Trusting Certificate from Server running as Worker Service|OPC UA Standard|Forum|OPC Foundation

Avatar
Search
Forum Scope


Match



Forum Options



Minimum search word length is 3 characters - maximum search word length is 84 characters
Lost password?
sp_Feed sp_PrintTopic sp_TopicIcon
Trusting Certificate from Server running as Worker Service
Avatar
Justin Lipps
Member
Members
Forum Posts: 5
Member Since:
05/27/2020
sp_UserOfflineSmall Offline
1
06/08/2020 - 08:28
sp_Permalink sp_Print

I’m implementing an OPC UA server with the .NET standard reference implementation on GitHub. I’m starting the server (i.e. Server.Run()) from a windows .NET core worker background service. Everything is running fine except that the client certificate is rejected by the server.

I’ve manually placed each application instance certificate in the ‘trusted’ folder once ‘rejected’. I’ve also directly installed them in the CurrentUser\My windows store. 

This certificate is still rejected by the server. Is this a known bug, a misconfiguration, or just not currently possible with the OPC UA stack? Does this mean that, if I want to implement the Opc.Ua.Server stack as a service that I must always set AutoAcceptUntrustedCertificates to true? Any insight you can provide is appreciated.

Avatar
Randy Armstrong
Admin
Forum Posts: 1579
Member Since:
05/30/2017
sp_UserOfflineSmall Offline
2
06/08/2020 - 13:45
sp_Permalink sp_Print

You need to turn on Server logging an look at the exact reason for the rejection.

It could be no CA, no CRL, expired or not yet valid.

Avatar
Justin Lipps
Member
Members
Forum Posts: 5
Member Since:
05/27/2020
sp_UserOfflineSmall Offline
3
06/08/2020 - 14:57
sp_Permalink sp_Print

When you say turn on “server logging”, which section to which are you referring?

For instance, do you mean enabling diagnostics, i.e. in the Server.Config.XML file => <DiagnosticsEnabled>true</DiagnosticsEnabled>

-OR-

I also tried logging the following details within the event handler: CertificateValidationEventHandler()

e.Error.StatusCode.ToString();
e.Error.AdditionalInfo.ToString();
e.Error.InnerResult.ToString();

Which returned:

Status code => BadCertificateUntrusted

Additional Info: >>> Certificate is not trusted.
SubjectName: CN=OPC UA Client, C=US, S=Pennsylvania, O=Sentinel Software, DC=localhost
IssuerName: CN=OPC UA Client, C=US, S=Pennsylvania, O=Sentinel Software, DC=localhost

— at Opc.Ua.CertificateValidator.InternalValidate(X509Certificate2Collection certificates) in …\Opc.Ua.Core\Security\Certificates\CertificateValidator.cs:line 846

— at Opc.Ua.CertificateValidator.Validate(X509Certificate2Collection chain) in    …\Opc.Ua.Core\Security\Certificates\CertificateValidator.cs:line 247

 

Which points to this exception on line 846 of CertificateValidator.cs:

if ((certificateKeyUsage & X509KeyUsageFlags.DataEncipherment) == 0)
{
     throw new ServiceResultException(StatusCodes.BadCertificateUseNotAllowed, “Usage of certificate is not allowed.”);
}

And the other points to this statement on line 247 of CertificateValidator.cs:

m_validatedCertificates[certificate.Thumbprint] = new X509Certificate2(certificate.RawData);

 

Thanks!

Please advise.

Avatar
Randy Armstrong
Admin
Forum Posts: 1579
Member Since:
05/30/2017
sp_UserOfflineSmall Offline
4
06/08/2020 - 16:53
sp_Permalink sp_Print

How did your create your certificate?

Avatar
Justin Lipps
Member
Members
Forum Posts: 5
Member Since:
05/27/2020
sp_UserOfflineSmall Offline
5
06/11/2020 - 06:09
sp_Permalink sp_Print

The certificates are automatically created by the OPC UA stack.

I found the solution and proper configuration for running the server as a windows service. I’m going to outline my process, in case anyone who wants to do the same thing comes across this post.

One main difference to highlight is the fact that %LocalApplicationData% resolves to the special profile folder that is associated with the service. By default, a windows service logs on as “Local System” which means that %LocalApplicationData% will resolve to:

“C:\Windows\System32\config\systemprofile\AppData\Local”

That being said, CurrentUser/My cannot be used with this configuration, it will just silently fail to place the cert here. There may be a workaround here, but I haven’t found it as of yet. However, because the cert is still being placed in the trusted location, the client will still authenticate properly with the server upon connection.

If a X509 store must be used, LocalMachine/My should be used. A directory type store will also work just as well if you want to skip the windows cert stores. I chose LocalMachine/My for my implementation, but of course it depends on your need.

Now, finally since %LocalApplicationData% is no longer a reliable place to store the trusted/issuer/rejected certs, I’ve found that %CommonApplicationData% provides a nice alternative special folder location and will work just fine. Of course, you could use whatever directory you want, but wanted to provide that insight.

Forum Timezone: America/Phoenix
Most Users Ever Online: 510
Currently Online:
Guest(s) 47
Currently Browsing this Page:
1 Guest(s)
Top Posters:
Forum Stats:
Groups: 2
Forums: 10
Topics: 1445
Posts: 4889