Use Windows Store for certificate management

Posted: 04 Feb 2021, 14:39
by ArnaudDebaene
Hello,

My scenario is developing an OPC UA server application.

According to documentation, the .NET Server SDK uses its own, directory based, repository for certificates management (with subdirectories "issuers", "own", "rejected", "trusted").

Is there a way to use the Windows certificate store (either User or Machine) instead of this directory mechanism?

More specifically, is it possible that the SDK uses the "Root Authorities Certificates" sub-store to validate incoming client certificates (apart from the obvious but manual and tedious solution to export all these CA certificates as .der files)?
The reason is that administrators want to have a centralized mechanism to manage the PKI infrastructure, and do not want to have separate mechanisms for each application that uses PKI.

Concerning the server's own certificate, I found ApplicationInstanceBase.ChangeCertificate, which allows setting a certificate that is read from the Windows store. Is that the correct way to do it?

Thanks.

Re: Use Windows Store for certificate management

Posted: 28 Jul 2021, 17:01
by Unknown User
Hi,

I am also very interested in this topic.

Mainly I have 2 questions:

1) How do I manage to use a certificate from a Windows certificate store (X509Certificate2 from System.Security.Cryptography.X509Certificates) as the local application instance certificate?
I know the SecurityUtils.LoadCertificate method should be used for accomplishing this task and while I am able to create an ICertificate object with it, the Certificate does not include the private key, even though the original certificate it was loaded from has it.
I tried to add the private key after creation by setting the InternalCertificate.PrivateKey property, but I always get "ERROR: Operation is not supported on this platform." when trying to do this.
How do I solve this problem?

2) Is there a way to directly use a Windows certificate store as, e.g., the server's TrustedCertificateStore? If so, how can I accomplish this?
If not, what is the next best way? I was thinking of using the UntrustedCertificateEventHandler and manually looking for the provided certificate in the Windows certificate store. Is there an easier way?

Would really appreciate a response.

Best regards,
Stefan

Re: Use Windows Store for certificate management

Posted: 21 Apr 2023, 12:51
by benjamin.hadorn
Hi,

Is there any response to this post? I could not find any from UA.

Thanks,
Benjamin

Re: Use Windows Store for certificate management

Posted: 21 Apr 2023, 15:28
by Support Team
Hello,

The Windows Certificate Store is supported by the SDK. You can enable it in the configuration. You can find a template for this in the app.config of the DemoServer application.

Code:

    <StoreType>Windows</StoreType>
    <StorePath>LocalMachine\UA Applications</StorePath>

Note 1: You need to use ApplicationInstance from UaBase.Windows in your application code.

Note 2: CRLs are currently not supported in our Windows Certificate Store implementation.

Re: Use Windows Store for certificate management

Posted: 24 Apr 2023, 10:01
by wibbleboy
Apologies in advance if I'm hijacking this thread, but hopefully my question isn't too unrelated.

Based upon what I've seen so far with the Windows Certificate Store support in the UA SDK, it looks like it relies on all of the various certificates being within a single store, but I've not been able to find much documentation in this area.

We have an existing UA SDK based Client application which currently stores the certificates in PKI folders. The client and user certificates are here:

Code:

    C:\pki\own\

Trusted server certificates are here:

Code:

    C:\pki\trusted\

Untrusted server certificates are written here, so they can be moved to the trusted folder:

Code:

    C:\pki\rejected\

We wish to use the Windows Store to hold the server, user, and client certificates for secure connectivity. Initial attempts failed, since it looks like only a single Windows Store can be used at any given time for a SessionSecurityInfo.

Is that correct, and this should be possible, but only if we place all of these certificates in a specified Windows store?

Re: Use Windows Store for certificate management

Posted: 26 Apr 2023, 17:55
by Support Team
Hello,

Your last questions have been regarding the C++ SDK, so the answer in this thread may not help you. However, this is an interesting question.

In the OPC UA .NET SDK you can configure the Windows Certificate Store for the
* ApplicationInstance certificate
* Trusted Store
* Issuer Store

If you want to use the Windows Certificate Store for the User Certificates, you need to override ServerManager.InitializeUserCertificateValidator. This method must return a CertificateValidator that supports the WindowsCertificateStore.

Sample code:

Code:

    // Body of the ServerManager.InitializeUserCertificateValidator override;
    // settings and certificateCheckSettings come from the surrounding method.
    return new DefaultCertificateValidator(
        Application.SecurityProvider,
        new CertificateValidatorSettings()
        {
            // User certificates and their issuers are read from the Windows store
            TrustedStore = new WindowsCertificateStore(Application.SecurityProvider, settings.UserTrustedCertificateStore, true),
            IssuersStore = new WindowsCertificateStore(Application.SecurityProvider, settings.UserIssuerCertificateStore, true),
            // Rejected certificates still go to a directory store
            RejectedStore = new DirectoryCertificateStore(Application.SecurityProvider, settings.UserRejectedCertificateStore, true),
            CacheAfterValidation = false,
            DefaultCheckSettings = certificateCheckSettings?.Default,
            PerCertificateCheckSettings = certificateCheckSettings?.PerCertificateSettings
        },
        true);
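Added example, not code from the SDK or from anyone in this thread: plain .NET X509Store/X509Chain calls showing what the two roles discussed here look like against the LocalMachine\UA Applications store named in the config above (loading the application instance certificate with its private key, and validating a client certificate against the machine's CA stores). The helper class, the thumbprint lookup and the checkRevocation switch are assumptions.

```csharp
using System;
using System.Security.Cryptography.X509Certificates;

// Store name taken from the StorePath in the thread's config; the thumbprint
// lookup and the helper class itself are assumptions for this example.
static class WindowsStoreHelper
{
    // Load the application instance certificate and make sure the private key
    // is reachable: without it the server cannot sign the SecureChannel handshake.
    public static X509Certificate2 LoadOwnCertificate(string thumbprint)
    {
        using (var store = new X509Store("UA Applications", StoreLocation.LocalMachine))
        {
            store.Open(OpenFlags.ReadOnly);
            var found = store.Certificates.Find(X509FindType.FindByThumbprint, thumbprint, validOnly: false);
            if (found.Count == 0)
                throw new InvalidOperationException(@"Certificate not found in LocalMachine\UA Applications.");
            var cert = found[0];
            if (!cert.HasPrivateKey)
                throw new InvalidOperationException("Certificate has no private key; import the PFX with its key into this store.");
            return cert;
        }
    }

    // Validate a client certificate against the machine's Root/Intermediate CA
    // stores, which is what the original question asked for. Revocation is a
    // parameter because the SDK's Windows store implementation does not do CRLs.
    public static bool IsTrustedByWindowsStore(X509Certificate2 clientCert, bool checkRevocation)
    {
        using (var chain = new X509Chain())
        {
            chain.ChainPolicy.RevocationMode =
                checkRevocation ? X509RevocationMode.Online : X509RevocationMode.NoCheck;
            chain.ChainPolicy.RevocationFlag = X509RevocationFlag.ExcludeRoot;
            chain.ChainPolicy.VerificationFlags = X509VerificationFlags.NoFlag;
            bool trusted = chain.Build(clientCert);
            foreach (var status in chain.ChainStatus)   // empty when the chain is valid
                Console.WriteLine($"{status.Status}: {status.StatusInformation.Trim()}");
            return trusted;
        }
    }
}
```

On .NET Core and .NET 5+ the X509Certificate2.PrivateKey setter throws PlatformNotSupportedException (the "Operation is not supported on this platform" error quoted earlier in the thread); the key has to be part of the store entry, or attached with RSACertificateExtensions.CopyWithPrivateKey.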

Re: Use Windows Store for certificate management

Posted: 28 Apr 2023, 10:37
by wibbleboy
Thanks for the response.

Yes, we're still primarily using the C++ SDK, but are trying to keep up to date on the other platforms for possible future development.

When you stated that CRLs are not currently supported, is this expected in the future?