I am having issues connecting to the C++-based OPC UA SDK server when using a CA-signed certificate for the client. The channel is closed by the server with a BadSecurityChecksFailed error. As a client, I use the reference implementation from the OPC Foundation (.NET SDK).
I have put the CA certificate in the "trusted/certs/" folder and the CRL in the "trusted/crl/" folder. Disabling all security checks in the "SecurityCheckOverwrites" config section didn't help either. Only when I set "AutomaticallyTrustAllClientCertificates" to "true" can I connect (but I don't want to automatically trust all clients).
Here is a detailed view of the CA certificate. Due to the message length restriction, the client certificate is in the next post.
> openssl x509 -inform der -text -in ca.der
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            79:93:8e:4d:1b:3c:b7:8c:f8:51:80:f7:56:b3:ab:c2:e5:e9:ae:14
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: O = OPC Foundation, CN = IOP-2018 CA
        Validity
            Not Before: Feb 15 15:18:00 2022 GMT
            Not After : Feb 13 15:18:00 2032 GMT
        Subject: O = OPC Foundation, CN = IOP-2018 CA
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (4096 bit)
                Modulus:
                    [OMITTED DUE TO MSG LENGTH RESTRICTION]
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                8B:4A:FD:F9:40:66:C9:DB:19:A6:7B:31:50:A3:AC:38:AF:8A:5E:87
            X509v3 Authority Key Identifier:
                keyid:8B:4A:FD:F9:40:66:C9:DB:19:A6:7B:31:50:A3:AC:38:AF:8A:5E:87
            X509v3 Basic Constraints: critical
                CA:TRUE
            X509v3 Key Usage: critical
                Digital Signature, Certificate Sign, CRL Sign
    Signature Algorithm: sha256WithRSAEncryption
         [...]
Certificate Revocation List (CRL):
        Version 2 (0x1)
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: O = OPC Foundation, CN = IOP-2018 CA
        Last Update: Feb 15 15:18:00 2022 GMT
        Next Update: Feb 13 15:18:00 2032 GMT
        CRL extensions:
            X509v3 Authority Key Identifier:
                keyid:8B:4A:FD:F9:40:66:C9:DB:19:A6:7B:31:50:A3:AC:38:AF:8A:5E:87
            X509v3 CRL Number:
                1
No Revoked Certificates.
    Signature Algorithm: sha256WithRSAEncryption
         [...]
Best regards
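A way to check the trust-store material outside the SDK, as an added example that is not part of the original post and not code from the OPC Foundation or the C++ SDK: the script below builds a CA with the same profile as the one shown above (CA:TRUE, certificate and CRL signing), issues a client certificate with the URI SAN that OPC UA application instance certificates need, stores everything as DER the way "trusted/certs" and "trusted/crl" would hold it, and then runs the same two checks a server performs before it can accept the client: chain building to the CA with a mandatory CRL check, and a look at the SAN. It then revokes the client and confirms the refreshed CRL makes the check fail. It assumes only the openssl CLI (1.1.1 or later); every name, URI and path in it is constructed for the demo.

```shell
#!/bin/sh
# Added example, not code from the original post or the OPC Foundation SDKs.
# Rebuilds a CA / client certificate / CRL trio with the openssl CLI, keeps
# DER copies like an OPC UA trust store ("trusted/certs", "trusted/crl") and
# checks, outside the SDK, whether that material validates the client.
# Assumptions: openssl CLI (1.1.1+) on PATH; all names, URIs and paths below
# are constructed for this demo.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Own req config so the system openssl.cnf plays no part in the demo.
printf '[req]\nprompt = no\ndistinguished_name = req_dn\n[req_dn]\n' > "$WORK/req.cnf"

# Minimal CA database so that "openssl ca -gencrl" and "-revoke" can run.
make_ca() {
  cat > "$WORK/ca.cnf" <<EOF
[ ca ]
default_ca = demo_ca
[ demo_ca ]
database = $WORK/index.txt
new_certs_dir = $WORK
serial = $WORK/serial
crlnumber = $WORK/crlnumber
certificate = $WORK/ca.pem
private_key = $WORK/ca.key
default_md = sha256
default_crl_days = 30
EOF
  : > "$WORK/index.txt"
  echo 1000 > "$WORK/serial"
  echo 1000 > "$WORK/crlnumber"
  # Same CA profile as the certificate in the post: CA:TRUE, cert + CRL signing.
  cat > "$WORK/ca.ext" <<EOF
basicConstraints=critical,CA:TRUE
keyUsage=critical,digitalSignature,keyCertSign,cRLSign
subjectKeyIdentifier=hash
EOF
  openssl req -new -config "$WORK/req.cnf" -newkey rsa:2048 -nodes \
    -keyout "$WORK/ca.key" -out "$WORK/ca.csr" -subj "/O=Demo Org/CN=Demo CA"
  openssl x509 -req -in "$WORK/ca.csr" -signkey "$WORK/ca.key" -days 3650 \
    -sha256 -extfile "$WORK/ca.ext" -out "$WORK/ca.pem"
  openssl x509 -in "$WORK/ca.pem" -outform der -out "$WORK/ca.der"   # trusted/certs
  issue_crl
}

# (Re)issue the CRL from the database and export it as DER (trusted/crl).
issue_crl() {
  openssl ca -config "$WORK/ca.cnf" -gencrl -out "$WORK/ca.crl.pem"
  openssl crl -in "$WORK/ca.crl.pem" -outform der -out "$WORK/ca.crl"
}

# Client application instance certificate: OPC UA expects a URI SAN equal to
# the client's ApplicationUri plus signing/encryption key usage.
make_client() {
  cat > "$WORK/client.ext" <<EOF
basicConstraints=CA:FALSE
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer
keyUsage=critical,digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
extendedKeyUsage=clientAuth,serverAuth
subjectAltName=URI:urn:demo:opcua:client,DNS:client.demo.local
EOF
  openssl req -new -config "$WORK/req.cnf" -newkey rsa:2048 -nodes \
    -keyout "$WORK/client.key" -out "$WORK/client.csr" \
    -subj "/O=Demo Org/CN=Demo OPC UA Client"
  openssl x509 -req -in "$WORK/client.csr" -CA "$WORK/ca.pem" \
    -CAkey "$WORK/ca.key" -CAcreateserial -days 365 -sha256 \
    -extfile "$WORK/client.ext" -out "$WORK/client.pem"
  openssl x509 -in "$WORK/client.pem" -outform der -out "$WORK/client.der"
}

# verify_client CA.der CA.crl CLIENT.der: 0 only if the chain builds to the CA
# and the CRL (required, must be current) does not list the client.
verify_client() {
  openssl x509 -inform der -in "$1" -out "$WORK/v_ca.pem"
  openssl crl -inform der -in "$2" -out "$WORK/v_crl.pem"
  openssl x509 -inform der -in "$3" -out "$WORK/v_client.pem"
  openssl verify -crl_check -CAfile "$WORK/v_ca.pem" \
    -CRLfile "$WORK/v_crl.pem" "$WORK/v_client.pem"
}

# has_app_uri CLIENT.der: 0 if the certificate carries a URI SAN at all.
has_app_uri() {
  openssl x509 -inform der -in "$1" -noout -text | grep -q 'URI:'
}

revoke_client() {
  openssl ca -config "$WORK/ca.cnf" -revoke "$WORK/client.pem"
  issue_crl
}

# Positive case, then the revoked case; returns 0 when both behave as expected.
run_scenario() {
  make_ca
  make_client
  verify_client "$WORK/ca.der" "$WORK/ca.crl" "$WORK/client.der" \
    || { echo "FAIL: fresh client rejected"; return 1; }
  has_app_uri "$WORK/client.der" || { echo "FAIL: client has no URI SAN"; return 1; }
  revoke_client
  if verify_client "$WORK/ca.der" "$WORK/ca.crl" "$WORK/client.der"; then
    echo "FAIL: revoked client still accepted"; return 1
  fi
  echo "trust store validates the client and rejects it once revoked"
}

run_scenario
```

Pointing verify_client at the real ca.der, the real .crl and the real client .der from the store is the useful variant: openssl verify prints the concrete reason (for example "unable to get certificate CRL" when the CRL does not match the CA's key identifier, or "certificate revoked"), which the server only reports back as BadSecurityChecksFailed. If openssl accepts the chain but the server still refuses it, the remaining suspects are the OPC UA-specific checks the SDK adds on top (the URI SAN against the client's ApplicationUri, and the key usage and extended key usage bits), which has_app_uri only partially covers.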