BadCertificateTimeInvalid

jgolinuc
Jr. Member
Posts: 1
Joined: 24 Feb 2021, 07:29

BadCertificateTimeInvalid

Post by jgolinuc »

Hi,
I'm trying to establish a secure connection to a Siemens S7-1512 PLC.

I've imported the certificates at these locations:
- CA certificate (.der) in C:\Users\Joel\AppData\Roaming\unifiedautomation\uaexpert\PKI\issuers\certs
- CA certificate revoke list (.crl) in C:\Users\Joel\AppData\Roaming\unifiedautomation\uaexpert\PKI\issuers\crl
- Device certificate (.der) in C:\Users\Joel\AppData\Roaming\unifiedautomation\uaexpert\PKI\trusted\certs

The device is configured to use the Device certificate and is correctly loaded.

I'm able to discover the device in the UAExpert "Add server" window, but as soon as I hit the connect button I get these error messages:
[uastack] OpcUa_TcpConnection_ProcessResponse: Error Message!
[uastack] OpcUa_TcpConnection_ProcessResponse: Status 0x80140000!
Error 'BadCertificateTimeInvalid' was returned during OpenSecureChannel

I've tried to create all certificates (CA then Device) with different validity period (starting from today, ending in 10 years for example), but the issue is always the same.

Thanks for your help!

Support Team
Hero Member
Posts: 2670
Joined: 18 Mar 2011, 15:09

Re: BadCertificateTimeInvalid

Post by Support Team »

Hello,

On the client side, the UaExpert "imports" all public certs needed on its side automatically when hitting the "Trust" button. On the server side you must use the mechanisms provided by the configuration tools of the server vendor (TIA Portal) to trust the UaExpert certificate.

If the error is "BadCertificateTimeInvalid" then the x509 certificate is not valid anymore or is not yet valid. Each certificate has a validity period "from" and "to"; the client will check the validity of the server cert against its clock and the server side will check the validity of the client cert against its clock.

1. Assumption: the clock is NOT correct on the server side.

Have you synchronized the time on the Siemens S7-1512 PLC? If you have freshly taken it out of the box, it might be 01.01.1970.

2. Assumption: your time on the PC where you run the UaExpert, is probably correct and in sync with real world.

Solution: set correct time on both sides of the equation, create new certificates thereafter, try again.
Best regards
Unified Automation Support Team
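The two-sided check described in the reply above, as an added example that is not part of the original thread and is not UaExpert or Siemens code: each peer compares the other side's certificate validity window with its own clock. The certificate dates, clock values and function names are constructed for illustration; the time parsing follows the X.509 UTCTime/GeneralizedTime encoding.

```python
from datetime import datetime, timezone

BAD_CERTIFICATE_TIME_INVALID = 0x80140000  # status code from the log in the question


def parse_x509_time(value: str) -> datetime:
    """Parse an X.509 validity time: UTCTime (YYMMDDHHMMSSZ) or GeneralizedTime."""
    if not value.endswith("Z"):
        raise ValueError("X.509 validity times must be UTC ('Z' suffix)")
    digits = value[:-1]
    if len(digits) == 12:  # UTCTime: two-digit year, RFC 5280 pivot at 50
        year = int(digits[:2])
        year += 1900 if year >= 50 else 2000
        digits = f"{year:04d}{digits[2:]}"
    elif len(digits) != 14:
        raise ValueError(f"unsupported time format: {value!r}")
    return datetime.strptime(digits, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def check_validity(not_before: str, not_after: str, local_clock: datetime) -> str:
    """Verdict a peer reaches when checking a certificate against its own clock."""
    start, end = parse_x509_time(not_before), parse_x509_time(not_after)
    if local_clock < start:
        return "not yet valid"
    if local_clock > end:
        return "expired"
    return "ok"


def diagnose(client_cert, server_cert, client_clock, server_clock) -> dict:
    """Each side validates the peer's certificate against its own clock."""
    return {
        "client checks server cert": check_validity(*server_cert, client_clock),
        "server checks client cert": check_validity(*client_cert, server_clock),
    }


# Constructed sample values: certificates issued on 24 Feb 2021 for ten years,
# PC clock correct, PLC clock still at the 01.01.1970 default.
CLIENT_CERT = ("210224000000Z", "310224000000Z")      # UTCTime encoding
SERVER_CERT = ("210224000000Z", "20310224000000Z")    # mixed with GeneralizedTime
PC_CLOCK = datetime(2021, 2, 24, 8, 0, tzinfo=timezone.utc)
PLC_CLOCK = datetime(1970, 1, 1, tzinfo=timezone.utc)

if __name__ == "__main__":
    for check, verdict in diagnose(CLIENT_CERT, SERVER_CERT, PC_CLOCK, PLC_CLOCK).items():
        status = "" if verdict == "ok" else f" -> 0x{BAD_CERTIFICATE_TIME_INVALID:08X}"
        print(f"{check}: {verdict}{status}")
```

With these values the client-side check passes while the server-side check reports the freshly issued client certificate as not yet valid, which is why regenerating certificates with a longer lifetime does not help until the PLC clock is set.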