Automatically trust all certificates

Questions regarding the use of the C++ SDK for Server or Client development or integration into customer products ...

Moderator: uasdkcpp

miyamae
Jr. Member
Posts: 4
Joined: 12 Feb 2020, 11:29

Automatically trust all certificates

Post by miyamae »

Hi there,

how can I get the Server SDK to automatically accept all clients and not reject them?
There is an option to set "AutomaticallyTrustAllClientCertificates" to "true" in the configuration files, but client certificates are not stored.
I want to store the certificate in the trust folder.
Are there any other ways?

Thanks in advance.

Support Team
Hero Member
Posts: 3064
Joined: 18 Mar 2011, 15:09

Re: Automatically trust all certificates

Post by Support Team »

Hi,

regarding security there are only two ways to do it: do it correctly, or leave it.
If you want to trust all clients (in fact you ignore their certificates without even checking them), there is no need to store them, because they are not even looked at anyways. The "TrustAllClient" mode is switching from the OPC UA double-side trust check into a single-side trust check (as of typical web applications). Your server will be "public" (for every client) available and should take user authentication into account instead. That said, the "TrustAllClient" is a very special use case and should not be used for regular OPC UA application scenarios.

The SDK will call back the application whenever a certificate is quarantined in the "rejected" folder; your application can decide what to do next.
Best regards
Unified Automation Support Team

bastian.schaller
Jr. Member
Posts: 2
Joined: 15 May 2023, 06:19

Re: Automatically trust all certificates

Post by bastian.schaller »

Hi,

I just found this post.
"The SDK will call back the application whenever a certificate is quarantined in the "rejected" folder; your application can decide what to do next."
Where can I find this callback?

Thanks,
Bastian

Support Team
Hero Member
Posts: 3064
Joined: 18 Mar 2011, 15:09

Re: Automatically trust all certificates

Post by Support Team »

Hello Bastian,

you can implement the Interface UaServer::secureChannelCertificateError() and then create an instance of your implementation via the Interface UaServerApplicationCallback::createUaServer().
Best regards
Unified Automation Support Team

bastian.schaller
Jr. Member
Posts: 2
Joined: 15 May 2023, 06:19

Re: Automatically trust all certificates

Post by bastian.schaller »

Hi,

thanks for the reply.
UaServer::secureChannelCertificateError() is not virtual, so it cannot be overridden.
A UaServer* pointer from createUaServer() will always call UaServer::secureChannelCertificateError().

Or did I misunderstand the answer?

Thanks,
Bastian

Support Team
Hero Member
Posts: 3064
Joined: 18 Mar 2011, 15:09

Re: Automatically trust all certificates

Post by Support Team »

Hello Bastian,

apologies, we did not catch that. There is no callback. Usually there is no use case for that in an environment with a proper PKI infrastructure.
Best regards
Unified Automation Support Team
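
An added example, not part of the thread and not Unified Automation code: since the thread ends with no SDK callback being available, this sketch shows an out-of-band review step that moves a certificate from the "rejected" folder to the trust folder only when its fingerprint is on an operator-approved list, instead of enabling "AutomaticallyTrustAllClientCertificates". The directory names, the `.der` extension and the SHA-256 allowlist are assumptions; substitute the paths from your own PKI store configuration.

```python
import hashlib
import shutil
import tempfile
from pathlib import Path


def fingerprint(der_path: Path) -> str:
    """SHA-256 over the raw DER bytes of the certificate file."""
    return hashlib.sha256(der_path.read_bytes()).hexdigest()


def promote_approved(rejected: Path, trusted: Path, approved: set[str]) -> dict:
    """Move only allowlisted certificates from rejected/ to trusted/."""
    result = {"promoted": [], "left": []}
    trusted.mkdir(parents=True, exist_ok=True)
    wanted = {fp.lower().replace(":", "") for fp in approved}
    for cert in sorted(rejected.glob("*.der")):
        if cert.is_symlink() or not cert.is_file():
            result["left"].append(cert.name)  # never follow links out of the store
            continue
        fp = fingerprint(cert)
        if fp in wanted:
            # Name the trusted copy by fingerprint so a client-chosen file
            # name cannot collide with an existing trust entry.
            shutil.move(str(cert), str(trusted / f"{fp}.der"))
            result["promoted"].append(cert.name)
        else:
            result["left"].append(cert.name)  # stays quarantined for review
    return result


def demo() -> dict:
    """Constructed sample: two placeholder 'certificates', one approved."""
    root = Path(tempfile.mkdtemp())
    rejected = root / "rejected"           # assumed folder name
    trusted = root / "trusted" / "certs"   # assumed folder name
    rejected.mkdir(parents=True)
    (rejected / "hmi-panel.der").write_bytes(b"constructed DER bytes A")
    (rejected / "unknown.der").write_bytes(b"constructed DER bytes B")
    approved = {hashlib.sha256(b"constructed DER bytes A").hexdigest()}
    out = promote_approved(rejected, trusted, approved)
    out["trusted_files"] = sorted(p.name for p in trusted.iterdir())
    out["rejected_files"] = sorted(p.name for p in rejected.iterdir())
    return out


if __name__ == "__main__":
    print(demo())
```

The approved fingerprints should come from the client's owner over a separate channel, not from the file that landed in the rejected folder.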
