BadCertificateChainIncomplete and BadCertificateRevocationUnknown errors with Self-Signed Certificate

Questions regarding the use of the UaExpert.

Moderator: uaexpert

Ewen
Jr. Member
Posts: 3
Joined: 05 Jul 2023, 11:13

BadCertificateChainIncomplete and BadCertificateRevocationUnknown errors with Self-Signed Certificate

Post by Ewen »

Hello everyone,

I am very new to OPC-UA and am using UAExpert as a test tool in order to validate the format of self-signed certificates I generate for a Panorama E² OPC-UA server.
I experience some problems during the connection step and get these errors:
  • unable to get local issuer certificate [BadCertificateChainIncomplete]
  • unable to get certificate CRL [BadCertificateRevocationUnknown]
  • unable to verify the first certificate [BadCertificateChainIncomplete]
I don't know if these errors are expected or not, since I use a self-signed certificate, which means there is no CA nor revocation list.
What is also a bit confusing for me is that I get these errors when I work locally on my server (OPC-UA server and UAExpert on the same machine), but I can't reproduce this when I work on a VM or a computer (both client and server on the same machine too).

I am using the same Panorama E² software, same UAExpert version, same certificate.

Here is the PowerShell script I use for certificate generation:
# Create a 4096-bit RSA self-signed server certificate in the local machine store.
# The two -TextExtension entries are the Extended Key Usage (serverAuth, 1.3.6.1.5.5.7.3.1)
# and the Subject Alternative Name, whose first entry is the OPC UA application URI.
# 10.14.22.169 is an IP address, so it belongs in an IPAddress entry rather than a DNS entry.
$Cert = New-SelfSignedCertificate `
-Type SSLServerAuthentication `
-Subject "CN=Panorama Composer OPC UA Server,DC=10.14.22.169" `
-HashAlgorithm sha256 `
-KeyAlgorithm RSA `
-KeyLength 4096 `
-KeyExportPolicy Exportable `
-Provider "Microsoft Enhanced RSA and AES Cryptographic Provider" `
-KeySpec KeyExchange `
-NotAfter (Get-Date).AddYears(5) `
-CertStoreLocation "Cert:\LocalMachine\My" `
-KeyUsage DigitalSignature,NonRepudiation,KeyEncipherment,DataEncipherment `
-TextExtension @("2.5.29.37={text}1.3.6.1.5.5.7.3.1","2.5.29.17={text}URL=urn:localhost:CODRA:Panorama Composer OPC UA Server&IPAddress=10.14.22.169")
# Export the public certificate as DER, and the certificate with its private key as PFX (empty password).
Export-Certificate -Cert $Cert -FilePath C:\temp\certificate.der
$CertPasswordEmpty = New-Object System.Security.SecureString
Export-PfxCertificate -Cert $Cert -FilePath C:\temp\certificate.pfx -Password $CertPasswordEmpty


I'd like to know if someone has already experienced such things using UaExpert and a self-signed certificate, if there is a mistake in the script I use to generate certificates, and why I get different results when I work on the server or on my computer/VM.

Thanks in advance for your answers and your help.

Regards,
Ewen

Support Team
Hero Member
Posts: 3072
Joined: 18 Mar 2011, 15:09

Re: BadCertificateChainIncomplete and BadCertificateRevocationUnknown errors with Self-Signed Certificate

Post by Support Team »

Hi,

from the errors given in the UaExpert it seems that the certificate is seen as a "chain" of certificates instead of an individual self-signed (self-issued) certificate. Please check against the OPC Specification; there are some additional fields that need to be set.

As long as you have a different issuer for the cert, UaExpert assumes a chain, hence looks for Revocation list and looks for the missing pieces to validate the complete chain.

The Microsoft built-in tools are not able to create a valid, UA conformant, X.509 certificate. The Unified Automation SDKs include functionality to create self-signed certificates automatically. Contact sales@ to get your Unified Automation OPC UA SDK.
Best regards
Unified Automation Support Team

Ewen
Jr. Member
Posts: 3
Joined: 05 Jul 2023, 11:13

Re: BadCertificateChainIncomplete and BadCertificateRevocationUnknown errors with Self-Signed Certificate

Post by Ewen »

Hi,

Thanks a lot for your answer.
I understand that, in any case, certificates I will generate using the Microsoft built-in tool will never be fully UA conformant?
What I don't understand is that I don't get any error when I use my own computer or a VM, but when I try it on the physical server it shows these errors. Do you know why I get different results?

Also, could you give me the e-mail address of the sales department in order to contact them?

Regards,
Ewen

Support Team
Hero Member
Posts: 3072
Joined: 18 Mar 2011, 15:09

Re: BadCertificateChainIncomplete and BadCertificateRevocationUnknown errors with Self-Signed Certificate

Post by Support Team »

Hi,

there might be a difference in the Windows version in your VM and your native installation. Not sure about the latest greatest Win11, however the previous versions did not have the capabilities for generating OPC UA certificates. For that reason we typically use OpenSSL or BouncyCastle, and we have encapsulated them into a comfortable API in order to automatically generate proper certificates with ease.
Best regards
Unified Automation Support Team
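The two points above (a certificate treated as a chain because it is not self-issued, and different behaviour on the server versus the VM) can be checked directly on the exported file. The following PowerShell script is an added diagnostic, not code from the thread or from Unified Automation; it assumes the C:\temp\certificate.der path used by the generation script, prints whether Issuer equals Subject, lists the extensions an OPC UA validator looks at, and then runs the Windows chain engine so the output can be compared between the two machines. UaExpert's messages ("unable to get local issuer certificate", "unable to get certificate CRL") are OpenSSL verify strings, so the Windows chain result is only an approximation of what UaExpert does.

```powershell
# Added diagnostic (not part of the original thread). Assumes the DER file
# exported by the generation script; adjust $path if it lives elsewhere.
$path = 'C:\temp\certificate.der'
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $path

"Subject : $($cert.Subject)"
"Issuer  : $($cert.Issuer)"
# A self-issued certificate has Issuer == Subject. If they differ, a validator
# goes looking for the issuer certificate and its CRL, which is exactly what
# BadCertificateChainIncomplete / BadCertificateRevocationUnknown report.
"Self-issued (Issuer == Subject): $($cert.Issuer -eq $cert.Subject)"

# Extensions an OPC UA application-instance certificate is expected to carry.
# The SAN must list the application URI (shown by Windows as a URL entry) first.
$wanted = [ordered]@{
    '2.5.29.17' = 'SAN'
    '2.5.29.15' = 'Key Usage'
    '2.5.29.37' = 'Extended Key Usage'
    '2.5.29.19' = 'Basic Constraints'
    '2.5.29.14' = 'Subject Key Id'
    '2.5.29.35' = 'Authority Key Id'
}
foreach ($oid in $wanted.Keys) {
    $ext = $cert.Extensions | Where-Object { $_.Oid.Value -eq $oid } | Select-Object -First 1
    if ($ext) { "{0,-18}: {1}" -f $wanted[$oid], $ext.Format($false) }
    else      { "{0,-18}: MISSING" -f $wanted[$oid] }
}

# Approximate the chain and revocation checks with the Windows chain engine.
# Run this on the server and on the VM: a different chain length or status
# list points at a difference in the two machines' certificate stores.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
$null = $chain.Build($cert)
"Chain elements: " + (($chain.ChainElements | ForEach-Object { $_.Certificate.Subject }) -join ' <- ')
foreach ($status in $chain.ChainStatus) {
    "{0}: {1}" -f $status.Status, $status.StatusInformation.Trim()
}
```

A genuine self-signed certificate yields one chain element and, at most, an UntrustedRoot status until the DER file is trusted; any PartialChain or RevocationStatusUnknown entry means the store on that machine is resolving the certificate differently.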

Ewen
Jr. Member
Posts: 3
Joined: 05 Jul 2023, 11:13

Re: BadCertificateChainIncomplete and BadCertificateRevocationUnknown errors with Self-Signed Certificate

Post by Ewen »

OK, I understand.
How can I contact your sales department in order to get the Unified Automation OPC UA SDK?

Support Team
Hero Member
Posts: 3072
Joined: 18 Mar 2011, 15:09

Re: BadCertificateChainIncomplete and BadCertificateRevocationUnknown errors with Self-Signed Certificate

Post by Support Team »

Hi,

please use <sales@unified-automation.com> to contact the sales department.
Best regards
Unified Automation Support Team
