Connection responds with BadCertificateTimeInvalid

Post by Bergsteiger »

Using UAExpert 1.51

Even though I try to connect with no password and no security (None - None (uatcp-uasc-uabinary)), I receive the error message from the Certificate Validation "BadCertificateTimeInvalid". Nevertheless, by pressing "trust" everything works as expected.

The reported certificate in fact became invalid in February this year. As we are running the system inside a protected environment, the encryption is not required. Therefore I wanted to delete this certificate, but I can't find it using the mmc.exe tool on a Windows 7 PC. It looks as if this certificate was created by accident, as the entries like:
Common Name: UaServer@MachineName
Organization: Organization
OrganizationUnit: Unit

are rather meaningless. I don't even know who created that certificate, as the issuer's entries are identical.

What can I do to get rid of the error message? It might be that the connected clients see the same issue, but I am not sure.
Best regards

Post by Support Team »


The UaExpert will look at the certificate whenever it receives one during connection establishment (even on the insecure "none" Endpoint). However, after displaying its content to inform the user, you can decide to "ignore" it and connect anyway. Other clients should have a similar function; regarding the UA Specification, the certificate should be ignored on a "none" Endpoint. However, some servers have the ability for additional user authentication (user/pwd), and the certificate may be used for encryption of the pwd. Without a certificate you would transfer the PWD as clear text, which is not a good idea. That said, it would be better to use an expired certificate than to use no certificate at all. Keep in mind: OPC UA has multiple layers of security, not only for application authentication but also for user authorisation.

The best option you have is to create a new certificate (set a new expiry date). The server should have a mechanism (e.g. a configuration tool) for doing so. The location where the server is storing its certificate is up to the server; it may be in the Windows-Certificate store, but it may be in a file store, or it may even be stored in hardware (secure element, TPM).

Deleting (essential) files like the certificate or the like may end up in the server not being able to start up, which BTW from a security perspective is the best option the server has if you mess up its configuration.
Best regards
Unified Automation Support Team
