I have a server based on the server_cpp_demo example project in the cppsdkbundle. I changed it to use certificate-based authentication. I am manually configuring the client certificates with the server. I'll use the LDS server after I have this working.
I don't understand a behavior that I see. I can create a certificate using the UaExpert Manage Certificates dialog and copy the .der file to the server at locations [ConfigPath]/pkiuser/trusted/certs/ and also into folder [ConfigPath]/pkiserver/trusted/certs/. This configuration works.
But if I remove the .DER file from either one of those folders, authentication does not work. It must be in both folders for the client to authenticate.
I don't expect the server to require the same cert in two folders. What am I missing?
Note that in the future I plan to push certificates onto the server using GDS.
certificate folders for a server
- Support Team
Re: certificate folders for a server
Hi tjohnston,
There are 2 different certificate stores you mentioned here:
/pkiserver/trusted/certs:
This is the store where you trust ApplicationInstance Certificates. So any UA Client that wants to connect with security needs to be trusted in that store.
/pkiuser/trusted/certs:
This is the store to trust user certificates. That means a client can have different users that authenticate. In this step the user gets one or more Roles assigned. A Role defines the permissions a user has for certain operations (e.g. Browse, Read, Write, ...). To authenticate, UA defines different types of Tokens, e.g. Username/Password, Certificate, issue token.
As long as you don't use user authentication you just need to put the UaExpert certificate in the /pkiserver/trusted/certs store.
Best regards
Unified Automation Support Team
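An added example, not part of the original posts or of the SDK: a Python check that reports, per certificate, which of the two stores described in the reply contains it, matching files by SHA-1 thumbprint of the DER bytes rather than by file name. The function names and report layout are assumptions, and the demo files are constructed placeholder bytes, not real certificates.

```python
import hashlib
import tempfile
from pathlib import Path

# Store sub-paths named in the thread, relative to the server's [ConfigPath].
APP_STORE = "pkiserver/trusted/certs"  # trusted ApplicationInstance certificates
USER_STORE = "pkiuser/trusted/certs"   # trusted user certificates


def thumbprints(store):
    """Map SHA-1 thumbprint -> file name for each .der file in a store."""
    if not store.is_dir():
        return {}
    return {hashlib.sha1(f.read_bytes()).hexdigest().upper(): f.name
            for f in sorted(store.iterdir())
            if f.is_file() and f.suffix.lower() == ".der"}


def audit(config_path):
    """Report, per certificate, which of the two trust stores contains it."""
    root = Path(config_path)
    app, user = thumbprints(root / APP_STORE), thumbprints(root / USER_STORE)
    return {tp: {"file": app.get(tp) or user.get(tp),
                 "application_trusted": tp in app,
                 "user_trusted": tp in user}
            for tp in sorted(set(app) | set(user))}


def explain(entry):
    """Translate store membership into the behaviour described in the reply."""
    if entry["application_trusted"] and entry["user_trusted"]:
        return "secure connection and certificate user authentication"
    if entry["application_trusted"]:
        return "secure connection only; not trusted as a user certificate"
    return "user certificate only; application not trusted to connect with security"


if __name__ == "__main__":
    # Constructed demo: placeholder bytes stand in for real DER certificates.
    with tempfile.TemporaryDirectory() as cfg:
        for store in (APP_STORE, USER_STORE):
            (Path(cfg) / store).mkdir(parents=True)
        (Path(cfg) / APP_STORE / "uaexpert.der").write_bytes(b"constructed-cert-A")
        (Path(cfg) / USER_STORE / "uaexpert.der").write_bytes(b"constructed-cert-A")
        (Path(cfg) / APP_STORE / "other_client.der").write_bytes(b"constructed-cert-B")
        for tp, entry in audit(cfg).items():
            print(tp[:16], entry["file"], "->", explain(entry))
```

Run against the real [ConfigPath], a certificate that shows up in only one store points to the case from the question: the same UaExpert certificate is being used both for the application and as the user's certificate token.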