
Fault at connection to OPC Server on PLC Simotion

Posted: 01 Dec 2020, 11:01
by imartinez
Hello,

I'm quite new to OPC UA communication.

I'm using UaExpert to connect to the OPC server. When I launch the connection I get a popup to trust the certificate sent by the PLC Simotion D425. I can trust it, but I get 3 errors each time I try to connect.

Unable to get local issuer certificate [BadCertificateChainIncomplete]
Unable to get certificate CRL [BadCertificateRevocationUnknown]
Unable to verify the first certificate [BadCertificateChainIncomplete]

When contacting Siemens they tell me that this is because the server cannot manage client certificates and that I need to create my own and load it into the PLC.

Does this seem right?

From what I understand I would say there is a problem with the certificate in the PLC.

Re: Fault at connection to OPC Server on PLC Simotion

Posted: 23 Dec 2020, 13:37
by Support Team
Hello,

Here you can find a more detailed documentation of the different security configuration aspects and the terms I use in my explanation:
https://documentation.unified-automation.com/uasdkcpp/1.7.3/html/L2UaDiscoveryConnect.html

The error codes indicate that the server is using a CA-signed certificate and have nothing to do with the capabilities of the server to manage trust of client certificates. CA is Certificate Authority.

If CA-signed certificates are used, you can only get rid of these errors if the client also gets a CA-signed certificate including the CA certificate chain and a certificate revocation list (CRL) for the CA certificate. This is typically done with an OPC UA Global Discovery Server (GDS).

If you are not managing a CA / GDS for your clients and servers, you can use self-signed certificates. This is the default for UaExpert. But I do not know how a self-signed certificate can be configured for the server you are using.
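The three trust-list situations discussed in this thread can be reproduced with the OpenSSL command line, whose verification messages use the same wording as the errors quoted in the first post. This is an added example, not part of the original posts and not Siemens or Unified Automation code; DemoCA, DemoServer and all file names are constructed for the demonstration.

```bash
#!/usr/bin/env bash
# Added example. DemoCA and DemoServer are constructed test names; nothing here
# is the Simotion's real PKI. Requires the openssl command-line tool.

# Build a throwaway CA, a server certificate signed by it, and the CA's CRL in dir $1.
make_pki() (
  mkdir -p "$1" && cd "$1" || exit 1
  printf '%s\n' '[req]' 'distinguished_name = dn' '[dn]' \
    '[v3_ca]' 'basicConstraints = critical,CA:TRUE' \
    'keyUsage = critical,keyCertSign,cRLSign' \
    '[ca]' 'default_ca = demo' \
    '[demo]' 'database = index.txt' 'default_md = sha256' > pki.cnf
  : > index.txt                      # empty CA database: no revoked certificates
  openssl req -x509 -config pki.cnf -extensions v3_ca -newkey rsa:2048 -nodes \
    -keyout ca.key -out ca.pem -subj "/CN=DemoCA" -days 30 &&
  openssl req -new -config pki.cnf -newkey rsa:2048 -nodes \
    -keyout server.key -out server.csr -subj "/CN=DemoServer" &&
  openssl x509 -req -in server.csr -CA ca.pem -CAkey ca.key -CAcreateserial \
    -out server.pem -days 30 &&
  openssl ca -gencrl -config pki.cnf -keyfile ca.key -cert ca.pem \
    -crldays 30 -out ca.crl
) >/dev/null 2>&1

# Verify $1/server.pem with the given "openssl verify" options; print "OK" or
# the first failure reason OpenSSL reports.
verify_reason() (
  dir=$1
  shift
  out=$(openssl verify "$@" "$dir/server.pem" 2>&1) || true
  case $out in
    *": OK"*) echo OK ;;
    *) printf '%s\n' "$out" |
         sed -n 's/^error [0-9]* at [0-9]* depth lookup: *//p' | head -n 1 ;;
  esac
)

demo=$(mktemp -d) && make_pki "$demo" || { echo "PKI setup failed" >&2; exit 1; }
ca="$demo/ca.pem"
crl="$demo/ca.crl"
echo "CA not in trust list:  $(verify_reason "$demo")"
echo "CA trusted, no CRL:    $(verify_reason "$demo" -CAfile "$ca" -crl_check)"
echo "CA trusted, CRL given: $(verify_reason "$demo" -CAfile "$ca" -CRLfile "$crl" -crl_check)"
rm -rf "$demo"
```

The first two results correspond to the chain and revocation errors in the question; only the last case, with both the CA certificate and its CRL available to the verifier, passes with revocation checking enabled.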