Update Server Certificate
Moderator: uasdkcpp
-
- Sr. Member
- Posts: 12
- Joined: 02 Mar 2023, 13:41
Update Server Certificate
I have a question regarding a certificate update of the OPC UA server.
When the certificate of an endpoint, stored in an OpenSSL store, is changed (e.g. it will expire soon), does the UaServerApplication handle this on its own, or do I have to call UaEndpoint::loadCertificate() for every endpoint?
Or do I have to do something completely different?
Kind regards,
Thomas
-
- Sr. Member
- Posts: 12
- Joined: 02 Mar 2023, 13:41
Re: Update Server Certificate
Hi,
do you have any advice for me?
Kind regards,
Thomas
- Support Team
- Hero Member
- Posts: 3078
- Joined: 18 Mar 2011, 15:09
Re: Update Server Certificate
You can use methods provided on the UaServerApplication for that purpose.
The sequence is:
- pauseUaServer()
- exchange the server certificate and private key in the OpenSSL file store
- restartUaServer()
That will keep all sessions and subscriptions running and just restart all endpoints. So a client will get a short interruption, create a new SecureChannel and continue to work on the existing session.
Best regards
Unified Automation Support Team
-
- Sr. Member
- Posts: 12
- Joined: 02 Mar 2023, 13:41
Re: Update Server Certificate
Hi,
I've tried to implement this.
To verify the result I added a log message to my client that prints out the thumbprint of the ServerCertificate as follows:
Code:
uaSession = new UaSession();
...
UaPkiCertificate::fromDER(uaSession->serverCertificate()).thumbPrint();
My test goes as follows:
1. I exchange certificate and private key files on the HDD
2. pauseUaServer()
3. restartUaServer()
I can't pause the server first, then update the files and then restart it, because the certificate is issued by an external process.
But the printed thumbPrint() is still the one of the previous certificate. When I restart my OPC UA server application, the printed thumbprint is the one of the new certificate.
Do I have to exchange the certificate and key programmatically? But I can't find a way to do this...
I'm testing with version 1.8.1.
- Support Team
- Hero Member
- Posts: 3078
- Joined: 18 Mar 2011, 15:09
Re: Update Server Certificate
Hello Thomas,
"But the printed thumbPrint() is still the one of the previous certificate"
Is that the state after restarting the server with pauseUaServer() and restartUaServer()?
Best regards
Unified Automation Support Team
-
- Sr. Member
- Posts: 12
- Joined: 02 Mar 2023, 13:41
Re: Update Server Certificate
Yes
My next plan is to write a minimal reproducer. But I haven't done it yet.
Do you have a working example?
-
- Sr. Member
- Posts: 12
- Joined: 02 Mar 2023, 13:41
Re: Update Server Certificate
I now have a minimal example with which I can reproduce my Problem. It is based on the examples from the SDK. Am I allowed to post my complete server and client code here?
- Support Team
- Hero Member
- Posts: 3078
- Joined: 18 Mar 2011, 15:09
Re: Update Server Certificate
Hello Thomas,
sharing / exchanging code here is not really nice to handle. Can you please open a support request for that issue (https://webdav.unifiedautomation.com/support/support_form.html). We can then share the results / insight here.
Best regards
Unified Automation Support Team
-
- Sr. Member
- Posts: 12
- Joined: 02 Mar 2023, 13:41
Re: Update Server Certificate
Thanks for your response to my support request.
The following code snippet is working, where pServer is the UaServerApplication:
Code:
// Stop the endpoints; sessions and subscriptions stay alive.
pServer->pauseUaServer();
// Mark the certificate of every endpoint as not loaded, so the restart
// reads the exchanged certificate and key from the OpenSSL file store.
for (int i = 0;; i++) {
    UaEndpoint *ep = pServer->getEndpoint(i);
    if (ep == NULL) break;
    ep->pEndpointCertificateSettings()->m_isCertificateLoaded = false;
}
// Restart the endpoints with the new certificate.
pServer->restartUaServer();
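A self-contained C++ model of the rotation sequence and the thumbprint check from this thread, added here as an illustration; it is not code from the SDK or from any post above. `Endpoint`, `ServerApp`, `FileStore`, `rotateCertificate` and the file path are hypothetical stand-ins for UaEndpoint, UaServerApplication and the OpenSSL file store, the thumbprint uses an FNV-1a hash in place of the SHA-1 thumbprint that UaPkiCertificate::thumbPrint() returns, and the certificate bytes are constructed. It shows why pause/restart alone keeps serving the old certificate (a set loaded flag short-circuits the reload) and how comparing the served thumbprint against the certificate in the store verifies that the rotation took effect.

```cpp
#include <cstdint>
#include <cstdio>
#include <map>
#include <string>
#include <vector>

// Stand-in for the OPC UA certificate thumbprint (in the SDK:
// UaPkiCertificate::fromDER(...).thumbPrint(), the SHA-1 of the DER bytes).
// A 64-bit FNV-1a hash keeps this example free of crypto dependencies.
std::string thumbprintOf(const std::vector<uint8_t>& der) {
    uint64_t h = 1469598103934665603ULL;
    for (uint8_t b : der) {
        h ^= b;
        h *= 1099511628211ULL;
    }
    char buf[17];
    std::snprintf(buf, sizeof buf, "%016llx", static_cast<unsigned long long>(h));
    return std::string(buf);
}

// Constructed model of the OpenSSL file store: path -> DER bytes.
using FileStore = std::map<std::string, std::vector<uint8_t>>;

// Hypothetical model of one endpoint. isCertificateLoaded plays the role of
// m_isCertificateLoaded from the thread: once set, the cached certificate is
// kept and the store is not read again.
struct Endpoint {
    std::string certPath;
    bool isCertificateLoaded = false;
    std::vector<uint8_t> loadedCert;

    // Reads the store only if nothing is cached yet; this is what makes a
    // plain pause/restart keep serving the old certificate.
    void loadCertificate(const FileStore& store) {
        if (isCertificateLoaded) return;
        loadedCert = store.at(certPath);
        isCertificateLoaded = true;
    }
    std::string thumbPrint() const { return thumbprintOf(loadedCert); }
};

// Hypothetical model of the server application: endpoints (re)load their
// certificate settings whenever the server (re)starts.
struct ServerApp {
    FileStore store;
    std::vector<Endpoint> endpoints;
    void startUaServer()   { for (auto& ep : endpoints) ep.loadCertificate(store); }
    void pauseUaServer()   { /* sessions and subscriptions stay alive; endpoints stop */ }
    void restartUaServer() { startUaServer(); }
};

// The rotation sequence from the thread. resetLoadedFlag == false is the
// pause/restart-only sequence that did not work; true adds the flag reset.
void rotateCertificate(ServerApp& server, bool resetLoadedFlag) {
    server.pauseUaServer();
    if (resetLoadedFlag) {
        for (auto& ep : server.endpoints) ep.isCertificateLoaded = false;
    }
    server.restartUaServer();
}

// The verification check from the thread: every endpoint must serve the
// thumbprint of the certificate that is now in the store.
bool allEndpointsServe(const ServerApp& server, const std::string& expected) {
    for (const auto& ep : server.endpoints) {
        if (ep.thumbPrint() != expected) return false;
    }
    return !server.endpoints.empty();
}

// Runs the whole scenario and reports whether the new certificate went live.
bool runRotation(bool resetLoadedFlag) {
    const std::string path = "pki/own/certs/server.der";                       // hypothetical path
    const std::vector<uint8_t> oldCert = {0x30, 0x82, 0x01, 0x00, 'o', 'l', 'd'}; // constructed
    const std::vector<uint8_t> newCert = {0x30, 0x82, 0x01, 0x00, 'n', 'e', 'w'}; // constructed

    ServerApp server;
    server.store[path] = oldCert;
    for (int i = 0; i < 2; ++i) {
        Endpoint ep;
        ep.certPath = path;
        server.endpoints.push_back(ep);
    }
    server.startUaServer();

    // The external issuing process replaces the files while the server runs.
    server.store[path] = newCert;
    rotateCertificate(server, resetLoadedFlag);
    return allEndpointsServe(server, thumbprintOf(newCert));
}

int main() {
    std::printf("pause/restart only: %s\n", runRotation(false) ? "new cert live" : "old cert still served");
    std::printf("with flag reset:    %s\n", runRotation(true) ? "new cert live" : "old cert still served");
    return 0;
}
```

The same comparison is worth keeping as a post-rotation check in a real deployment: compute the thumbprint of the certificate file that was just written, connect with a client, and compare it against `UaPkiCertificate::fromDER(session->serverCertificate()).thumbPrint()`; a mismatch means an endpoint is still serving the cached certificate.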