[CRL] How to upload/update Certificate Revocation List using Push Model in OPC UA server.

Posted: 15 May 2023, 06:11
by piorek204
Hello,
I'm trying to do "Provisioning with Push model" for the OPC UA server. However, I have an issue: when I provide a CA root certificate (the certificate with which my client is signed and the server will be signed), I get an error from the server that the Certificate Revocation List (CRL) is missing. Everything works as expected when I manually add the CRL to the server's Trust List. My problem is that I cannot add a CRL using the API (PUSH model). Is there a method in the server with which I can upload CRLs to the server's Trust List?

Re: [CRL] How to upload/update Certificate Revocation List using Push Model in OPC UA server.

Posted: 15 May 2023, 08:38
by Support Team
Hi,

The PUSH API has the ability to download the CRL into the server, same as the Trustlist. There is a bit mask that tells you if a certificate or revocation list is coming. So no, there is no extra API call, but there is a way to push the CRL (together with all the other trusted certs). There is no need to "copy sideways", you can PUSH the CA signed cert together with the CRL (you must have a CRL even though it is empty).

Re: [CRL] How to upload/update Certificate Revocation List using Push Model in OPC UA server.

Posted: 15 May 2023, 09:44
by piorek204
Please bear with me, but I still can't do it. Could you please point me to the documentation on which function I should use? To add to the trusted list, I use this https://reference.opcfoundation.org/GDS/v104/docs/7.5.5 but in there I can't see any bitmask other than "isTrustedCertificate". It works for certificates but not for CRLs in my case. When I call this function with a CRL using UaExpert, the function returns "Success" but still the CRL does not go to the server.

Re: [CRL] How to upload/update Certificate Revocation List using Push Model in OPC UA server.

Posted: 15 May 2023, 10:24
by Support Team
Hi,
see here:
https://reference.opcfoundation.org/GDS/v104/docs/7.5.2
The bit masks in TrustListDataType structure allow the Client to only update part of the Trust List.
Note: the UaExpert (GDS Push Plugin) cannot download/push a CRL (just AddCertificate); however, you can use the UaGDS for testing, it is pushing both the CA signed cert and the CA signed CRL.

Re: [CRL] How to upload/update Certificate Revocation List using Push Model in OPC UA server.

Posted: 15 May 2023, 11:05
by piorek204
OK, I got it. My mistake was that I was opening the TrustList in the wrong mode; for write, the mode must be 0x06.
So my flow looks like this:
- Call Open method on TrustList with mode 0x06
- Call Write TrustListDataType (converted to binary) with CRL
- Call Close and Update on TrustList

It works! Thanks for your help :)
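The TrustListDataType payload that the flow above writes, as an added example that is not part of the thread or of any OPC UA SDK: it encodes the structure in OPC UA Binary with the SpecifiedLists bit mask (TrustListMasks from Part 12), so only the lists you actually pass are flagged and the server applies just those. The Open mode 0x06 is Write | EraseExisting as used in the thread; the certificate and CRL bytes are constructed placeholders, not real DER.

```python
import struct

# TrustListMasks values (OPC UA Part 12, TrustListDataType.SpecifiedLists).
TRUSTED_CERTIFICATES = 0x01
TRUSTED_CRLS = 0x02
ISSUER_CERTIFICATES = 0x04
ISSUER_CRLS = 0x08

# TrustList Open mode used in the thread: Write (0x02) | EraseExisting (0x04).
OPEN_MODE_WRITE_ERASE = 0x06

# Field order of TrustListDataType after SpecifiedLists, with the mask bit for each.
FIELDS = [("trusted_certs", TRUSTED_CERTIFICATES), ("trusted_crls", TRUSTED_CRLS),
          ("issuer_certs", ISSUER_CERTIFICATES), ("issuer_crls", ISSUER_CRLS)]


def _enc_bytestring(b):
    # OPC UA ByteString: Int32 length (-1 for null) followed by the raw bytes.
    return struct.pack("<i", -1) if b is None else struct.pack("<i", len(b)) + b


def _enc_array(items):
    # OPC UA array: Int32 element count (-1 for null) followed by the elements.
    if items is None:
        return struct.pack("<i", -1)
    return struct.pack("<i", len(items)) + b"".join(_enc_bytestring(i) for i in items)


def encode_trust_list(**lists):
    """Encode a TrustListDataType; only the lists passed are set in SpecifiedLists."""
    masks = sum(bit for name, bit in FIELDS if name in lists)
    body = b"".join(_enc_array(lists.get(name)) for name, _ in FIELDS)
    return struct.pack("<I", masks) + body


def decode_trust_list(data):
    """Inverse of encode_trust_list: returns (masks, lists the server would apply)."""
    masks, = struct.unpack_from("<I", data, 0)
    pos, out = 4, {}
    for name, bit in FIELDS:
        count, = struct.unpack_from("<i", data, pos)
        pos, items = pos + 4, []
        for _ in range(max(count, 0)):
            n, = struct.unpack_from("<i", data, pos)
            pos += 4
            items.append(None if n < 0 else data[pos:pos + n])
            pos += max(n, 0)
        if masks & bit:  # a list whose mask bit is clear is ignored by the server
            out[name] = items
    return masks, out


if __name__ == "__main__":
    # Constructed placeholders standing in for the DER-encoded CA cert and its (empty) CRL.
    payload = encode_trust_list(trusted_certs=[b"<CA-cert-DER>"], trusted_crls=[b"<CA-CRL-DER>"])
    # Flow from the thread: Open(mode=0x06) -> Write(payload) -> Close -> Update.
    print(hex(decode_trust_list(payload)[0]))  # 0x3: TrustedCertificates | TrustedCrls
```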