Issues when connecting with CA-signed certificate

Questions regarding the use of the C++ SDK for Server or Client development or integration into customer products ...

Moderator: uasdkcpp

Rwwv9
Jr. Member
Posts: 2
Joined: 26 Apr 2022, 16:01

Issues when connecting with CA-signed certificate

Post by Rwwv9 »

Hi all,

I am having issues connecting to the C++-based OPC UA SDK server when using a CA-signed certificate for the client. The channel is closed by the server with a BadSecurityChecksFailed error. As a client, I use the reference implementation from the OPC Foundation (.NET SDK).

I have put the CA certificate in the "trusted/certs/" folder and the CRL in the "trusted/crl/" folder. Disabling all security checks in the "SecurityCheckOverwrites" config section didn't help either. Only when setting "AutomaticallyTrustAllClientCertificates" to "true" can I connect (but I don't want to automatically trust all clients).

Here is a detailed view of the CA certificate. Due to the message length restriction, the client certificate is in the next post.

> openssl x509 -inform der -text -in ca.der

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            79:93:8e:4d:1b:3c:b7:8c:f8:51:80:f7:56:b3:ab:c2:e5:e9:ae:14
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: O = OPC Foundation, CN = IOP-2018 CA
        Validity
            Not Before: Feb 15 15:18:00 2022 GMT
            Not After : Feb 13 15:18:00 2032 GMT
        Subject: O = OPC Foundation, CN = IOP-2018 CA
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (4096 bit)
                Modulus:
                    [OMITTED DUE TO MSG LENGTH RESTRICTION]
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                8B:4A:FD:F9:40:66:C9:DB:19:A6:7B:31:50:A3:AC:38:AF:8A:5E:87
            X509v3 Authority Key Identifier:
                keyid:8B:4A:FD:F9:40:66:C9:DB:19:A6:7B:31:50:A3:AC:38:AF:8A:5E:87

            X509v3 Basic Constraints: critical
                CA:TRUE
            X509v3 Key Usage: critical
                Digital Signature, Certificate Sign, CRL Sign
    Signature Algorithm: sha256WithRSAEncryption
           [...]

> openssl crl -inform der -in ca.crl -text

Certificate Revocation List (CRL):
        Version 2 (0x1)
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: O = OPC Foundation, CN = IOP-2018 CA
        Last Update: Feb 15 15:18:00 2022 GMT
        Next Update: Feb 13 15:18:00 2032 GMT
        CRL extensions:
            X509v3 Authority Key Identifier:
                keyid:8B:4A:FD:F9:40:66:C9:DB:19:A6:7B:31:50:A3:AC:38:AF:8A:5E:87

            X509v3 CRL Number:
                1
No Revoked Certificates.
    Signature Algorithm: sha256WithRSAEncryption
           [...]

Do you have an idea why the client certificate check fails?

Best regards

Last edited by Rwwv9 on 27 Apr 2022, 08:22, edited 1 time in total.

Rwwv9
Jr. Member
Posts: 2
Joined: 26 Apr 2022, 16:01

Re: Issues when connecting with CA-signed certificate

Post by Rwwv9 »

Due to the message length restriction, I couldn't include the client certificate in the previous message. Here is the client cert:

> openssl x509 -inform der -in client.der -text

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            41:bc:88:dd:ad:ba:e4:a4:90:15
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: O = OPC Foundation, CN = IOP-2018 CA
        Validity
            Not Before: Apr 25 00:00:00 2022 GMT
            Not After : Apr 25 00:00:00 2024 GMT
        Subject: DC = deployment-649dd48844-s7bpk, O = Organization, CN = OPC-UA-Custodian
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (2048 bit)
                Modulus:
                    [OMITTED DUE TO MSG LENGTH RESTRICTION]
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Subject Key Identifier:
                84:12:22:56:A8:9F:21:B4:83:6C:B0:25:E9:10:D8:BE:D1:C0:BA:17
            X509v3 Authority Key Identifier:
                keyid:8B:4A:FD:F9:40:66:C9:DB:19:A6:7B:31:50:A3:AC:38:AF:8A:5E:87
                DirName:/O=OPC Foundation/CN=IOP-2018 CA
                serial:79:93:8E:4D:1B:3C:B7:8C:F8:51:80:F7:56:B3:AB:C2:E5:E9:AE:14

            X509v3 Key Usage: critical
                Digital Signature, Non Repudiation, Key Encipherment, Data Encipherment
            X509v3 Extended Key Usage: critical
                TLS Web Server Authentication, TLS Web Client Authentication
            X509v3 Subject Alternative Name:
                URI:urn:deployment-649dd48844-s7bpk:OPC-UA-Custodian, DNS:deployment-649dd48844-s7bpk
    Signature Algorithm: sha256WithRSAEncryption
           [...]
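The kinds of checks an OPC UA server applies to a client certificate before it accepts the secure channel (trust chain against the CA in trusted/certs, revocation against the CRL in trusted/crl, key usages, application URI in the SAN), as an added diagnostic script that is not code from the SDK or from the OPC Foundation: it builds a constructed throw-away CA, CRL and client certificates (the file names and the demo URI are assumptions) and runs the checks with the openssl CLI against a valid, a revoked and a never-issued certificate. It assumes openssl is on PATH.

```shell
#!/bin/sh
# Added diagnostic (not SDK or OPC Foundation code): runs, with the openssl CLI, the checks an
# OPC UA server applies to a client certificate: chain against the CA in trusted/certs,
# revocation against the CRL in trusted/crl, key usages, and an application URI in the SAN.
set -e; cd "$(mktemp -d)"

# check_client_cert CA.pem CRL.pem CLIENT.pem -> prints "ok" or the first failed check
check_client_cert() {
  cat "$1" "$2" > bundle.pem        # trust anchor plus its CRL, like trusted/certs + trusted/crl
  if ! openssl verify -crl_check -CAfile bundle.pem "$3" >/dev/null 2>verify.err; then
    sed -n 's/.*lookup: /  reason: /p' verify.err >&2
    echo "chain or CRL check failed"; return 1
  fi
  txt=$(openssl x509 -in "$3" -noout -text)
  echo "$txt" | grep -A1 'Subject Alternative Name' | grep -q 'URI:' || { echo "no application URI in SAN"; return 1; }
  echo "$txt" | grep -A1 'X509v3 Key Usage' | grep -q 'Digital Signature' || { echo "keyUsage lacks digitalSignature"; return 1; }
  echo "$txt" | grep -A1 'Extended Key Usage' | grep -q 'TLS Web Client Auth' || { echo "EKU lacks clientAuth"; return 1; }
  echo ok
}

make_demo_pki() {   # constructed throw-away CA, CRL and client certificates; not the poster's
  cat > demo.cnf <<'EOF'
[req]
distinguished_name = dn
x509_extensions = ca_ext
[dn]
[ca_ext]
basicConstraints = critical,CA:TRUE
[client_ext]
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
extendedKeyUsage = critical,serverAuth,clientAuth
subjectAltName = URI:urn:demo-host:OPC-UA-Client,DNS:demo-host
[demo_ca]
database = index.txt
certificate = ca.pem
private_key = ca.key
default_md = sha256
EOF
  openssl req -x509 -config demo.cnf -newkey rsa:2048 -nodes -days 1 -subj '/O=Demo/CN=Demo CA' -keyout ca.key -out ca.pem 2>/dev/null
  for n in good revoked; do         # two CA-issued client certificates; the second is revoked below
    openssl req -new -config demo.cnf -newkey rsa:2048 -nodes -subj "/O=Demo/CN=$n" -keyout $n.key -out $n.csr 2>/dev/null
    openssl x509 -req -in $n.csr -CA ca.pem -CAkey ca.key -CAcreateserial -days 1 -extfile demo.cnf -extensions client_ext -out $n.pem 2>/dev/null
  done
  : > index.txt; openssl ca -config demo.cnf -name demo_ca -revoke revoked.pem 2>/dev/null
  openssl ca -config demo.cnf -name demo_ca -gencrl -crldays 1 -out ca.crl.pem 2>/dev/null
  openssl req -x509 -config demo.cnf -newkey rsa:2048 -nodes -days 1 -subj '/O=Other/CN=stray' -keyout stray.key -out stray.pem 2>/dev/null
}
make_demo_pki
for c in good revoked stray; do echo "$c.pem: $(check_client_cert ca.pem ca.crl.pem $c.pem)"; done
```

To run the same check against the real files from the posts, convert them first with `openssl x509 -inform der -in ca.der -out ca.pem`, `openssl crl -inform der -in ca.crl -out ca.crl.pem` and `openssl x509 -inform der -in client.der -out client.pem`.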
