Hi,
i am using UA Expert on a "collector node" to connect to a Honeywell OPC UA Server (via Honeywell Server Selector) on another server. I am facing similar problem like in other chats here. If i try to connect, i get:
Error - unable to get local issuer certificate [BadCertificateChainIncomplete]
Error - unable to get certificate CRL [BadCertificateRevocationUnknown]
Error - unable to verify the first certificate [BadCertificateChainIncomplete]
The cerificate i am using is successfully trusted in the certmgr tool and the revocation list is also registered successfully in the certlm tool.
If i check the certificate on the "collector node" i can see the correct certification path and "This certificate is ok".
Any ideas where the problem is caused?
Many thanks
Alex
BadCertificateChainIncomplete
Moderator: uaexpert
-
Support Team
- Hero Member
- Posts: 3072
- Joined: 18 Mar 2011, 15:09
Re: BadCertificateChainIncomplete
Hello Alex,
where exactly do you see those errors? Are you using the windows certificate store?Error - unable to get local issuer certificate [BadCertificateChainIncomplete]
Error - unable to get certificate CRL [BadCertificateRevocationUnknown]
Error - unable to verify the first certificate [BadCertificateChainIncomplete]
Best regards
Unified Automation Support Team
Unified Automation Support Team
-
AlexS
- Jr. Member
- Posts: 4
- Joined: 25 Sep 2023, 15:25
Re: BadCertificateChainIncomplete
Hi,
the error message is shown in UAExpert, when i want to connect to the UA Server (Certificate Validation).
In Windows certification store the certs are looking good and are trusted (inkl. CA).
Thanks
Alex
the error message is shown in UAExpert, when i want to connect to the UA Server (Certificate Validation).
In Windows certification store the certs are looking good and are trusted (inkl. CA).
Thanks
Alex
-
Support Team
- Hero Member
- Posts: 3072
- Joined: 18 Mar 2011, 15:09
Re: BadCertificateChainIncomplete
Hello Alex,
the UaExpert does not use/support the Windows Certificate Store. It is working with the OpenSSL file store instead.
To add the issuer certificates and CRLs you can open the store in the GUI "Open Certificate Location" see:
https://documentation.unified-automation.com/uaexpert/1.7.0/html/gui.html#certificate_manager
Put the CA certificates in "PKI\issuers\certs" and the CRLs into "PKI\issuers\crl".
the UaExpert does not use/support the Windows Certificate Store. It is working with the OpenSSL file store instead.
To add the issuer certificates and CRLs you can open the store in the GUI "Open Certificate Location" see:
https://documentation.unified-automation.com/uaexpert/1.7.0/html/gui.html#certificate_manager
Put the CA certificates in "PKI\issuers\certs" and the CRLs into "PKI\issuers\crl".
Best regards
Unified Automation Support Team
Unified Automation Support Team
-
AlexS
- Jr. Member
- Posts: 4
- Joined: 25 Sep 2023, 15:25
Re: BadCertificateChainIncomplete
Good morning,
thank you very much for this note!
I will try according the linked documentation and give feedback here.
Alex
thank you very much for this note!
I will try according the linked documentation and give feedback here.
Alex
-
AlexS
- Jr. Member
- Posts: 4
- Joined: 25 Sep 2023, 15:25
Re: BadCertificateChainIncomplete
Sear Support team,
this was exact the correct information i needed.
After registering the certs/CRL with the UAExpert specific certification tool it works fine without any error message.
Thanks!!!
Alex
this was exact the correct information i needed.
After registering the certs/CRL with the UAExpert specific certification tool it works fine without any error message.
Thanks!!!
Alex