Update Server Certificate

Questions regarding the use of the C++ SDK for Server or Client development or integration into customer products ...

Moderator: uasdkcpp

ThomasZ
Sr. Member
Posts: 12
Joined: 02 Mar 2023, 13:41

Update Server Certificate

Post by ThomasZ »

I have a question regarding a certificate update of the OPC UA Server.

When the certificate of an endpoint, stored in an OpenSSL store, is changed (e.g. it will expire soon), does the UaServerApplication handle this on its own or do I have to call UaEndpoint::loadCertificate() for every endpoint?
Or do I have to do something completely different?

Kind regards,
Thomas

ThomasZ
Sr. Member
Posts: 12
Joined: 02 Mar 2023, 13:41

Re: Update Server Certificate

Post by ThomasZ »

Hi,
do you have any advice for me?

Kind regards,
Thomas

Support Team
Hero Member
Posts: 3064
Joined: 18 Mar 2011, 15:09

Re: Update Server Certificate

Post by Support Team »

You can use methods provided on the UaServerApplication for that purpose.
The sequence is:
- pauseUaServer()
- exchange the server certificate and private key in the OpenSSL file store
- restartUaServer()

That will keep all sessions and subscriptions running and just restart all Endpoints. So a client will get a short interruption, create a new SecureChannel and continue to work on the existing session.
Best regards
Unified Automation Support Team

ThomasZ
Sr. Member
Posts: 12
Joined: 02 Mar 2023, 13:41

Re: Update Server Certificate

Post by ThomasZ »

Hi,
I've tried to implement this.
To verify the result I added a log message to my client that prints out the thumbprint of the ServerCertificate as follows:

uaSession = new UaSession();
...
// Thumbprint of the certificate the server presented for this session
UaPkiCertificate::fromDER(uaSession->serverCertificate()).thumbPrint();
My test goes as follows:
1. I exchange certificate and private key files on the HDD
2. pauseUaServer()
3. restartUaServer()

I can't pause the server first, then update the files and then restart it, as the certificate is issued by an external process.

But the printed thumbPrint() is still the one of the previous certificate. When I restart my OPC UA server application, the printed thumbprint is the one of the new certificate.

Do I have to exchange the certificate and key programmatically? But I can't find a way to do this...
I'm testing with version 1.8.1.

Support Team
Hero Member
Posts: 3064
Joined: 18 Mar 2011, 15:09

Re: Update Server Certificate

Post by Support Team »

Hello Thomas,
"But the printed thumbPrint() is still the one of the previous certificate"
Is that the state after restarting the server with pauseUaServer() and restartUaServer()?
Best regards
Unified Automation Support Team

ThomasZ
Sr. Member
Posts: 12
Joined: 02 Mar 2023, 13:41

Re: Update Server Certificate

Post by ThomasZ »

Yes

My next plan is to write a minimal reproducer. But I haven't done it yet.

Do you have a working example?

ThomasZ
Sr. Member
Posts: 12
Joined: 02 Mar 2023, 13:41

Re: Update Server Certificate

Post by ThomasZ »

I now have a minimal example with which I can reproduce my problem. It is based on the examples from the SDK. Am I allowed to post my complete server and client code here?

Support Team
Hero Member
Posts: 3064
Joined: 18 Mar 2011, 15:09

Re: Update Server Certificate

Post by Support Team »

Hello Thomas,

Sharing / exchanging code here is not really nice to handle. Can you please open a support request for that issue (https://webdav.unifiedautomation.com/support/support_form.html)? We can then share the results / insight here.
Best regards
Unified Automation Support Team

ThomasZ
Sr. Member
Posts: 12
Joined: 02 Mar 2023, 13:41

Re: Update Server Certificate

Post by ThomasZ »

Thanks for your response to my support request.

The following code snippet is working:

pServer->pauseUaServer();
// Mark every endpoint's certificate as not loaded, so the restart
// re-reads the (already exchanged) certificate and key from the store
for (int i = 0;; i++) {
       UaEndpoint *ep = pServer->getEndpoint(i);
       if (ep == NULL) break;
       ep->pEndpointCertificateSettings()->m_isCertificateLoaded = false;
}
pServer->restartUaServer();
Where pServer is the UaServerApplication.
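As an added example (not code from this thread or from the Unified Automation SDK), here is the verification step Thomas describes, generalized into a small Python check: it computes the OPC UA thumbprint of a server certificate (the SHA-1 of its DER encoding), after first validating that the blob is one complete DER SEQUENCE, and compares the thumbprints observed before and after the pause/restart to confirm the rotation actually took effect. The two DER blobs below are constructed placeholders, not real certificates; in practice the bytes would be the ones returned by serverCertificate() on the client session.

```python
import hashlib


def der_sequence_length(der: bytes) -> int:
    """Validate that `der` is exactly one DER SEQUENCE and return its total length.

    Raises ValueError on anything that is not a single, complete SEQUENCE,
    which catches truncated or concatenated certificate blobs before hashing.
    """
    if len(der) < 2 or der[0] != 0x30:
        raise ValueError("not a DER SEQUENCE (expected tag 0x30)")
    first = der[1]
    if first < 0x80:                      # short-form length
        header, length = 2, first
    else:                                 # long-form length: 0x8N + N length bytes
        n = first & 0x7F
        if n == 0 or n > 4 or len(der) < 2 + n:
            raise ValueError("malformed DER length")
        header = 2 + n
        length = int.from_bytes(der[2:2 + n], "big")
    total = header + length
    if total != len(der):
        raise ValueError(f"DER length mismatch: header says {total}, got {len(der)}")
    return total


def thumbprint(der: bytes) -> str:
    """OPC UA certificate thumbprint: SHA-1 over the DER encoding, upper-case hex."""
    der_sequence_length(der)
    return hashlib.sha1(der).hexdigest().upper()


def certificate_rotated(before_der: bytes, after_der: bytes) -> bool:
    """True if the thumbprint seen after pause/restart differs from the one before."""
    return thumbprint(before_der) != thumbprint(after_der)


# Constructed stand-ins for the old and new server certificate (NOT real X.509 data):
# OLD uses a short-form length, NEW a long-form length, to exercise both DER paths.
OLD_CERT_DER = b"\x30\x05" + b"\x02\x03\x01\x02\x03"                 # SEQUENCE { INTEGER }
_NEW_INNER = b"\x04\x81\x80" + b"\xAB" * 128                         # OCTET STRING, 131 bytes
NEW_CERT_DER = b"\x30\x81\x83" + _NEW_INNER                          # SEQUENCE, 134 bytes total


if __name__ == "__main__":
    print("before:", thumbprint(OLD_CERT_DER))
    print("after: ", thumbprint(NEW_CERT_DER))
    print("rotated:", certificate_rotated(OLD_CERT_DER, NEW_CERT_DER))
```

A thumbprint that is unchanged after restartUaServer(), as in the report above, means the endpoint is still serving the cached certificate; a changed thumbprint confirms the new file-store contents were picked up. Comparing the thumbprint rather than the raw DER also matches what the client would later see in the server's certificate-related diagnostics.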
