExpert PKI folders.

pki\own
pki\issuer
pki\trusted
pki
ejected
pki\issuerUser
pki\trustedUser

Our requirement is, OPA UA Client has to send the application instance certificate(X .509)( issued by Certification Authority) to OPC UA Server in “Anonymous User Identity Token” policy.

Avatar
Randy Armstrong
Admin
Forum Posts: 1578
Member Since:
05/30/2017
sp_UserOfflineSmall Offline
4
07/30/2024 - 00:13
sp_Permalink sp_Print

You can use the UAExpert UI to set a new Certificate.

You should not manipulate the file system directly.

Avatar
OPCUA USER
Member
Members
Forum Posts: 53
Member Since:
01/07/2022
sp_UserOfflineSmall Offline
5
10/15/2024 - 23:21
sp_Permalink sp_Print

Yes, it is correct, Unexpert automatically sends the Application Certificate to the Server when it connects.

Now I want to validate the client application instance certificate in OPC UA Server.

When UAExpert sends the application instance certificate to OPC UA Server in anonymous token policy, in server side X509IdentityToken x509Token object is getting null value.

How to validate the client application instance certificate in OPC UA Server?

Avatar
Randy Armstrong
Admin
Forum Posts: 1578
Member Since:
05/30/2017
sp_UserOfflineSmall Offline
6
10/16/2024 - 13:27
sp_Permalink sp_Print sp_EditHistory

This is done automatically by the SDK. You simply need to ensure your server is configured to trust the UAExpert certificate by adding the Certificate to the Server trust list.

In UA there are 2 levels of authentication:

1) Application

2) User

This exists because in OT users are only allowed to do tasks using verified software so the double authentication prevents users from using unverified applications.

X509IdentityToken are used for user authentication which is not used with an anonymous token policy.

Forum Timezone: America/Phoenix
Most Users Ever Online: 510
Currently Online:
Guest(s) 24
Currently Browsing this Page:
1 Guest(s)
Top Posters:
Forum Stats:
Groups: 2
Forums: 10
Topics: 1444
Posts: 4887