"SignAndEncrypt" MessageSecurityMode and Certificates

Posted: 09 Jun 2021, 12:09
by ssmaung
Hello,
I am using "SignAndEncrypt" MessageSecurityMode and 'Anonymous' UserIdentityTokens.
I also set 'AutomaticallyTrustAllClientCertificates' = true.

In that case, is it still required for the server certificate to be in the client's trusted list?
Based on my checking with a simple client and server application, it seems it is still required.

Can you please explain why the server certificate has to be in the client's trusted list?
Thank you in advance.

Re: "SignAndEncrypt" MessageSecurityMode and Certificates

Posted: 09 Jun 2021, 12:47
by Support Team
Hi,

In contrast to most Web applications, in OPC UA we have "both-sided" trust. This means that the server must trust the client, but the client must trust the server likewise, to be able to establish a secure connection.

If you use the (extremely dangerous) option on the server side to "automatically trust all client certificates", this (of course) does not release you from trusting the server's cert on the client side.

Note: the server-side option "AutoTrustAllClients" should never be used in production, it is meant to be used temporarily during e.g. initial commissioning only, and is quite handy for headless devices, but of course should be set "false" again thereafter.
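
To make the "both-sided" trust concrete, here is a small model of the two certificate checks that happen when a SignAndEncrypt secure channel is opened. It is an added illustration written for this thread, not code from the forum posters or from any OPC UA SDK: the `TrustStore`, `Endpoint` and `open_secure_channel` names are invented, the "certificates" are constructed byte strings standing in for DER-encoded certificates, and the trusted/rejected split mirrors the trusted and rejected folders most OPC UA PKI stores keep on disk. What it shows is that the server's auto-trust switch only short-circuits the server's own check; the client still has to find the server certificate in its trusted list, or the channel fails on the client side.

```python
import hashlib
from dataclasses import dataclass, field


def thumbprint(der_cert: bytes) -> str:
    # OPC UA identifies a certificate by the SHA-1 hash of its DER encoding
    # (the same value a stack puts into the OpenSecureChannel request).
    return hashlib.sha1(der_cert).hexdigest()


@dataclass
class TrustStore:
    """Hypothetical in-memory PKI store: a trusted list plus a rejected list."""
    trusted: set = field(default_factory=set)       # thumbprints of trusted certs
    rejected: dict = field(default_factory=dict)    # thumbprint -> DER of rejected certs

    def trust(self, der_cert: bytes) -> None:
        tp = thumbprint(der_cert)
        self.trusted.add(tp)
        self.rejected.pop(tp, None)   # an admin "moves" the cert from rejected to trusted

    def is_trusted(self, der_cert: bytes) -> bool:
        return thumbprint(der_cert) in self.trusted


@dataclass
class Endpoint:
    """One side of the channel: its own certificate, its store, and its trust policy."""
    name: str
    certificate: bytes
    store: TrustStore
    # Models the server-side 'AutomaticallyTrustAllClientCertificates' switch.
    # The client has no such switch in this model; it always consults its store.
    auto_trust_all: bool = False

    def validate_peer(self, peer_cert: bytes) -> bool:
        if self.auto_trust_all or self.store.is_trusted(peer_cert):
            return True
        # Unknown certificate: record it so an operator can inspect and trust it later.
        self.store.rejected[thumbprint(peer_cert)] = peer_cert
        return False


def open_secure_channel(client: Endpoint, server: Endpoint) -> tuple:
    """Simulate the two validations behind a SignAndEncrypt channel.

    Returns (established, reason). Both checks must pass; each side
    validates the *other* side's certificate against its *own* policy.
    """
    if not server.validate_peer(client.certificate):
        return (False, "server rejected client certificate")
    if not client.validate_peer(server.certificate):
        return (False, "client rejected server certificate")
    return (True, "SignAndEncrypt channel established")


def demo() -> list:
    # Constructed stand-ins for DER certificates; not real X.509 data.
    client_cert = b"CONSTRUCTED-DER-client-cert"
    server_cert = b"CONSTRUCTED-DER-server-cert"

    client = Endpoint("client", client_cert, TrustStore())
    server = Endpoint("server", server_cert, TrustStore(), auto_trust_all=True)

    results = []
    # 1. Server auto-trusts everything, but the client has an empty store:
    #    the channel fails on the client side, exactly the situation in the question.
    results.append(open_secure_channel(client, server))

    # 2. The server cert now sits in the client's rejected list; the operator
    #    reviews it and moves it to the trusted list. The channel comes up.
    assert thumbprint(server_cert) in client.store.rejected
    client.store.trust(server_cert)
    results.append(open_secure_channel(client, server))

    # 3. Switch the dangerous auto-trust off again (as the support answer advises)
    #    with no client cert in the server's store: now the server side rejects.
    server.auto_trust_all = False
    results.append(open_secure_channel(client, server))

    # 4. Trust the client cert on the server too: mutual trust, channel established.
    server.store.trust(client_cert)
    results.append(open_secure_channel(client, server))
    return results


if __name__ == "__main__":
    for ok, reason in demo():
        print("OK " if ok else "FAIL", reason)
```

Step 1 is the case described in the original question; step 3 is what happens once the server-side auto-trust switch is turned back off without having trusted the client certificate, which is why the switch is only a commissioning aid.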

Re: "SignAndEncrypt" MessageSecurityMode and Certificates

Posted: 09 Jun 2021, 15:08
by ssmaung
Thank you very much, and I appreciate the prompt reply. It is very valuable information.