Unable to verify certificate chain (BadCertificateChainIncomplete)

Questions regarding the use of the UaExpert.

Moderator: uaexpert

asfdsfsa
Jr. Member
Posts: 2
Joined: 20 Oct 2025, 15:45

Unable to verify certificate chain (BadCertificateChainIncomplete)

Post by asfdsfsa »

I'm trying to validate a certificate provided by a PLC, but I get the BadCertificateChainIncomplete error when connecting.

The certificate chain is created using openssl: PLC, intermediate, root.

I have tried following
https://forum.unified-automation.com/viewtopic.php?t=8120
but my root and intermediate certificates are not shown in "Issuers" in the Certificate Store when imported into the folder. But the CRLs are shown.

If I import them in TLS Issuers they are shown.

The certificate works with FTPS and HTTPS, but I assume I'm missing something when configuring the root/intermediate.
Any ideas?

Support Team
Hero Member
Posts: 3325
Joined: 18 Mar 2011, 15:09

Re: Unable to verify certificate chain (BadCertificateChainIncomplete)

Post by Support Team »

Hi,

From your screenshot it seems that none of the (intermediate) certificates could be read. This could have many reasons; however, the most obvious is the encoding (file format). When being transferred over the wire during connection establishment, certificates are DER encoded. UaExpert is storing the received server certificates in DER format as well (this is always the case when UaExpert is storing the certs itself, however you are copying the certs by hand).

Note: In OPC UA only DER encoded certificates are being used. Please make sure that whatever you put into the file store is DER encoded (and named like that).
Best regards
Unified Automation Support Team

asfdsfsa
Jr. Member
Posts: 2
Joined: 20 Oct 2025, 15:45

Re: Unable to verify certificate chain (BadCertificateChainIncomplete)

Post by asfdsfsa »

Thanks!
That was what I was missing. My certificates were PEM encoded, so changing them with openssl worked.


openssl x509 -in CERT.pem -outform der -out CERT.der
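
As an added example (not part of the original posts, and not UaExpert code), this Python script checks a folder of certificate files for the encoding problem discussed above: it reports each file as PEM, DER or unknown and writes one DER file per PEM certificate, including each certificate in a multi-certificate PEM bundle. The output file naming and the function names are assumptions, and the sample bytes are a constructed DER stand-in rather than a real certificate.

```python
import base64
import re
import tempfile
from pathlib import Path

PEM_BLOCK = re.compile(
    rb"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.DOTALL)

# Constructed stand-in: a minimal DER SEQUENCE, not a real X.509 certificate.
SAMPLE_DER = bytes.fromhex("3003020105")

def to_pem(der: bytes) -> bytes:
    """Wrap DER bytes in PEM armor (used to build the constructed samples)."""
    body = base64.encodebytes(der)
    return b"-----BEGIN CERTIFICATE-----\n" + body + b"-----END CERTIFICATE-----\n"

def is_der(data: bytes) -> bool:
    """True if data is exactly one DER SEQUENCE (tag 0x30, length fills the file)."""
    if len(data) < 2 or data[0] != 0x30:
        return False
    if data[1] < 0x80:                      # short-form length
        header, length = 2, data[1]
    else:                                   # long form: low 7 bits = count of length bytes
        n = data[1] & 0x7F
        if n == 0 or len(data) < 2 + n:
            return False
        header, length = 2 + n, int.from_bytes(data[2:2 + n], "big")
    return header + length == len(data)

def pem_to_der(data: bytes) -> list[bytes]:
    """Decode every certificate in a PEM file; a chain bundle yields several."""
    return [base64.b64decode(b"".join(m.split())) for m in PEM_BLOCK.findall(data)]

def normalize_folder(folder: Path) -> dict[str, str]:
    """Classify each file and write one .der file per PEM certificate found."""
    report = {}
    for path in sorted(p for p in folder.iterdir() if p.is_file()):
        data = path.read_bytes()
        certs = pem_to_der(data)
        report[path.name] = "pem" if certs else "der" if is_der(data) else "unknown"
        for i, der in enumerate(certs):
            (folder / f"{path.stem}-{i}.der").write_bytes(der)
    return report

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        folder = Path(tmp)
        (folder / "root.der").write_bytes(SAMPLE_DER)
        (folder / "chain.pem").write_bytes(to_pem(SAMPLE_DER) * 2)
        print(normalize_folder(folder))
```

The original PEM files are left in place; only the generated `.der` files are new.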

Support Team
Hero Member
Posts: 3325
Joined: 18 Mar 2011, 15:09

Re: Unable to verify certificate chain (BadCertificateChainIncomplete)

Post by Support Team »

Hi,
perfect, glad that it works now, thanks for confirmation.
Best regards
Unified Automation Support Team
