BadCertificateChainIncomplete error

Posted: 07 Jan 2020, 13:42
by simon.s

I observed the [BadCertificateChainIncomplete] issue when I use UaExpert to talk to UaDemoServer, which uses a chain of certificates.

Following the recommendation of the thread,
I have put the CA certificate of the UaDemoServer in UaExpert's 'trusted/certs' and 'issuers/certs' folders.
I set 'General.DisableError.CertificateIssuerRevocationUnknown' and 'General.DisableError.CertificateRevocationUnknown' in UaExpert's settings to true.
The Trust Status of the leaf certificate is Trusted.

But I still have the following 3 errors.
"unable to get local issuer certificate [BadCertificateChainIncomplete]
unable to get certificate CRL [BadCertificateRevocationUnknown]
unable to verify the first certificate [BadCertificateChainIncomplete]"

In another thread, it states that
"If the certificate contains a chained issuer and a CA, the server will send the public portions of the complete chain to the client for verification.".

I observed that only the leaf certificate was sent to the client instead of the complete chain.
Would you please clarify how I can ensure the UaDemoServer sends the complete chain to the UaExpert client?
Am I missing any parameter/setting of the server certificate?

Thank you.


Posted: 08 Jan 2020, 19:24
by Support Team

It seems that you have a misconfigured chain already on the server side.
In order to use certificate chains, the "issuers" folder is used for intermediate CAs that you don't trust but which you need to complete the chain. For the verification (done by OpenSSL) the client will pass all the certs stored in issuers together with the trusted ones to the OpenSSL verify. The verification will only be positive if you have the RevocationList for each of the CAs present (even if those are empty).
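To see the verification behaviour described in this answer, here is an added example (not from the thread, UaExpert or the UA SDK) that builds a constructed Root CA, intermediate CA and leaf certificate with plain openssl and then runs the same OpenSSL verify in three configurations; the `trusted` and `issuers` directories stand in for UaExpert's 'trusted/certs' and 'issuers/certs' folders, and the UA-specific PKI layout is not reproduced.

```shell
#!/bin/sh
# Constructed test PKI: Root CA -> Intermediate CA -> leaf (server) certificate.
set -e
WORK=$(mktemp -d)
cd "$WORK"
mkdir -p trusted issuers

gen_chain() {
    # Self-signed root CA, placed in "trusted" (plays UaExpert's trusted/certs)
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Test Root CA" \
        -keyout root.key -out trusted/root.crt >/dev/null 2>&1
    # Intermediate CA, signed by the root and marked as a CA; placed in "issuers"
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Test Intermediate CA" \
        -keyout inter.key -out inter.csr >/dev/null 2>&1
    openssl x509 -req -in inter.csr -CA trusted/root.crt -CAkey root.key -CAcreateserial \
        -days 1 -extfile ca.ext -out issuers/inter.crt >/dev/null 2>&1
    # Leaf (application instance) certificate, signed by the intermediate only
    printf 'basicConstraints=CA:FALSE\n' > leaf.ext
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=UaDemoServer" \
        -keyout leaf.key -out leaf.csr >/dev/null 2>&1
    openssl x509 -req -in leaf.csr -CA issuers/inter.crt -CAkey inter.key -CAcreateserial \
        -days 1 -extfile leaf.ext -out leaf.crt >/dev/null 2>&1
}

# Verify the leaf against the trusted root.
# $1: intermediates to supply (e.g. "-untrusted issuers/inter.crt"), or ""
# $2: extra flags, e.g. "-crl_check_all" to require a CRL for every CA
verify_leaf() {
    openssl verify -CAfile trusted/root.crt $1 $2 leaf.crt 2>&1 || true
}

gen_chain
echo "1) leaf only, intermediate not supplied:"
verify_leaf ""                                        # unable to get local issuer certificate
echo "2) intermediate supplied from issuers:"
verify_leaf "-untrusted issuers/inter.crt"            # leaf.crt: OK
echo "3) chain complete, CRL checking on, no CRL present:"
verify_leaf "-untrusted issuers/inter.crt" "-crl_check_all"   # unable to get certificate CRL
```

Case 1 is the "unable to get local issuer certificate" error from the first post, and case 3 is the "unable to get certificate CRL" error that disappears only once a CRL (even an empty one) exists for each CA in the chain.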

Posted: 11 Jan 2020, 00:05
by simon.s

Thank you for the hints. I have a few more questions.

Would you please clarify whether I need to have the RevocationList for each of the CAs on the server-side so that the server will send the UAExpert client the Revocation List via the UA SDK?

Would you please clarify whether the UAExpert will ignore the RevocationList check when I set 'General.DisableError.CertificateIssuerRevocationUnknown' and 'General.DisableError.CertificateRevocationUnknown' in UaExpert's settings to true?

Would you please clarify, when an OPC UA server which takes advantage of the UA C# SDK uses the Windows certificate store to manage the certificates, and the Root CA is available in the Trusted Root Certificate store, the intermediate CA is available in the Intermediate Certificate store, and the SSL certificate is available in the Personal store, whether the OPC UA server will send the complete certificate chain to the UAExpert client as well?
Posted: 28 Apr 2020, 19:18
by Support Team

To use CA signed certificates and chains it is important to have a revocation list for each CA, otherwise you can never withdraw any compromised device. However, such a revocation list must be regularly updated; such a feature is not part of the SDK, your application must manage and update its trust store (including the revocation lists).

The infrastructure to do so is provided by the GDS (Global Discovery Server). The OPC Foundation has invented this component to be able to "manage" security and trust amongst UA applications (clients and servers). The GDS has functionality to answer "signing requests" and to "update" the trust list and revocation list of each managed application.