Request Assistance with "BadSecurityChecksFailed" Error

Questions regarding the use of the .NET SDK 2.0 for Server or Client development or integration into customer products ...

Moderator: uasdknet

Matchless6846
Full Member
Posts: 8
Joined: 09 Jul 2024, 02:44

Request Assistance with "BadSecurityChecksFailed" Error

Post by Matchless6846 »

The issue has been resolved. The root cause was identified as a misconfiguration in our deployment setup, which has now been addressed. Thank you for your cooperation and patience!

--------------------------------------------------

Dear Support Team,

We're encountering a persistent connection issue between UaExpert client and our OPC UA Server (SDK v4.1.0).
When establishing a secure channel using UaExpert v1.7.1, we receive the error:
Error 'BadSecurityChecksFailed' was returned during OpenSecureChannel

Server-side PKI directories show no client certificates in RejectedCertificates;
Server logs show no relevant security-related entries;
Basic256Sha256 policy with SignAndEncrypt mode is used consistently;
Recreated client certificate in UaExpert.

Our specific question is, are there known scenarios where security failures wouldn't generate server logs and client certificates wouldn't appear in PKI stores?

Thank you for your time and expertise!

Support Team
Hero Member
Posts: 3265
Joined: 18 Mar 2011, 15:09

Re: Request Assistance with "BadSecurityChecksFailed" Error

Post by Support Team »

Hi,

The rather unspecific "BadSecurityChecksFailed" unfortunately is hard to analyse. Your best approach is tracing on a detailed level (client and server side), which you already did. Over the network, OPC UA will not give detailed error descriptions; only the local trace/log can give more hints.

As you already assumed, the "untrusted" certificate is the most obvious reason. You should look this up on both sides (client and server). When using the UaExpert client, it will pop up a GUI with the "new" unknown certificate and ask for "trusting" it. On the server side, any "new" unknown certificate will be added to the quarantined "rejected" folder and wait for approval (move to trusted folder).

The server process should have "write" permission to the file system where the certificate file store is located.

Note: Make sure to not mix up application and user certificate, different things will end up in different certificate stores.
Best regards
Unified Automation Support Team
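
Added example (not part of the thread and not Unified Automation code): a small Python check for the file-system points raised in the reply above, namely whether the account running it can actually create files in the trusted and rejected store directories and which certificate files are waiting in the rejected one. The two directory paths are passed as arguments because the thread does not give them, and the certificate file suffixes are an assumption.

```python
import os
import sys
import tempfile
from pathlib import Path

# Assumed certificate file extensions; adjust to what the store really holds.
CERT_SUFFIXES = {".der", ".crt", ".cer", ".pem"}


def check_store(path):
    """Inspect one certificate store directory as the current OS user."""
    p = Path(path)
    info = {"path": str(p), "exists": p.is_dir(), "writable": False, "certs": []}
    if not info["exists"]:
        return info
    info["certs"] = sorted(f.name for f in p.iterdir()
                           if f.is_file() and f.suffix.lower() in CERT_SUFFIXES)
    try:
        # Create and delete a real file: permission bits alone can mislead
        # on read-only mounts or ACL-protected directories.
        fd, tmp = tempfile.mkstemp(prefix=".writetest-", dir=str(p))
        os.close(fd)
        os.unlink(tmp)
        info["writable"] = True
    except OSError:
        pass
    return info


def diagnose(trusted_dir, rejected_dir):
    """Return (code, message) findings for the two store directories."""
    findings = []
    for name, path in (("trusted", trusted_dir), ("rejected", rejected_dir)):
        info = check_store(path)
        if not info["exists"]:
            findings.append((f"{name}-missing", f"{path} is not a directory"))
        elif not info["writable"]:
            findings.append((f"{name}-not-writable",
                             f"this user cannot create files in {path}"))
        elif name == "rejected" and info["certs"]:
            findings.append(("rejected-pending",
                             f"awaiting approval: {', '.join(info['certs'])}"))
        elif name == "rejected":
            findings.append(("rejected-empty",
                             f"{path} is writable but empty; confirm the server "
                             "is configured to use this path"))
    return findings


if __name__ == "__main__" and len(sys.argv) == 3:
    for code, message in diagnose(sys.argv[1], sys.argv[2]):
        print(f"[{code}] {message}")
```

Run it under the same account as the server process, otherwise the write test says nothing about what the server itself is allowed to do.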
