"Trust server certificate" button doesn't work properly

Questions regarding the use of the UaExpert.

Moderator: uaexpert

Post Reply
astae
Jr. Member
Jr. Member
Posts: 3
Joined: 03 Oct 2018, 03:26

"Trust server certificate" button doesn't work properly

Post by astae »

Hello,

I use UaExpert 1.4.4.275 on Windows 10 x64. I try to connect to OPC UA Server with security mode = "none" and when server returns me certificate, then I get an error "BadCertificateUntrusted". There is no any red field in Certificate details table of Certificate Validation window. When I press button "Trust server certificate", then nothing happens (continue button still disabled), however I see that this certificate was added in UaExpert certificates trust folder and marked as "Trusted" in Manage Certificates window. Any idea how to solve the problem?

User avatar
Support Team
Hero Member
Hero Member
Posts: 3064
Joined: 18 Mar 2011, 15:09

Re: "Trust server certificate" button doesn't work properly

Post by Support Team »

Hello astae,

what does the 'Trust Status' column of the 'Certificate Validation' window show when you're connecting to the server? If it only shows 'Bad' this might be a known display issue: if the server is using a CA-signed certificate, it expects to find the CA certificate and a matching certificate revocation list (CRL). If no matching CRL is found, the status might simply show as 'Bad'. Please enable the UaExpert settings 'General.DisableError.CertificateIssuerRevocationUnknown' and 'General.DisableError.CertificateRevocationUnknown' and then try connecting again.
Best regards
Unified Automation Support Team

astae
Jr. Member
Jr. Member
Posts: 3
Joined: 03 Oct 2018, 03:26

Re: "Trust server certificate" button doesn't work properly

Post by astae »

Support Team wrote:Hello astae,

what does the 'Trust Status' column of the 'Certificate Validation' window show when you're connecting to the server? If it only shows 'Bad' this might be a known display issue: if the server is using a CA-signed certificate, it expects to find the CA certificate and a matching certificate revocation list (CRL). If no matching CRL is found, the status might simply show as 'Bad'. Please enable the UaExpert settings 'General.DisableError.CertificateIssuerRevocationUnknown' and 'General.DisableError.CertificateRevocationUnknown' and then try connecting again.
When I am connecting to server the column shows "Untrusted". However the column with the same certificate in Manage Certificates window has Status column value - "Trusted". Additionally, in Certificate Validation Window "Errors" row I can see value "Errror invalid CA certificate [BadCertificateInvalid]".

astae
Jr. Member
Jr. Member
Posts: 3
Joined: 03 Oct 2018, 03:26

Re: "Trust server certificate" button doesn't work properly

Post by astae »

It might be important that before new OS installation (Windows 10/x64), I haven't problem on Windows 7 (x64). But I am not sure that it is OS problem.

User avatar
Support Team
Hero Member
Hero Member
Posts: 3064
Joined: 18 Mar 2011, 15:09

Re: "Trust server certificate" button doesn't work properly

Post by Support Team »

Hello astae,

this behaviour is independent on the used OS, so your new Windows installation doesn't affect the behaviour.

Please enable the UaExpert settings 'General.DisableError.CertificateIssuerRevocationUnknown' and 'General.DisableError.CertificateRevocationUnknown' and then try connecting again to check if the problen is the missing CRL.

The error "Error invalid CA certificate [BadCertificateInvalid]" is a hint that UaExpert either cannot find the CA certificate that signed the server certificate, or that the CA certificate is not valid at all. Please check the "Issuers" tab in the "Manage Certificates" window if there are CA certificates and if they are valid.

If this doesn't help, please open a support request at https://webdav.unifiedautomation.com/su ... _form.html and include:
- screenshots of the connect error dialog, the Trusted and Issuers tab of the Manage Certificates dialog
- the content of the 'trusted' and 'issuers' folders of UaExpert's PKI store (click Open Certificate Location in the Manage Certificates dialog)
Best regards
Unified Automation Support Team

Post Reply