Cannot comm with Certificate and Private Key

Questions regarding the use of the UaExpert.

garmenmikel
Jr. Member
Posts: 4
Joined: 05 Nov 2018, 14:57

Cannot comm with Certificate and Private Key

Post by garmenmikel »

Hello,

I am using the UaExpert program to communicate with an OPC-UA server. This server is configured with Codesys on a Raspberry Pi.

I want to configure a secure connection between the two elements. For that, I want to use Basic256Sha256 + Sign&Encrypt Security Settings, and Certificate and Private Key as Authentication Settings.

First of all, I configured Basic256Sha256 + Sign&Encrypt Security Settings, and Username and Password as Authentication Settings. This option functions properly after trusting the client certificate in the OPC-UA server.

Apart from that, I have changed the Authentication Settings to use Certificate and Private Key. But when I insert the certificate and the key and try to connect, the message "Connecting failed with error 'BadConfigurationError'" appears. How can I solve this problem?

In addition, when I try to connect, the message "Error 'BadCertificateHostNameInvalid' was returned during CreateSession, press 'Ignore' to suppress the error and continue connecting" appears. Then I press Ignore and it lets me connect if I am using Username and Password. In the case of Certificate and Private Key, this warning message appears too, but after that it doesn't let me connect.

What am I doing wrong?

Thanks for your help!

Support Team
Hero Member
Posts: 3064
Joined: 18 Mar 2011, 15:09

Re: Cannot comm with Certificate and Private Key

Post by Support Team »

Hello garmenmikel,

please ensure that the server actually supports authentication using certificate and private key, and that the certificate you are using is accepted/trusted for authentication by the server. Please do also ensure that the certificate is in DER-format (binary encoding) and that the private key is in PEM-format (text encoding).

The BadCertificateHostNameInvalid error is shown if the hostname/IP you are using to connect to the server is not contained in the server's certificate, e.g. if you are connecting to opc.tcp://192.168.0.1:4840 but the certificate only contains the hostname raspberrypi. In the certificate, this information is stored in the "Subject Alternative Name" extension.
Best regards
Unified Automation Support Team
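The two checks in the reply above (is the file PEM or DER, and does the host from the endpoint URL appear in the certificate's Subject Alternative Name) as an added Python example; this is not code from UaExpert or the Support Team, and the SAN bytes and the URI urn:example:codesys:server are constructed here for illustration.

```python
import ipaddress
from urllib.parse import urlparse

# GeneralName context tags in the SubjectAltName extension (RFC 5280):
# [2] dNSName, [6] uniformResourceIdentifier (OPC UA puts the ApplicationUri here), [7] iPAddress
DNS_NAME, URI_NAME, IP_ADDRESS = 0x82, 0x86, 0x87

def encoding_of(blob: bytes) -> str:
    """Classify a certificate or key file body as PEM (text) or DER (binary)."""
    if blob.lstrip().startswith(b"-----BEGIN "):
        return "PEM"
    if blob[:1] == b"\x30":  # DER SEQUENCE tag: X.509 certs and PKCS#1/PKCS#8 keys all start with it
        return "DER"
    return "unknown"

def _der_len(buf: bytes, i: int):
    """Decode the DER length at buf[i]; return (length, index of the first content byte)."""
    if buf[i] < 0x80:
        return buf[i], i + 1
    n = buf[i] & 0x7F
    return int.from_bytes(buf[i + 1:i + 1 + n], "big"), i + 1 + n

def parse_san(extn_value: bytes):
    """Parse a DER GeneralNames SEQUENCE (the SAN extnValue) into (kind, value) pairs."""
    if extn_value[:1] != b"\x30":
        raise ValueError("SAN extension value must be a DER SEQUENCE")
    total, i = _der_len(extn_value, 1)
    end, names = i + total, []
    while i < end:
        tag = extn_value[i]
        length, i = _der_len(extn_value, i + 1)
        body, i = extn_value[i:i + length], i + length
        if tag in (DNS_NAME, URI_NAME):
            names.append(("dns" if tag == DNS_NAME else "uri", body.decode("ascii")))
        elif tag == IP_ADDRESS:  # raw 4 (IPv4) or 16 (IPv6) bytes
            names.append(("ip", str(ipaddress.ip_address(body))))
        # other GeneralName choices (rfc822Name, directoryName, ...) are skipped
    return names

def host_in_san(san_names, endpoint_url: str) -> bool:
    """Is the host or IP of the endpoint URL listed in the SAN? This is what BadCertificateHostNameInvalid reports."""
    host = urlparse(endpoint_url).hostname or ""
    try:
        return ("ip", str(ipaddress.ip_address(host))) in san_names
    except ValueError:  # not an IP literal: compare as a case-insensitive DNS name
        return any(kind == "dns" and name.lower() == host.lower() for kind, name in san_names)

# Constructed sample SAN mirroring the thread: hostname "raspberrypi" and an application URI, but no IP address.
SAMPLE_SAN = b"\x30\x29" b"\x82\x0braspberrypi" b"\x86\x1aurn:example:codesys:server"
```

To run it against a real server certificate, extract the SAN extension value (OID 2.5.29.17) with your X.509 library of choice and pass those bytes to parse_san.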

garmenmikel
Jr. Member
Posts: 4
Joined: 05 Nov 2018, 14:57

Re: Cannot comm with Certificate and Private Key

Post by garmenmikel »

Hello,

How can I ensure that the server actually supports authentication using certificate and private key? Is there any type of configuration file that exists in all OPC-UA servers? I am actually using an OPC-UA server in Codesys, but soon I will configure an OPC-UA server using node-opcua or python-opcua.

Besides, I am sure that the certificate I am using is accepted/trusted by the server, because in the Certificate and Private Key fields I use the same certificates that I created when I installed UaExpert (the same certificates that I have trusted in the server). But the message "Connecting failed with error 'BadConfigurationError'" appears only when I insert the certificates manually.

Thanks!!

Support Team
Hero Member
Posts: 3064
Joined: 18 Mar 2011, 15:09

Re: Cannot comm with Certificate and Private Key

Post by Support Team »

Hello garmenmikel,

it depends on the server which types of user authentication (anonymous, user/password, X509 token) are supported. Using UaExpert you can check that as follows:

- connect to the server
- Document --> Add... --> "Server Diagnostics View"
- in the "Endpoints" tab, select the endpoints and check if there's a UserTokenPolicy with TokenType Certificate

If there's such an endpoint, you'll need to check with the server vendor on how to trust X509 certificates for user authentication, as this might differ from the trust done for application instance certificates.
Best regards
Unified Automation Support Team

garmenmikel
Jr. Member
Posts: 4
Joined: 05 Nov 2018, 14:57

Re: Cannot comm with Certificate and Private Key

Post by garmenmikel »

Hello,

I have this UserTokenPolicy[0]:

PolicyId UserPassword_Encrypted
TokenType UserName
IssuedTokenType
IssuerEndpointUrl
SecurityPolicyUri http://opcfoundation.org/UA/SecurityPol ... c256Sha256

Does this mean that I cannot communicate with the server using a Certificate and Private Key?

Thanks,

Support Team
Hero Member
Posts: 3064
Joined: 18 Mar 2011, 15:09

Re: Cannot comm with Certificate and Private Key

Post by Support Team »

Hello garmenmikel,

if the server only provides this endpoint, authentication is only possible using username and password, as indicated by the user token type. Please note that the connection itself is still encrypted with certificate and private key when using a Sign&Encrypt endpoint.
Best regards
Unified Automation Support Team

garmenmikel
Jr. Member
Posts: 4
Joined: 05 Nov 2018, 14:57

Re: Cannot comm with Certificate and Private Key

Post by garmenmikel »

Hello,

I have another doubt:
I configured some settings in my OPC-UA server to create a secure connection.
I have these parameters in the Server Diagnostics View in UaExpert:

****EndpointUrl: opc.tcp://192.168.1.32:4851/freeopcua/server/
****Server:
********ApplicationUri: urn:freeopcua:python:server
********ProductUri: urn:freeopcua.github.io:python:server
********ApplicationName: FreeOpcUa Example Server
********ApplicationType: ClientAndServer
********GatewayServerUri:
********DiscoveryProfileUri:
********DiscoveryUrls:
************[0]: opc.tcp://192.168.1.32:4851/freeopcua/server/
****ServerCertificate: 30820407308202E...
****SecurityMode: SignAndEncrypt
****SecurityPolicyUri: http://opcfoundation.org/UA/SecurityPol ... c256Sha256
****UserIdentityTokens:
********UserTokenPolicy[0]:
************PolicyId: certificate_basic256sha256
************TokenType: Certificate
************IssuedTokenType:
************IssuerEndpointUrl:
************SecurityPolicyUri:
****TransportProfileUri: http://opcfoundation.org/UA-Profile/Tra ... c-uabinary
****SecurityLevel: 0

But then, I try to connect Anonymously with Basic256Sha256 + Sign&Encrypt Security Settings, and it lets me connect properly.
Why does it let me?

Thanks for your help,

Support Team
Hero Member
Posts: 3064
Joined: 18 Mar 2011, 15:09

Re: Cannot comm with Certificate and Private Key

Post by Support Team »

Hello garmenmikel,

please contact the server vendor to check why connecting is possible in this case. The server should only allow connecting using the token types it shows in its endpoint descriptions. If the server behaves differently, it doesn't comply with the OPC UA specification.
Best regards
Unified Automation Support Team
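An added Python example (not UaExpert's own code) covering both the Endpoints-tab check described earlier in this thread and the compliance point in the reply above: it parses a constructed Server Diagnostics dump in the format quoted in the thread and checks whether the token type a session used is one the endpoint actually advertises. The dump below is constructed for this example; the SecurityPolicyUri is the full Basic256Sha256 URI, and the rest follows the thread's python-opcua endpoint.

```python
# Constructed Server Diagnostics dump modelled on the one quoted in this thread
# (four asterisks per indentation level, as the quoted export shows it).
SAMPLE_DUMP = """\
****EndpointUrl: opc.tcp://192.168.1.32:4851/freeopcua/server/
****SecurityMode: SignAndEncrypt
****SecurityPolicyUri: http://opcfoundation.org/UA/SecurityPolicy#Basic256Sha256
****UserIdentityTokens:
********UserTokenPolicy[0]:
************PolicyId: certificate_basic256sha256
************TokenType: Certificate
************IssuedTokenType:
************IssuerEndpointUrl:
************SecurityPolicyUri:
****SecurityLevel: 0
"""

def parse_dump(text: str) -> dict:
    """Turn the indented 'key: value' dump into nested dicts; a key with no value opens a sub-block."""
    root = {}
    stack = [(-1, root)]  # (indentation depth, dict that receives children at deeper depths)
    for line in text.splitlines():
        if not line.strip():
            continue
        depth = len(line) - len(line.lstrip("*"))
        key, _, value = line.lstrip("*").partition(":")
        while stack[-1][0] >= depth:  # back out of blocks that are at the same or deeper level
            stack.pop()
        parent = stack[-1][1]
        if value.strip():
            parent[key.strip()] = value.strip()
        else:  # empty value: either a nested block or an unset field (parsed as an empty dict)
            child = {}
            parent[key.strip()] = child
            stack.append((depth, child))
    return root

def offered_token_types(endpoint: dict) -> set:
    """User token types the endpoint advertises (Anonymous, UserName, Certificate, IssuedToken)."""
    policies = endpoint.get("UserIdentityTokens") or {}
    return {p.get("TokenType") for p in policies.values() if isinstance(p, dict)}

def session_is_compliant(endpoint: dict, token_type_used: str) -> bool:
    """A spec-compliant server accepts a session only with a token type it advertises for that endpoint;
    an Anonymous session accepted here points at a server-side policy bug to raise with the vendor."""
    return token_type_used in offered_token_types(endpoint)
```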
