

Posted: 01 May 2019, 18:42

I'm attempting to set up a simple security certificate validation between a server and client on the same PC that allows for certificate checking both ways (the client won't connect until validating the server and vice versa). I've used the OPC Foundation UA Configuration Tool to create a certificate for my server, and verified that the .der file is in the own/cert directory of its certificate store and the .pfx file is in the own/private directory. I've edited the App.config file of my server so that the only security policy is SecurityPolicy#Basic256Sha256:

I'm trying to connect with UaExpert to this server. I've used the Configuration Tool to tell the server to trust the UaExpert application, and have verified that UaExpert's .der file appears in the trusted/cert directory of the server's certificate store.

When I open UaExpert and define a server, I set the endpoint URL to the right address/port, set the Security Policy to Basic256Sha256 and the Message Security Mode to Sign & Encrypt, and then under Authentication Settings I set the Certificate and Private Key to the correct .der and .pfx files for UaExpert. When I try to connect, it's unable to, and it prints out the error:

[uastack] OpcUa_SecureConnection_OnNotify: Connect event: ERROR 0x80050000!
[uastack] OpcUa_SecureConnection_OnNotify: Connect event: Notifying owner! 0x80050000
Could not connect to server: BadCommunicationError

On the other hand, if I compile the server so that it uses the SecurityPolicy#None policy instead, UaExpert asks me if it should trust the server, and when I say yes, it connects. I'm able to verify after this that the server's .der has been copied to UaExpert's trusted list.

I need to be able to have the security check both ways, however, so I need to get past the BadCommunicationError. Any suggestions?

Thanks in advance!

Re: BadCommunicationError

Posted: 17 Jun 2019, 14:30
by Support Team

You should not confuse Application Instance certificates with User certificates.
UaExpert creates its own self-signed certificate and private key on first start and uses this automatically when connecting using a secure policy.
There is no need to configure anything in authentication settings.
The Application Instance certificate is used to establish the secure channel.

Authentication settings are there for authenticating the user, which creates the session.
This can be done using Anonymous, Username/Password and X509 certificates (user certificates).

In both cases UaExpert expects certificates in DER format and private keys in PEM format.
pfx is not supported.

Please have a look at the documentation here: http://documentation.unified-automation ... nnect.html
which explains this in more detail.
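
Added example, not part of the original thread and not code from UaExpert or Unified Automation: a standard-library Python check that tells a DER certificate, a PEM private key and a PKCS#12 (.pfx) container apart by their leading bytes, so a file can be checked against the formats named in the reply above before it is selected. The function names and the slot names `certificate` / `private_key` are hypothetical.

```python
"""Classify certificate/key files: PEM, DER X.509 or PKCS#12 (.pfx)."""


def _read_header(buf, pos):
    """Return (tag, offset_of_content) for the ASN.1 element at pos."""
    tag = buf[pos]
    first = buf[pos + 1]
    if first < 0x80:                      # short-form length: one byte
        return tag, pos + 2
    # long form: low 7 bits = number of length bytes (0 = indefinite)
    return tag, pos + 2 + (first & 0x7F)


def classify(data):
    """Return 'pem-certificate', 'pem-private-key', 'der-certificate',
    'pkcs12' or 'unknown' for the raw bytes of a file."""
    text = data.lstrip()
    if text.startswith(b"-----BEGIN "):
        end = text.find(b"-----", 11)
        label = text[11:end] if end != -1 else b""
        if label == b"CERTIFICATE":
            return "pem-certificate"
        if label.endswith(b"PRIVATE KEY"):
            return "pem-private-key"
        return "unknown"
    try:
        outer_tag, inner = _read_header(data, 0)
        inner_tag, value = _read_header(data, inner)
    except IndexError:                    # too short to be ASN.1
        return "unknown"
    if outer_tag != 0x30:                 # both formats start with SEQUENCE
        return "unknown"
    if inner_tag == 0x30:                 # Certificate ::= SEQUENCE { tbsCertificate SEQUENCE ...
        return "der-certificate"
    if inner_tag == 0x02 and data[value:value + 1] == b"\x03":
        return "pkcs12"                   # PFX ::= SEQUENCE { version INTEGER (3) ...
    return "unknown"


def fits_slot(data, slot):
    """True if the file matches the format the reply states for that slot:
    DER for 'certificate', PEM for 'private_key' (slot names are assumed)."""
    wanted = {"certificate": "der-certificate", "private_key": "pem-private-key"}
    return classify(data) == wanted[slot]


# Constructed sample inputs: only the leading bytes of each format.
SAMPLE_DER_CERT = bytes.fromhex("3082031f30820207a003")
SAMPLE_PFX = bytes.fromhex("308209d9020103308209")
SAMPLE_PEM_KEY = b"-----BEGIN PRIVATE KEY-----\nMIIE...\n-----END PRIVATE KEY-----\n"
```
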