Hi.
I'm trying to get UaExpert to talk with our OPC server. The server generates a self-signed DER certificate. I point UaExpert to that DER cert, and the PEM file. When I try to connect to the OPC server, I get this message from UaExpert:
Could not load private key for X509 user token from file 'C:/Users.../AppData/Roaming/unifiedautomation/uaexpert/PKI/trusted/certs/cert1.pem'
I'm creating the private key PEM file with openssl (in Windows) like this:
openssl x509 -inform der -in cert1.der -out cert1.pem
I stripped out the paths above for clarity.
I am new to cert-based authentication, so I may be missing something obvious. What am I missing?
Thanks
Don
private key for X509 user token
- Support Team
- Hero Member
- Posts: 3329
- Joined: 18 Mar 2011, 15:09
Re: private key for X509 user token
Hi,
> I point UaExpert to that DER cert, and the PEM file.
No, you don't need to point UaExpert anywhere, and you should never touch, copy or move any private key file !!!
In OPC UA the Client and the Server both have their own certificates (which typically is a pair of two key files, the private and the public). The OPC UA connection establishment will "exchange" the public key crosswise automatically to the peer. The private key will never be touched. In any case you don't need to "point" to anything.
When receiving the peer's public key during connection discovery automatically, there are two options: "quarantine" or "trust".
A good Client (like UaExpert) will pop up a window presenting the received server public certificate content to the user, and ask for "trust". So you don't need to touch, point, or copy anything.
The server side must do exactly the same, however it sometimes has no GUI to present the certificate content and no ability to ask the user for trust (e.g. a headless device like a PLC). For that reason it will typically "quarantine", which is storing the received client public cert in the "rejected" folder, and thereafter hope for somebody to check the content and "trust" it (e.g. via the engineering tool or configuration tool of the server). Some poor server implementations do not even have a configuration tool, therefore the unlucky user must copy the (already locally stored) file from the "rejected" to the "trusted" folder in the certificate store.
If you are trying to create certificates with OpenSSL on the command line you must make sure you fully understand all possible options. The certificate files must be DER encoded, and must have certain content (as specified in the OPC UA specification). A good OPC UA application (client or server) will have the ability to create its own certificate key pair itself (most, including all products of Unified Automation, do so automatically on the very first start up). There is no reason to even touch OpenSSL on the command line.
Best regards
Unified Automation Support Team
donsay00
- Jr. Member
- Posts: 2
- Joined: 13 Nov 2025, 22:57
Re: private key for X509 user token
Thanks for the reply. Maybe I didn't explain well.
My understanding is the client (uaexpert) needs the cert from the server, which our app creates and self-signs. So I have copied that from our server pc to the client uaexpert pc. When using cert authentication in uaexpert, it asks for the DER cert (I assume the one I copied from our server) and the private key file. I assume that is the private key from the server cert. When I say 'point', I simply mean I specify the location of the files.
I have also copied the cert generated by uaexpert to our server pc.
I don't know how to obtain the private key (PEM) file other than using openssl. And it is certainly possible that I am doing that incorrectly.
Do I have this correct?
Thanks.
- Support Team
- Hero Member
- Posts: 3329
- Joined: 18 Mar 2011, 15:09
Re: private key for X509 user token
Hi,
> So I have copied that from our server pc to the client uaexpert pc.
NO, there is no need to copy the certificate anywhere. Within "OPC UA" discovery and connection establishment, the certificate (the public key) of the communication peer will be transferred AUTOMATICALLY crosswise to the communication partner. It will be transferred in the correct encoding format (DER). AND it will be automatically "quarantined", or shown in a popup (in case a GUI is available), and will "wait" to be trusted.
> it asks for the DER cert (I assume the one I copied from our server) and the private key file. I assume that is the private key from the server cert
NO, NO, never copy the private key file anywhere, it is PRIVATE !!!
> I have also copied the cert generated by uaexpert to our server pc.
NO, NO, NO, it is NOT required to copy the UaExpert certificate anywhere. During connection establishment it will be transferred "via OPC UA" AUTOMATICALLY as described earlier. The server will receive it and will quarantine it (in its local rejected folder). NO need to copy, it is already there !
> Do I have this correct?
NO, you have mixed it up completely. In the first connect attempt the certificates (public keys) will be transferred AUTOMATICALLY, and will be stored locally in the rejected (quarantine) folder. Thereafter you can "trust" (press the "trust" button in UaExpert, and move from rejected to trusted folder on the server side). And on the second connect attempt it will finally connect (already trusted).
Carefully read the instructions in this post and the previous post.
Best regards
Unified Automation Support Team
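Two checks a practitioner would want for the workflow the support team describes, as an added example that is not part of the thread and not code from Unified Automation: first, the file handed over as a "private key" must really be a private key (`openssl x509 -inform der -in cert1.der -out cert1.pem`, as posted above, only re-encodes a certificate from DER to PEM, so the result is a certificate, never a key); second, a certificate sitting in the "rejected" folder should be moved to "trusted" only after its thumbprint has been compared with what the peer shows in its popup or configuration tool, so that an unwanted file that landed in "rejected" is not trusted by accident. The script uses only the Python standard library. It assumes a store layout of `<PKI>/rejected/certs` next to the `<PKI>/trusted/certs` path visible in Don's error message, and takes the OPC UA certificate thumbprint to be SHA-1 over the DER encoding. The sample bytes are constructed placeholders (a minimal DER SEQUENCE and a dummy PEM key envelope), not real certificates or keys; the DER check is an outer-encoding check only, not certificate validation.

```python
"""Added sanity checks for an OPC UA PKI store (standard library only): tell a
private key from a certificate, normalise PEM to DER, trust by thumbprint."""
import base64
import hashlib
import re
import shutil
import tempfile
from pathlib import Path

_PEM_RE = re.compile(rb"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.DOTALL)
_KEY_LABELS = {"PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY", "ENCRYPTED PRIVATE KEY"}

# Constructed placeholders, NOT real certificates or keys: a minimal DER
# SEQUENCE { INTEGER 1 }, the same bytes in a PEM certificate envelope, and a
# PEM private-key envelope around a dummy body. Only the envelopes are inspected.
SAMPLE_DER = b"\x30\x03\x02\x01\x01"
SAMPLE_PEM_CERT = b"-----BEGIN CERTIFICATE-----\nMAMCAQE=\n-----END CERTIFICATE-----\n"
SAMPLE_PEM_KEY = b"-----BEGIN PRIVATE KEY-----\nAAAA\n-----END PRIVATE KEY-----\n"

def _der_outer_length_ok(data: bytes) -> bool:
    """One DER SEQUENCE (tag 0x30) whose length covers the whole file; encoding check only."""
    if len(data) < 2 or data[0] != 0x30:
        return False
    first = data[1]
    if first < 0x80:                      # short-form length
        return len(data) == 2 + first
    n = first & 0x7F                      # long form: n length bytes follow
    if n == 0 or n > 4 or len(data) < 2 + n:
        return False
    return len(data) == 2 + n + int.from_bytes(data[2:2 + n], "big")

def classify(data: bytes) -> str:
    """Return 'pem-certificate', 'pem-private-key', 'der' or 'unknown'."""
    m = _PEM_RE.search(data)
    if m:
        label = m.group(1).decode()
        if label == "CERTIFICATE":
            return "pem-certificate"
        return "pem-private-key" if label in _KEY_LABELS else "unknown"
    return "der" if _der_outer_length_ok(data) else "unknown"

def to_der(data: bytes) -> bytes:
    """DER bytes of a certificate supplied as DER or PEM (OPC UA stores want DER)."""
    kind = classify(data)
    if kind == "der":
        return data
    if kind == "pem-certificate":
        return base64.b64decode(_PEM_RE.search(data).group(2))
    raise ValueError(f"not a certificate: {kind}")

def thumbprint(der: bytes) -> str:
    """OPC UA certificate thumbprint: SHA-1 over the DER encoding, upper-case hex."""
    return hashlib.sha1(der).hexdigest().upper()

def check_x509_token_files(cert_data: bytes, key_data: bytes) -> list:
    """Problems with a (certificate, private key) pair offered as an X509 user token;
    a PEM made with 'openssl x509 ... -out c.pem' is a certificate, not a key."""
    problems = []
    if classify(cert_data) not in ("der", "pem-certificate"):
        problems.append("certificate file is neither DER nor a PEM certificate")
    kind = classify(key_data)
    if kind != "pem-private-key":
        problems.append(f"private key file is '{kind}', not a PEM private key")
    return problems

def promote_to_trusted(pki: Path, name: str, expected_thumbprint: str) -> Path:
    """Move <pki>/rejected/certs/<name> to <pki>/trusted/certs/<name> only if its
    thumbprint equals the one verified on the peer; anything else stays quarantined."""
    src = pki / "rejected" / "certs" / name
    actual = thumbprint(to_der(src.read_bytes()))
    expected = expected_thumbprint.replace(":", "").replace(" ", "").upper()
    if actual != expected:
        raise ValueError(f"{name}: thumbprint {actual} != expected {expected}; not trusting")
    dst = pki / "trusted" / "certs" / name
    dst.parent.mkdir(parents=True, exist_ok=True)
    shutil.move(str(src), str(dst))
    return dst

def demo() -> dict:
    """Run the checks on the constructed samples inside a scratch PKI folder."""
    r = {"cert_kind": classify(SAMPLE_PEM_CERT), "key_kind": classify(SAMPLE_PEM_KEY),
         "der_kind": classify(SAMPLE_DER), "pem_roundtrip": to_der(SAMPLE_PEM_CERT) == SAMPLE_DER,
         "token_pair_problems": check_x509_token_files(SAMPLE_DER, SAMPLE_PEM_CERT)}
    pki = Path(tempfile.mkdtemp())
    rejected = pki / "rejected" / "certs"
    rejected.mkdir(parents=True)
    (rejected / "uaexpert.der").write_bytes(SAMPLE_DER)
    try:  # wrong thumbprint: must raise and leave the file in 'rejected'
        promote_to_trusted(pki, "uaexpert.der", "00" * 20)
        r["wrong_refused"] = False
    except ValueError:
        r["wrong_refused"] = (rejected / "uaexpert.der").exists()
    dst = promote_to_trusted(pki, "uaexpert.der", thumbprint(SAMPLE_DER))
    r["trusted"] = dst.exists() and not (rejected / "uaexpert.der").exists()
    shutil.rmtree(pki)
    return r
```

Trusting by thumbprint rather than by file name matters most on a server without a GUI: every client that ever connected, wanted or not, leaves its certificate in "rejected", and copying "whatever is in rejected" into "trusted" would trust all of them. Note that no private key appears anywhere in this flow, which is the support team's point.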