Posted: 20 Jul 2016, 14:50
by ggokka
I have one certificate as a pfx file.
After starting the OPC Server with this pfx, I had to convert this pfx into a der file and a pem file, because the UaExpert tool allows only the der and pem formats.

Unfortunately, I've seen the messages below on the UaExpert side.

Unable to get local issuer certificateChate [BadCertificateChainIncomplete]
Unable to get certificate CRL [BadCertificateRevocationUnknown]
Unable to verify the first certificate [BadCertificateChainIncomplete]

Re: BadCertificateChainIncomplete

Posted: 22 Jul 2016, 12:11
by Support Team

There seems to be some massive misunderstanding. Why do you convert the certificate file?

The .NET Server SDK works only with certificates in .pfx format. In this format, both the public cert and the private key are contained. The server splits the pfx into the two portions automatically. The server sends - of course - only the public part of the certificate to the client, therefore converting the certificate is not needed for a secure communication.

If the certificate contains a chained issuer and a CA, the server will send the public portions of the complete chain to the client for verification. Again, there is no need to convert/split on your own.

However, when using CA and chained issuer certificates, you must have the corresponding revocation lists for each CA/issuer in the chain, because otherwise you would "trust" all certs that were "ever" signed by such a CA, without the possibility to revoke compromised certificates. That would be a massive security gap.

Best Regards
Support Team
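
The two situations the reply describes, reproduced with the openssl command line as an added example (this is not code from the forum thread, from UaExpert or from the SDK vendor). It builds a throwaway root CA, an issuing CA and a server certificate, packs key and chain into one .pfx the way the server holds it, and then runs the client-side checks that produce UaExpert's two messages: verifying without the issuing CA yields "unable to get local issuer certificate" (BadCertificateChainIncomplete), and verifying with full revocation checking but no CRLs yields "unable to get certificate CRL" (BadCertificateRevocationUnknown). It assumes only an openssl binary on PATH; the CA names, the pfx password "demo" and the application URI are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the forum thread or the SDK): throwaway root CA -> issuing
# CA -> OPC UA server chain, packed into a .pfx, then verified the way a client does.
#   BadCertificateChainIncomplete   - the verifier never received the issuer certificate
#   BadCertificateRevocationUnknown - the verifier has no CRL for a CA in the chain
# All names, the pfx password "demo" and the application URI are made up for the demo.
set -eu

DEMO_DIR=$(mktemp -d)

# Create the whole demo PKI in $DEMO_DIR (keys unencrypted only because they are
# throwaway material). All openssl chatter is silenced.
build_demo_pki() (
    cd "$DEMO_DIR"

    # Extension profiles: CAs may sign certificates and CRLs; the server cert may not.
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
    printf 'basicConstraints=CA:FALSE\nkeyUsage=critical,digitalSignature,keyEncipherment\nsubjectAltName=URI:urn:demo:opcua:server,DNS:opc-demo.local\n' > leaf.ext

    # 1. Self-signed root CA.
    openssl req -new -newkey rsa:2048 -nodes -keyout root.key -out root.csr -subj "/CN=Demo Root CA"
    openssl x509 -req -in root.csr -signkey root.key -days 30 -extfile ca.ext -out root.crt

    # 2. Issuing (intermediate) CA, signed by the root.
    openssl req -new -newkey rsa:2048 -nodes -keyout issuer.key -out issuer.csr -subj "/CN=Demo Issuing CA"
    openssl x509 -req -in issuer.csr -CA root.crt -CAkey root.key -CAcreateserial -days 30 -extfile ca.ext -out issuer.crt

    # 3. Server application certificate, signed by the issuing CA.
    openssl req -new -newkey rsa:2048 -nodes -keyout server.key -out server.csr -subj "/CN=DemoOpcUaServer"
    openssl x509 -req -in server.csr -CA issuer.crt -CAkey issuer.key -CAcreateserial -days 30 -extfile leaf.ext -out server.crt

    # 4. The .pfx the server loads: private key, server cert and the public chain.
    cat issuer.crt root.crt > chain.pem
    openssl pkcs12 -export -inkey server.key -in server.crt -certfile chain.pem -passout pass:demo -out server.pfx

    # 5. One (empty) CRL per CA; a client doing full revocation checking needs both.
    printf '[ca]\ndefault_ca=demo\n[demo]\ndatabase=index.txt\ncrlnumber=crlnumber\ndefault_md=sha256\ndefault_crl_days=30\n' > ca.cnf
    touch index.txt
    echo 01 > crlnumber
    openssl ca -config ca.cnf -gencrl -keyfile root.key -cert root.crt -out root.crl
    openssl ca -config ca.cnf -gencrl -keyfile issuer.key -cert issuer.crt -out issuer.crl
    cat root.crl issuer.crl > crls.pem
) >/dev/null 2>&1

# Number of certificates in the public part of the pfx: this is what the server sends;
# the private key stays inside the pfx.
pfx_public_cert_count() {
    openssl pkcs12 -in "$DEMO_DIR/server.pfx" -passin pass:demo -nokeys 2>/dev/null | grep -c 'BEGIN CERTIFICATE'
}

# Replay the client-side verification of the server certificate with the given
# openssl verify options; prints "accepted" or "rejected".
verify_server_cert() {
    if openssl verify "$@" "$DEMO_DIR/server.crt" >/dev/null 2>&1; then echo accepted; else echo rejected; fi
}

# Client trusts the root but never received the issuing CA: chain incomplete.
chain_without_issuer()    { verify_server_cert -CAfile "$DEMO_DIR/root.crt"; }
# The server supplied the issuing CA (from its pfx) as an untrusted intermediate.
chain_with_issuer()       { verify_server_cert -CAfile "$DEMO_DIR/root.crt" -untrusted "$DEMO_DIR/issuer.crt"; }
# Same complete chain, revocation checked for every CA, but no CRL is known.
revocation_without_crls() { verify_server_cert -crl_check_all -CAfile "$DEMO_DIR/root.crt" -untrusted "$DEMO_DIR/issuer.crt"; }
# ... and with the CRL of each CA in the chain available to the client.
revocation_with_crls()    { verify_server_cert -crl_check_all -CRLfile "$DEMO_DIR/crls.pem" -CAfile "$DEMO_DIR/root.crt" -untrusted "$DEMO_DIR/issuer.crt"; }

build_demo_pki
echo "certificates in the public part of the pfx: $(pfx_public_cert_count)"
echo "root trusted, issuer never received:        $(chain_without_issuer)"
echo "root trusted, issuer supplied by server:    $(chain_with_issuer)"
echo "full chain, CRL check, no CRLs:             $(revocation_without_crls)"
echo "full chain, CRL check, both CRLs:           $(revocation_with_crls)"
echo "demo files kept in $DEMO_DIR for inspection"
```

Run it with `sh`. The pfx's public part holds three certificates, so a server loading it can present the whole chain without any manual der/pem conversion. A client that trusts only the root and never receives the issuing CA cannot complete the chain, and a client that enforces revocation checking rejects an otherwise valid chain until it holds a CRL for every CA in it, which is the revocation-list requirement the reply insists on.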