BadCertificateChainIncomplete error

Questions regarding the use of the UaExpert.

Moderator: uaexpert

simon.s
Jr. Member
Posts: 4
Joined: 14 Nov 2019, 05:03

BadCertificateChainIncomplete error

Post by simon.s »

Hi,

I observed the [BadCertificateChainIncomplete] issue when I use UaExpert to talk to UaDemoServer, which uses a chain of certificates.

Following the recommendation of thread https://forum.unified-automation.com/post3961.html,
I have put the CA certificate of the UaDemoServer in UaExpert's 'trusted/certs' and 'issuers/certs' folders.
I set 'General.DisableError.CertificateIssuerRevocationUnknown' and 'General.DisableError.CertificateRevocationUnknown' in UaExpert's settings to true.
The Trust Status of the leaf certificate is Trusted.

But I still have the following 3 errors.
"unable to get local issuer certificate [BadCertificateChainIncomplete]
unable to get certificate CRL [BadCertificateRevocationUnknown]
unable to verify the first certificate [BadCertificateChainIncomplete]"

In another thread https://forum.unified-automation.com/post3978.html, it states that
"If the certificate contains a chained issuer and a CA, the server will send the public portions of the complete chain to the client for verification.".

I observed that only the leaf certificate was sent to the client instead of the complete chain.
Would you please clarify how I can ensure the UaDemoServer sends the complete chain to the UaExpert client?
Am I missing any parameter/setting of the server certificate?

Thank you.

Regards,

Support Team
Hero Member
Posts: 3064
Joined: 18 Mar 2011, 15:09

Re: BadCertificateChainIncomplete error

Post by Support Team »

Hello,

it seems that you have a misconfigured chain already on the server side.
In order to use certificate chains, the "issuers" folder is used for intermediate CAs that you don't trust but which you need to complete the chain. For the verification (done by OpenSSL) the client will pass all the certs stored in "issuers" together with the trusted ones to the OpenSSL verify. The verification will only be positive if you have the RevocationList for each of the CAs present (even if those are empty).
Best regards
Unified Automation Support Team
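To make the rules in the reply above concrete, here is an added example that is not code from UaExpert, the Unified Automation SDK or either poster. It uses the `cryptography` package to build a constructed root -> intermediate -> leaf chain with made-up names, then walks the chain the way the reply describes the client doing it: trust anchors come from the "trusted" set, intermediates from the "issuers" set are used only to complete the chain and are never trusted on their own, and every CA on the path must have a CRL (an empty one is enough). The four scenarios in `demo()` reproduce the two OpenSSL errors quoted in the first post (missing issuer, missing CRL) as their OPC UA status names; `verify_chain` is a simplified illustration of that logic, not the SDK's verifier.

```python
# Added example (not UaExpert or Unified Automation SDK code). Builds a
# constructed root -> intermediate -> leaf chain and checks it with the store
# rules from the reply: trusted anchors, untrusted issuers for chain
# completion only, and one CRL (possibly empty) per CA on the path.
import datetime
from cryptography import x509
from cryptography.x509.oid import NameOID
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa

NOW = datetime.datetime.now(datetime.timezone.utc)


def _name(cn):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])


def make_cert(cn, issuer=None, issuer_key=None, is_ca=False):
    """Return (cert, key); self-signed when no issuer is given."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    builder = (
        x509.CertificateBuilder()
        .subject_name(_name(cn))
        .issuer_name(issuer.subject if issuer else _name(cn))
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(NOW - datetime.timedelta(minutes=5))
        .not_valid_after(NOW + datetime.timedelta(days=365))
        .add_extension(x509.BasicConstraints(ca=is_ca, path_length=None), critical=True)
    )
    return builder.sign(issuer_key or key, hashes.SHA256()), key


def make_empty_crl(ca_cert, ca_key):
    """An empty CRL is enough to satisfy the 'one CRL per CA' rule."""
    return (
        x509.CertificateRevocationListBuilder()
        .issuer_name(ca_cert.subject)
        .last_update(NOW - datetime.timedelta(minutes=5))
        .next_update(NOW + datetime.timedelta(days=30))
        .sign(ca_key, hashes.SHA256())
    )


def signed_by(cert, candidate):
    """True if 'candidate' is the CA whose key actually signed 'cert'."""
    if cert.issuer != candidate.subject:
        return False
    try:
        candidate.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                                      padding.PKCS1v15(), cert.signature_hash_algorithm)
        return True
    except Exception:
        return False


def verify_chain(leaf, trusted, issuers, crls):
    """Walk from the leaf up to a trusted self-signed root. Returns [] on
    success, otherwise OPC UA status names for each problem found on the way."""
    errors, cert = [], leaf
    while True:
        if cert.issuer == cert.subject:               # self-signed: end of the chain
            if cert not in trusted:                   # root known only via issuers/
                errors.append("BadCertificateUntrusted")
            return errors
        cas = [c for c in trusted + issuers if signed_by(cert, c)]
        if not cas:                                   # "unable to get local issuer certificate"
            errors.append("BadCertificateChainIncomplete")
            return errors
        ca = cas[0]
        ca_crls = [c for c in crls
                   if c.issuer == ca.subject and c.is_signature_valid(ca.public_key())]
        if not ca_crls:                               # "unable to get certificate CRL"
            errors.append("BadCertificateRevocationUnknown")
        elif any(c.get_revoked_certificate_by_serial_number(cert.serial_number)
                 for c in ca_crls):
            errors.append("BadCertificateRevoked")
        cert = ca                                     # continue with the issuer


# Constructed demo PKI; the names are made up for this example.
ROOT, ROOT_KEY = make_cert("DemoRootCA", is_ca=True)
INTER, INTER_KEY = make_cert("DemoIntermediateCA", ROOT, ROOT_KEY, is_ca=True)
LEAF, _ = make_cert("UaDemoServer", INTER, INTER_KEY)
ROOT_CRL, INTER_CRL = make_empty_crl(ROOT, ROOT_KEY), make_empty_crl(INTER, INTER_KEY)


def demo():
    """Complete store versus the misconfigurations discussed in the thread."""
    return {
        "complete": verify_chain(LEAF, [ROOT], [INTER], [ROOT_CRL, INTER_CRL]),
        "no_intermediate": verify_chain(LEAF, [ROOT], [], [ROOT_CRL, INTER_CRL]),
        "no_crls": verify_chain(LEAF, [ROOT], [INTER], []),
        "root_only_in_issuers": verify_chain(LEAF, [], [INTER, ROOT], [ROOT_CRL, INTER_CRL]),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result or 'OK'}")
```

Two points worth noting from the output: the leaf being "Trusted" on its own does not help once the issuer lookup fails, and a root placed only under issuers completes the chain but still ends in an untrusted anchor, so the root has to sit in the trusted store while the intermediate can stay in issuers.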

simon.s
Jr. Member
Posts: 4
Joined: 14 Nov 2019, 05:03

Re: BadCertificateChainIncomplete error

Post by simon.s »

Hi,

Thank you for the hints. I have a few more questions.

Would you please clarify whether I need to have the RevocationList for each of the CAs on the server-side so that the server will send the UAExpert client the Revocation List via the UA SDK?

Would you please clarify whether the UAExpert will ignore the RevocationList check when I set 'General.DisableError.CertificateIssuerRevocationUnknown' and 'General.DisableError.CertificateRevocationUnknown' in UaExpert's settings to true?

Would you please clarify, when an OPC UA server built on the UA C# SDK uses the Windows certificate store to manage its certificates (the Root CA is in the Trusted Root Certificate store, the intermediate CA is in the Intermediate Certificate store, and the SSL certificate is in the Personal store), whether the OPC UA server will send the complete certificate chain to the UAExpert client as well?

Thanks.

Regards,

Support Team
Hero Member
Posts: 3064
Joined: 18 Mar 2011, 15:09

Re: BadCertificateChainIncomplete error

Post by Support Team »

Hi,

to use CA-signed certificates and chains it is important to have a revocation list for each CA; otherwise you can never withdraw any compromised device. However, such a revocation list must be regularly updated. Such a feature is not part of the SDK; your application must manage and update its trust store (including the revocation lists).

The infrastructure to do so is provided by the GDS (global discovery server). The OPC Foundation invented this component to be able to "manage" security and trust amongst UA applications (clients and servers). The GDS has functionality to answer "signing requests" and to "update" the trust and revocation list of each managed application.
Best regards
Unified Automation Support Team

svein@folkedata.no
Jr. Member
Posts: 1
Joined: 07 Apr 2022, 08:40

Re: BadCertificateChainIncomplete error

Post by svein@folkedata.no »

I am using GDS with a CA certificate and a root CA Offline certificate.

I have added a CRL for the CA and the root CA but still get the following errors:
Error - unable to get local issuer certificate [BadCertificateChainIncomplete]
Error - unable to get certificate CRL [BadCertificateRevocationUnknown]
Error - unable to verify the first certificate [BadCertificateChainIncomplete]

And in the Certificate Chain Section I get the error:
Certificatename Untrusted

This works just fine using the framework for Advosol but not for Unified framework.

Any ideas?

Support Team
Hero Member
Posts: 3064
Joined: 18 Mar 2011, 15:09

Re: BadCertificateChainIncomplete error

Post by Support Team »

Hi,

the error log already tells you the issues. The certificate chain consists of different parts (root, intermediate1, intermediate2, leaf) and you must add these to your PKI store correctly. In OPC UA you have the ability to have untrusted intermediates, which you need just for chain completion but do not trust explicitly. For each CA/intermediate you will need the corresponding CRL and keep it up to date.
Best regards
Unified Automation Support Team
