Does UaExpert not verify AICs using IssuerCerts?

tommys
Hero Member
Posts: 25
Joined: 03 Oct 2023, 16:42

Does UaExpert not verify AICs using IssuerCerts?

Post by tommys »

Hi,

I have an OPC UA Server which has an Application Instance Certificate that was issued and signed by a CA. The CA certificate has been added to UaExpert's IssuerCerts list in its Manage Certificate settings.

However, when UaExpert connects to the OPC UA Server it shows an Error: ok [BadCertificateUntrusted]!?

In the Certificate Chain box, the CA cert is shown on top and it is marked with a green checkbox. Under the CA cert in this chain list is the AIC shown with a red mark indicating an error. I thought UaExpert would use the CA cert to verify the AIC's signature and automatically trust it. However, that seems not to be the case!? Do I really have to add that AIC explicitly to UaExpert? Or is there a setting somewhere in UaExpert that I have to enable for UaExpert to verify AICs using certificate chains?

Regards,
/Tommy

Support Team
Hero Member
Posts: 3112
Joined: 18 Mar 2011, 15:09

Re: Does UaExpert not verify AICs using IssuerCerts?

Post by Support Team »

Hi,

To verify a chain the UaExpert will need 3 files (two public keys and one file).

1) the end-entity (typically transferred during GetEndpoints, during connection establishment)
--> must be "trusted" (located in "trusted/certs" store)

2) the CA PubKey which has signed the above end-entity (some servers can transfer it; if not, it must be copied)
--> must be "known but untrusted issuer" (located in "issuers/certs" store)

3) the CRL corresponding to the above CA (cannot be transferred during connection establishment, must copy manually)
--> must be "known issuer's CRL" (located in "issuers/crl")

In this case the end-entity is trusted, but the information to validate/complete chain is known (but untrusted).

Alternatively you can also "trust" the CA/CRL and in that case do not need to trust the end-entity explicitly; however, you will trust "anything" that was issued/signed by this CA.

To get this managed (automatically) the tool UaGDS exists in our download area, which is a CA in itself and (if supported by server and client) can sign and roll out the trust and revocation list of all managed applications.

Best regards
Unified Automation Support Team

tommys
Hero Member
Posts: 25
Joined: 03 Oct 2023, 16:42

Re: Does UaExpert not verify AICs using IssuerCerts?

Post by tommys »

Hi,

Regarding the first point (of the three you enumerated), the end-entity (AIC) cannot already be trusted, hence it is not located in the "trusted/certs" store, because we are now connecting to this "unknown" OPC UA server for the very first time!

When we receive the server's AIC during connection establishment we'd like to check its validity and verify its authenticity by checking its signature using a CA PubKey that we already have in our "issuers/certs" store.

If the AIC is successfully verified, the client is free to add the AIC to the "trusted/certs" store.

Are you saying that this is not how UaExpert works?

Do we really have to pre-configure UaExpert with the server's AIC!? That would be very awkward because when the server's AIC changes (because of a local network change, a new IP address for example) it is error-prone to rely on a manual update of the UaExpert's "trusted/certs" store with this new AIC! Instead of just relying on the CA verification...

Regards,
/Tommy

PS. Regarding your third point, the CA's CRL is used to check that the AIC has not been revoked, which is nice of course. However, in this particular case, the CA involved does not have a corresponding CRL. Therefore, the third point should be of no relevance (in this particular case).

Support Team
Hero Member
Posts: 3112
Joined: 18 Mar 2011, 15:09

Re: Does UaExpert not verify AICs using IssuerCerts?

Post by Support Team »

Hi,

In OPC UA it is "required" to have a CRL whenever using CA-signed certificates. If nothing was revoked yet, you must at least have an "empty" CRL.

And no, this is exactly how UaExpert works: if you have CA and CRL in the "issuers" (not trusted but available to verify the chain), UaExpert will get the "end-entity" during connection establishment, and will "ask" the user (pop-up window) to "trust" the end-entity, and when pressing the "Permanent Trust" button the AIC gets verified and finally stored in the "trusted" (UaExpert can verify because it has CA/CRL already in "issuers").

And of course you do NOT need to preconfigure the AIC; instead you trust on first use. When it changes you will be asked to "trust" again. However, if you want to "rely on CA verification" you can add the CA/CRL to the "trusted" (instead of to the "issuers"). When trusting the CA you will trust every AIC that is issued by this CA (and not revoked in the corresponding CRL).

If you want to "automatically" roll out CA-signed end-entity certificates and the Trust and Revocation List, you must use UaGDS.

Best regards
Unified Automation Support Team
