Update Server Certificate

Posted: 11 Apr 2023, 08:30
by ThomasZ
I have a question regarding a certificate update of the OpcUa Server.

When the certificate of an endpoint, stored in an OpenSSL store, is changed (e.g. it will expire soon), does the UaServerApplication handle this on its own or do I have to call UaEndpoint::loadCertificate() for every endpoint?
Or do I have to do something completely different?

Kind regards,
Thomas

Re: Update Server Certificate

Posted: 26 Jul 2023, 12:52
by ThomasZ
Hi,
do you have any advice for me?

Kind regards,
Thomas

Re: Update Server Certificate

Posted: 26 Jul 2023, 15:25
by Support Team
You can use methods provided on the UaServerApplication for that purpose.
The sequence is:
- pauseUaServer()
- exchange the server certificate and private key in the OpenSSL file store
- restartUaServer()

That will keep all sessions and subscriptions running and just restart all Endpoints. So a client will get a short interruption, create a new SecureChannel and continue to work on the existing session.

Re: Update Server Certificate

Posted: 15 Aug 2023, 08:49
by ThomasZ
Hi,
I've tried to implement this.
To verify the result I added a log message to my client that prints out the thumbprint of the ServerCertificate as follows:

uaSession = new UaSession();
...
// Thumbprint of the certificate the server presented for this session
UaPkiCertificate::fromDER(uaSession->serverCertificate()).thumbPrint();
My test goes as follows:
1. I exchange certificate and private key files on the HDD
2. pauseUaServer()
3. restartUaServer()

I can't pause the server first, then update the files and then restart it, as the certificate is issued by an external process.

But the printed thumbPrint() is still the one of the previous certificate. When I restart my OPC UA server application, the printed thumbprint is the one of the new certificate.

Do I have to exchange the certificate and key programmatically? But I can't find a way to do this...
I'm testing with version 1.8.1.

Re: Update Server Certificate

Posted: 26 Sep 2023, 09:19
by Support Team
Hello Thomas,
But the printed thumbPrint() is still the one of the previous certificate
Is that the state after restarting the server with pauseUaServer() and restartUaServer()?

Re: Update Server Certificate

Posted: 26 Sep 2023, 09:29
by ThomasZ
Yes

My next plan is to write a minimal reproducer. But I haven't done it yet.

Do you have a working example?

Re: Update Server Certificate

Posted: 30 Oct 2023, 15:43
by ThomasZ
I now have a minimal example with which I can reproduce my problem. It is based on the examples from the SDK. Am I allowed to post my complete server and client code here?

Re: Update Server Certificate

Posted: 06 Nov 2023, 17:21
by Support Team
Hello Thomas,

sharing / exchanging code here is not really nice to handle. Can you please open a support request for that issue (https://webdav.unifiedautomation.com/support/support_form.html)? We can then share the results / insight here.

Re: Update Server Certificate

Posted: 10 Nov 2023, 09:17
by ThomasZ
Thanks for your response to my support request.

The following code snippet is working:

pServer->pauseUaServer();
// Mark the certificate of every endpoint as not loaded, so that the restart
// re-reads the new certificate and private key from the OpenSSL file store
for (int i = 0;; i++) {
    UaEndpoint *ep = pServer->getEndpoint(i);
    if (ep == NULL) break;
    ep->pEndpointCertificateSettings()->m_isCertificateLoaded = false;
}
pServer->restartUaServer();
Where pServer is the UaServerApplication.