[CRL] How to upload/update Certificate Revocation List using Push Model in OPC UA server.

Unified Architecture topics related to OPC UA Specification, compliant behavior and any technical issues of OPC UA, like Security, Information Model, Companion Specs DI, PLCopen, ADI, ...

Moderator: Support Team

piorek204
Jr. Member
Posts: 3
Joined: 15 May 2023, 05:26

[CRL] How to upload/update Certificate Revocation List using Push Model in OPC UA server.

Post by piorek204 »

Hello,
I'm trying to do "Provisioning with Push model" for the OPC UA server. However, I have an issue when I provide a CA root certificate (the certificate with which my client is signed and the server will be signed), I get an error from the server that the Certificate Revocation List (CRL) is missing. Everything works as expected when I manually add the CRL to the server's Trust List. My problem is that I cannot add a CRL using the API (PUSH model). Is there a method in the server with which I can upload CRLs to the server's Trust List?

Support Team
Hero Member
Posts: 3064
Joined: 18 Mar 2011, 15:09

Re: [CRL] How to upload/update Certificate Revocation List using Push Model in OPC UA server.

Post by Support Team »

Hi,

the PUSH API has the ability to download the CRL into the server, same as the Trustlist. There is a bit mask that tells you if a certificate or a revocation list is coming. So no, there is no extra API call, but there is a way to push the CRL (together with all the other trusted certs). There is no need to "copy sideways", you can PUSH the CA signed cert together with the CRL (you must have a CRL even though it is empty).
Best regards
Unified Automation Support Team

piorek204
Jr. Member
Posts: 3
Joined: 15 May 2023, 05:26

Re: [CRL] How to upload/update Certificate Revocation List using Push Model in OPC UA server.

Post by piorek204 »

Please bear with me, but I still can't do it. Could you please point me to the function in the documentation I should use? To add to the trusted list, I use this https://reference.opcfoundation.org/GDS/v104/docs/7.5.5 but in there I can't see any bitmask other than "isTrustedCertificate". It works for certificates but not for CRLs in my case. When I call this function with a CRL using UaExpert, the function returns "Success" but still the CRL does not go to the server.

Support Team
Hero Member
Posts: 3064
Joined: 18 Mar 2011, 15:09

Re: [CRL] How to upload/update Certificate Revocation List using Push Model in OPC UA server.

Post by Support Team »

Hi,
see here:
https://reference.opcfoundation.org/GDS/v104/docs/7.5.2
The bit masks in TrustListDataType structure allow the Client to only update part of the Trust List.
Note: the UaExpert (GDS Push Plugin) cannot download/push a CRL (just AddCertificate), however you can use the UaGDS for testing, it is pushing both, the CA signed cert and the CA signed CRL.
Best regards
Unified Automation Support Team

piorek204
Jr. Member
Posts: 3
Joined: 15 May 2023, 05:26

Re: [CRL] How to upload/update Certificate Revocation List using Push Model in OPC UA server.

Post by piorek204 »

OK, I got it. My mistake was that I was opening the TrustList in the wrong mode; to write, the mode must be 0x06.
So my flow looks like this:
- Call Open method on TrustList with mode 0x06
- Call Write TrustListDataType (converted to binary) with CRL
- Call Close and Update on TrustList

It works! Thanks for your help :)
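As an added example (not code from this thread, from Unified Automation or from the OPC Foundation), this is the payload the flow above hands to Write: a TrustListDataType body encoded with the OPC UA Part 6 binary rules, using the TrustListMasks bits from Part 12 to say which lists the update carries, plus a decoder to check the bytes before they go to the server. The CRL bytes are a constructed placeholder, and the example assumes the server reads the bare structure body rather than an ExtensionObject wrapper around it.

```python
import struct

# TrustListMasks (OPC UA Part 12): bits of SpecifiedLists naming the lists a Write carries.
# Setting TRUSTED_CRLS with an empty array is how an "empty CRL list" is pushed explicitly.
TRUSTED_CERTIFICATES, TRUSTED_CRLS, ISSUER_CERTIFICATES, ISSUER_CRLS = 0x01, 0x02, 0x04, 0x08
ALL_LISTS = 0x0F
# Open mode from the thread: Write (0x02) | EraseExisting (0x04)
OPEN_MODE_WRITE_ERASE = 0x06


def _put_array(items):
    """ByteString[]: Int32 element count, then each element as Int32 length + bytes."""
    return struct.pack("<i", len(items)) + b"".join(struct.pack("<i", len(b)) + b for b in items)


def _get_array(buf, pos):
    (count,) = struct.unpack_from("<i", buf, pos); pos += 4
    items = []
    for _ in range(max(count, 0)):          # count == -1 is a null array, read as empty
        (ln,) = struct.unpack_from("<i", buf, pos); pos += 4
        if ln < 0:                           # null ByteString carries no payload bytes
            items.append(b""); continue
        items.append(bytes(buf[pos:pos + ln])); pos += ln
    return items, pos


def encode_trust_list(specified, trusted_certs=(), trusted_crls=(), issuer_certs=(), issuer_crls=()):
    """UA Binary body of TrustListDataType: UInt32 SpecifiedLists + four ByteString arrays."""
    if specified & ~ALL_LISTS:
        raise ValueError("unknown TrustListMasks bit in SpecifiedLists")
    return (struct.pack("<I", specified) + _put_array(trusted_certs) + _put_array(trusted_crls)
            + _put_array(issuer_certs) + _put_array(issuer_crls))


def decode_trust_list(buf):
    """Inverse of encode_trust_list; returns (SpecifiedLists, [certs, crls, issuer_certs, issuer_crls])."""
    (specified,) = struct.unpack_from("<I", buf, 0); pos = 4
    lists = []
    for _ in range(4):
        items, pos = _get_array(buf, pos)
        lists.append(items)
    return specified, lists


# Constructed placeholder standing in for a real DER-encoded, CA-signed CRL.
FAKE_CRL = b"\x30\x03\x02\x01\x00"

if __name__ == "__main__":
    body = encode_trust_list(TRUSTED_CRLS, trusted_crls=[FAKE_CRL])   # only the CRL list is updated
    print(body.hex(), decode_trust_list(body))
```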
