"SignAndEncrypt" MessageSecurityMode and Certificates

Unified Architecture topics related to OPC UA Specification, compliant behavior and any technical issues of OPC UA, like Security, Information Model, Companion Specs DI, PLCopen, ADI, ...

ssmaung
Sr. Member
Posts: 17
Joined: 09 Jun 2021, 11:42

"SignAndEncrypt" MessageSecurityMode and Certificates

Post by ssmaung »

Hello,
I am using the "SignAndEncrypt" MessageSecurityMode and 'Anonymous' UserIdentityTokens.
I also set 'AutomaticallyTrustAllClientCertificates' = true.

In that case, is it still required to have the server certificate in the client's trusted list?
Based on my checking with a simple client and server application, it seems it is still required.

Can you please explain why the server certificate has to be in the client's trusted list?
Thank you in advance.

Support Team
Hero Member
Posts: 3064
Joined: 18 Mar 2011, 15:09

Re: "SignAndEncrypt" MessageSecurityMode and Certificates

Post by Support Team »

Hi,

in contrast to most Web applications, in OPC UA we have "both-sided" trust. This means that the server must trust the client, but the client must likewise trust the server, to be able to establish a secure connection.

If you use the (extremely dangerous) option on the server side to "automatically trust all client certificates", this (of course) does not release you from trusting the server's certificate on the client side.

Note: the server-side option "AutoTrustAllClients" should never be used in production. It is meant to be used temporarily, e.g. during initial commissioning only, and is quite handy for headless devices, but of course it should be set to "false" again thereafter.
Best regards
Unified Automation Support Team
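The two-sided trust check described in the reply above, as an added example that is not part of the original post and not code from the Unified Automation SDK. It models the certificate validation both peers perform when a SecureChannel is opened with SignAndEncrypt: the server checks the client's application instance certificate against its trust list (optionally short-circuited by the auto-trust-all-clients switch), and the client checks the server's certificate against its own trust list, which no server-side switch can bypass. Trust lists are keyed by the SHA-1 thumbprint of the DER-encoded certificate, as OPC UA trust stores are; the certificate bytes, application names and the `scenario_*` helpers are constructed stand-ins for illustration.

```python
"""Model of OPC UA's two-sided certificate trust during OpenSecureChannel.

Constructed example, not code from Unified Automation's SDK. Application
instance certificates are stood in for by constructed byte strings; trust
lists hold SHA-1 thumbprints of those bytes, the way OPC UA trust stores
identify certificates by the SHA-1 thumbprint of the DER encoding.
"""
import hashlib
from dataclasses import dataclass, field


def thumbprint(cert_der: bytes) -> str:
    """OPC UA identifies a certificate by the SHA-1 hash of its DER bytes."""
    return hashlib.sha1(cert_der).hexdigest().upper()


@dataclass
class UaApplication:
    name: str
    own_cert: bytes
    trusted: set = field(default_factory=set)   # thumbprints of trusted peer certs
    auto_trust_all_clients: bool = False        # server-side commissioning switch only

    def trust(self, cert_der: bytes) -> None:
        """Equivalent of copying a peer certificate into the 'trusted' folder."""
        self.trusted.add(thumbprint(cert_der))

    def validate_peer(self, peer_cert: bytes, peer_is_client: bool) -> tuple:
        tp = thumbprint(peer_cert)
        if tp in self.trusted:
            return True, f"{self.name}: {tp[:8]} is in the trust list"
        # The auto-trust switch exists only on the server and only covers
        # certificates presented by clients; a client never auto-trusts a server.
        if peer_is_client and self.auto_trust_all_clients:
            self.trust(peer_cert)   # real SDKs move the cert into the trust list
            return True, f"{self.name}: auto-trusted client {tp[:8]} (commissioning mode)"
        return False, f"{self.name}: BadCertificateUntrusted for {tp[:8]}"


def open_secure_channel(client: UaApplication, server: UaApplication) -> dict:
    """With SignAndEncrypt both peers must accept the other's certificate."""
    server_ok, server_msg = server.validate_peer(client.own_cert, peer_is_client=True)
    client_ok, client_msg = client.validate_peer(server.own_cert, peer_is_client=False)
    return {
        "server_trusts_client": server_ok,
        "client_trusts_server": client_ok,
        "channel_open": server_ok and client_ok,
        "log": [server_msg, client_msg],
    }


# Constructed stand-ins for the DER bytes of two self-signed application certs.
CLIENT_CERT = b"-constructed-der-urn:example:client-"
SERVER_CERT = b"-constructed-der-urn:example:server-"


def scenario_auto_trust_only() -> dict:
    """Server auto-trusts clients, client trust list empty: the channel still fails."""
    client = UaApplication("client", CLIENT_CERT)
    server = UaApplication("server", SERVER_CERT, auto_trust_all_clients=True)
    return open_secure_channel(client, server)


def scenario_mutual_trust() -> dict:
    """Both trust lists populated explicitly, auto-trust off: the channel opens."""
    client = UaApplication("client", CLIENT_CERT)
    server = UaApplication("server", SERVER_CERT)
    client.trust(SERVER_CERT)
    server.trust(CLIENT_CERT)
    return open_secure_channel(client, server)


if __name__ == "__main__":
    for label, result in (("auto-trust only", scenario_auto_trust_only()),
                          ("mutual trust", scenario_mutual_trust())):
        print(label, "->", "channel open" if result["channel_open"] else "rejected")
        for line in result["log"]:
            print("  ", line)
```

The first scenario reproduces what the question observed: the server accepts the unknown client because of the auto-trust switch, but the client still returns the equivalent of BadCertificateUntrusted because the server certificate is not in its trust list, so no channel is opened. The second scenario is the configuration to use after commissioning: both trust lists populated explicitly and the auto-trust switch back to false.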

ssmaung
Sr. Member
Posts: 17
Joined: 09 Jun 2021, 11:42

Re: "SignAndEncrypt" MessageSecurityMode and Certificates

Post by ssmaung »

Thank you very much, I appreciate the prompt reply. It is very valuable information.
