Why error "ExtendedKeyUsage of the server certificate does not contain TLS Web Server authentication"

Questions regarding the use of the C++ SDK for Server or Client development or integration into customer products ...

Moderator: uasdkcpp

franck.etienne
Sr. Member
Posts: 16
Joined: 01 Jun 2016, 13:08

Post by franck.etienne »

Hi,
We generate with our CA the private/public keys, X.509 certificates and a CRL for our OPC UA server and also for UaExpert.
The server allows only the Basic256Sha256 SecurityPolicy.
We also use a "normal" certificate to identify the client against the server.

But when we connect from UaExpert, we have an issue:
"ExtendedKeyUsage of the server certificate does not contain TLS Web Server authentication": see snapshot.
C:\Users\FR21699\Downloads\TLSIssue-1.png

On UaExpert we must validate with "ignore", as in the snapshot.
Why is it necessary to activate TLS Web Server authentication in the server certificate key usage in our case?
Thanks for your response.

=> can't add the snapshot easily :-(

Support Team
Hero Member
Posts: 3072
Joined: 18 Mar 2011, 15:09

Re: Why error "ExtendedKeyUsage of the server certificate does not contain TLS Web Server authentication"

Post by Support Team »

Hi,

the extended key usage is mandatory in OPC UA. Any UA Server's certificate must have the "server usage" flag (and can have client usage in addition). And every UA Client's certificate must have the "client usage" flag in the extended key usage (and can have the server flag in addition, in case the client is both client and server at the same time, e.g. a gateway or an aggregating server).

Now if UaExpert connects to a server and the server's cert says "this cert is for client usage only", or the cert does not have the extended key usage flag set at all, UaExpert correctly reports the potential issue to the user.
Best regards
Unified Automation Support Team

franck.etienne
Sr. Member
Posts: 16
Joined: 01 Jun 2016, 13:08

Re: Why error "ExtendedKeyUsage of the server certificate does not contain TLS Web Server authentication"

Post by franck.etienne »

Thanks for your response, but we added the following key usages in our server certificate: Digital signature, Key encipherment, Data encipherment, Key agreement and Certificate signature.

I want to know why TLS Web Server is required while we only use the policy Basic256Sha256?

Support Team
Hero Member
Posts: 3072
Joined: 18 Mar 2011, 15:09

Re: Why error "ExtendedKeyUsage of the server certificate does not contain TLS Web Server authentication"

Post by Support Team »

Hi,

there is nothing like "TLS Web Server authentication"; this sounds like some arbitrary tool has given the "Enhanced Key Usage" some name, but it is not what OPC UA has defined and is looking for. Make sure you create the correct key usage, conformant to the specification. The easiest way is using our SDK:
  • Server Authentication (1.3.6.1.5.5.7.3.1)
  • Client Authentication (1.3.6.1.5.5.7.3.2)
Your application can have either one or both.
Best regards
Unified Automation Support Team
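The two replies above describe the rule (server certificates need serverAuth, client certificates need clientAuth, either may carry both) and name the OIDs. The following script is an added example, not code from the forum post or from the Unified Automation SDK: it creates a self-signed OPC UA application instance certificate with OpenSSL whose extendedKeyUsage carries those OIDs, then checks the certificate the way UaExpert does. One practical detail worth knowing when reading the UaExpert message: OpenSSL's text output displays OID 1.3.6.1.5.5.7.3.1 (serverAuth) as "TLS Web Server Authentication" and 1.3.6.1.5.5.7.3.2 (clientAuth) as "TLS Web Client Authentication", so the name in the error and the OIDs in the reply refer to the same extension. The subject names and application URIs in the demo are made up, and the keyUsage bits and subjectAltName URI are included as the other fields an OPC UA application instance certificate is expected to carry; only the openssl CLI is required.

```shell
#!/bin/sh
# Added example (not from the forum thread or the Unified Automation SDK):
# build an OPC UA application instance certificate with the spec's EKU OIDs
# and verify the flag a client like UaExpert looks for. Needs the openssl CLI.
set -eu

# Write an OpenSSL config and create key + self-signed cert under prefix $1.
#   $1 = output prefix ($1.cnf, $1.key and $1.pem are written)
#   $2 = subject CN, $3 = application URI (hypothetical values in the demo)
#   $4 = extendedKeyUsage list, e.g. "serverAuth,clientAuth" or "clientAuth"
make_opcua_cert() {
    prefix=$1; cn=$2; app_uri=$3; eku=$4
    cat > "$prefix.cnf" <<EOF
[ req ]
distinguished_name = dn
x509_extensions    = opcua
prompt             = no

[ dn ]
CN = $cn

[ opcua ]
basicConstraints     = critical, CA:FALSE
subjectKeyIdentifier = hash
# keyUsage bits expected for an OPC UA application instance certificate
keyUsage             = critical, digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
# serverAuth = 1.3.6.1.5.5.7.3.1, clientAuth = 1.3.6.1.5.5.7.3.2
extendedKeyUsage     = $eku
# OPC UA identifies the application by the URI entry of the SAN; hostnames go here too
subjectAltName       = URI:$app_uri, DNS:localhost
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
        -keyout "$prefix.key" -out "$prefix.pem" -config "$prefix.cnf" >/dev/null 2>&1
}

# OpenSSL prints 1.3.6.1.5.5.7.3.1 as "TLS Web Server Authentication" and
# 1.3.6.1.5.5.7.3.2 as "TLS Web Client Authentication" in `x509 -text`;
# the UaExpert warning quotes that same name. Exit status 0 = flag present.
has_server_auth() {
    openssl x509 -in "$1" -noout -text | grep -q 'TLS Web Server Authentication'
}
has_client_auth() {
    openssl x509 -in "$1" -noout -text | grep -q 'TLS Web Client Authentication'
}

# Demo: a server cert with both usages (a server that also acts as a client,
# e.g. a gateway) and a client-only cert, which a server must not present.
demo() {
    dir=$(mktemp -d)
    make_opcua_cert "$dir/server" "MyOpcUaServer" "urn:example.com:MyOpcUaServer" "serverAuth,clientAuth"
    make_opcua_cert "$dir/client" "UaExpert"      "urn:example.com:UaExpert"      "clientAuth"
    for c in server client; do
        printf '%s.pem EKU: ' "$c"
        openssl x509 -in "$dir/$c.pem" -noout -text | grep 'TLS Web' | sed 's/^ *//' \
            || echo '(no extendedKeyUsage extension at all)'
        has_server_auth "$dir/$c.pem" && echo "  -> accepted as OPC UA server certificate" \
                                      || echo "  -> rejected as server certificate: serverAuth missing"
    done
    rm -rf "$dir"
}
demo
```

Running it shows the server certificate listing both "TLS Web Server Authentication, TLS Web Client Authentication" and the client-only certificate being rejected for the server role, which is exactly the situation that produced the UaExpert warning in the first post. For a production deployment the same extension block goes into the CA's signing config (the `-extfile` / `-extensions` arguments of `openssl x509 -req` or `openssl ca`) instead of a self-signed request.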
