I am trying to connect to the UaGateway with the following encryption settings:
Basic256Sha256, SignAndEncrypt.
I am using various OPCUA Clients, here for example TwinCAT OPC UA Sample Client.
When connecting for the first time, the Clients certificate shows up in the UaGateway "certificates" section.
As I trust the certificate, the status of that certificate switches to "Trusted" and everything seems fine.
But then something weird happens when I connect the second time:
The same certificate shows up again as untrusted (in the "certificates" section), and I cannot connect.
Also, I cannot set it to trusted (again?). The error message is: "Could not move certificate (...) to the trusted directory."
When I check that directory, I see that this certificate file is located there correctly.
To note: with UaExpert, this does not happen. There, once trusted, a certificate does not appear again as untrusted.
Also, I didn't experience this problem with the prior version of UaGateway.
Please help me, I need to connect to the UaGateway with a third-party client!
Thank you very much in advance,
best regards
Christoph Bellmann
UaGateway V1.5.4 same certificate is trusted and untrusted
Re: UaGateway V1.5.4 same certificate is trusted and untrust
Hi Christoph,
First you should check the certificate; it seems that the UaGateway cannot uniquely identify the certificate, hence assumes that it is a "new" certificate (and adds it as "untrusted").
The certificate (content) may not comply with the OPC Foundation specification.
Best regards
Unified Automation Support Team
Re: UaGateway V1.5.4 same certificate is trusted and untrusted
Posting additional information for others who may run into this problem.
There is a known issue with Honeywell Experion R51x which results in this behaviour. The certificates generated by Experion do not include the 'Data Encipherment' key usage that they should. The workaround is to generate your own certificates.
Reference Honeywell Knowledge Article 000140857.
Re: UaGateway V1.5.4 same certificate is trusted and untrusted
Hi,
First, to clarify which "side" of the UaGateway we are talking about: the UaGateway has two sides, and each side has its own (separate) certificate store.
North Pole: the UaGateway is a UA Server. UaExpert and other clients connect to the north side of the UaGateway.
--> Certificate store is managed/controlled via "Administration Dialog" -> "Certificates" tab
(this is the one the originator of this thread talks about)
South Pole: the UaGateway is a UA Client, and connects to underlying servers located south of the gateway.
--> Certificate store is not visible; southbound certificates are "implicitly" trusted when first configuring the underlying connection to the particular server, using the "Configuration Tool".
The Configuration Tool has (similar to UaExpert) its own certificate store; however, this is just for the Configuration Tool itself and has nothing to do with the UaGateway application.
The reported issue on the "north pole" can have two reasons: firstly, it may be caused by insufficient rights on the hard drive ("could not move certificate"; move means copy and delete), but the "Administration Tool" should be started with elevated rights. Secondly, the certificate to be moved could not be uniquely identified, caused by its content. Because of this the UaGateway assumes, each time a connection is made, that this is some "new" client trying to connect on the north pole, hence it will quarantine the certificate again and again.
Solution: there have been multiple bugfixes to v1.5.4; you should update to the latest UaGateway immediately. Make sure that the certificate of the UA client connecting to the north pole complies with the OPC UA Specification, having all fields/content set correctly.
Best regards
Unified Automation Support Team
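Both replies in this thread point at the certificate content: the Honeywell note names the missing 'Data Encipherment' key usage, and the Support Team's answer asks for a certificate that "complies with the OPC UA Specification, having all fields/content set correctly". Those two things can be checked on a client certificate before it is ever presented to the gateway. The Go program below is an added example for this page; it is not part of the thread and is not Unified Automation, Honeywell or Beckhoff code. It parses a DER certificate with the Go standard library and reports which of the four keyUsage bits OPC UA Part 6 requires on an application instance certificate (digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment) are absent, and whether the subjectAltName carries an application URI. The self-signed certificates it generates are constructed test input, not UaGateway or Experion artifacts; the CommonName and the URI `urn:example:opcua:client` are placeholders.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net/url"
	"time"
)

// keyUsageBits maps the keyUsage bits that OPC UA Part 6 requires on an
// application instance certificate to their RFC 5280 names. Go names the
// nonRepudiation bit KeyUsageContentCommitment.
var keyUsageBits = []struct {
	bit  x509.KeyUsage
	name string
}{
	{x509.KeyUsageDigitalSignature, "digitalSignature"},
	{x509.KeyUsageContentCommitment, "nonRepudiation"},
	{x509.KeyUsageKeyEncipherment, "keyEncipherment"},
	{x509.KeyUsageDataEncipherment, "dataEncipherment"},
}

// OpcUaKeyUsage is the complete required set, useful when issuing your own
// client certificate as the Honeywell workaround suggests.
const OpcUaKeyUsage = x509.KeyUsageDigitalSignature | x509.KeyUsageContentCommitment |
	x509.KeyUsageKeyEncipherment | x509.KeyUsageDataEncipherment

// CheckApplicationCert lists the problems found in a parsed certificate: each
// missing keyUsage bit, and a missing application URI in subjectAltName.
// An empty slice means the inspected fields are as the specification expects.
func CheckApplicationCert(cert *x509.Certificate) []string {
	var problems []string
	for _, ku := range keyUsageBits {
		if cert.KeyUsage&ku.bit == 0 {
			problems = append(problems, "missing keyUsage "+ku.name)
		}
	}
	if len(cert.URIs) == 0 {
		problems = append(problems, "missing application URI in subjectAltName")
	}
	return problems
}

// CheckDER parses a DER-encoded certificate (the .der files found in an
// OPC UA PKI directory) and runs CheckApplicationCert on it.
func CheckDER(der []byte) ([]string, error) {
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, fmt.Errorf("parse certificate: %w", err)
	}
	return CheckApplicationCert(cert), nil
}

// MakeSelfSignedDER builds a throwaway self-signed RSA certificate in memory
// with the given keyUsage bits and application URI so the checker can be run
// offline. Constructed for this example only; the subject is a placeholder.
func MakeSelfSignedDER(keyUsage x509.KeyUsage, appURI string) ([]byte, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "ExampleOpcUaClient"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     keyUsage,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	if appURI != "" {
		u, err := url.Parse(appURI)
		if err != nil {
			return nil, err
		}
		tmpl.URIs = []*url.URL{u}
	}
	return x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
}

func main() {
	// Constructed samples: a certificate issued without dataEncipherment (the
	// defect described in the thread) next to one carrying every required bit.
	cases := map[string]x509.KeyUsage{
		"without dataEncipherment": OpcUaKeyUsage &^ x509.KeyUsageDataEncipherment,
		"complete":                 OpcUaKeyUsage,
	}
	for label, ku := range cases {
		der, err := MakeSelfSignedDER(ku, "urn:example:opcua:client")
		if err != nil {
			panic(err)
		}
		problems, err := CheckDER(der)
		if err != nil {
			panic(err)
		}
		fmt.Printf("%s: %d problem(s) %v\n", label, len(problems), problems)
	}
}
```

To check a real client certificate, read the .der file from the gateway's PKI directory with os.ReadFile and pass the bytes to CheckDER; a certificate that reports no problems here may still be rejected for other content reasons the gateway does not name, so treat the checker as a first filter rather than as the gateway's own validation logic.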