Worfklow for using custom CA with the client/server|OPC UA Standard|Forum|OPC Foundation

Avatar
Search
Forum Scope


Match



Forum Options



Minimum search word length is 3 characters - maximum search word length is 84 characters
Lost password?
sp_Feed sp_PrintTopic sp_TopicIcon
Worfklow for using custom CA with the client/server
Avatar
matej skerjanc
Member
Members
Forum Posts: 3
Member Since:
10/15/2021
sp_UserOfflineSmall Offline
1
10/15/2021 - 02:49
sp_Permalink sp_Print

Hello

I was just thrown into the world of OPC UA. I got a .net client in my hands now (a simple console) which connects to OPC ua server.

All fine so far, the issue is that I dont want to approve certificates on the server side, so I created – with the help of openssl – a CA and another cert which is signed by this CA. I put the client certificate into the CurrentUser\My store path and it is read which is fine. But the certificate is always invalid (certificateValid variable is false). Where should i put the CA keys to? If I put it to trusted issuer store (in my case a directory “UA Certificate Authorities”) it doesnt even recognize it. Is there a special form it has to be in or different directory? The documentation what i found is a wee vague regarding use of CA. 

Any help in the right direction is appreciated! Even pointing to useful documentation

 

Best regards

 

p.s. Not using the discovery server

Avatar
Randy Armstrong
Admin
Forum Posts: 1579
Member Since:
05/30/2017
sp_UserOnlineSmall Online
2
10/15/2021 - 12:12
sp_Permalink sp_Print

You can’t use a CA without a CRL.

Did you create one?

Avatar
matej skerjanc
Member
Members
Forum Posts: 3
Member Since:
10/15/2021
sp_UserOfflineSmall Offline
3
10/21/2021 - 22:41
sp_Permalink sp_Print sp_EditHistory

Sorry for slow response I got issues logging in..

Anyway yes since my post I’ve created CRL, my cert is still not valid for some reason. (As per ca csr config i host it on some http://localhost:8000/intermed…..te.crl.pem). I faked it in code so it marks it as valid and then I manage to make it work with prosys simulator.

But i have to copy crl manually to the directory crl and ofcourse rootCA public key (../PKI/CA/crl and ../PKI/CA/certs accordingly).

 

But I cannot make it work with kepserverEx it always marks as untrusted. I dont know where to put crl and root ca for kepserver though. Google has not been fruitful in this regards.

Thank you for the help Randy!

Avatar
matej skerjanc
Member
Members
Forum Posts: 3
Member Since:
10/15/2021
sp_UserOfflineSmall Offline
4
10/25/2021 - 21:54
sp_Permalink sp_Print

Just to follow up on update

I’ve manage to make it work apparently my root CA was a bit off. Thank you for your time! 

p.s. doesnt look like kepserver demands CLR per se

Forum Timezone: America/Phoenix
Most Users Ever Online: 510
Currently Online: Randy Armstrong
Guest(s) 52
Currently Browsing this Page:
1 Guest(s)
Top Posters:
Forum Stats:
Groups: 2
Forums: 10
Topics: 1445
Posts: 4889