Use Windows Store for certificate management

Questions regarding the use of the .NET SDK 2.0 for Server or Client development or integration into customer products ...

Moderator: uasdknet

ArnaudDebaene
Jr. Member
Posts: 1
Joined: 16 Dec 2020, 15:59

Use Windows Store for certificate management

Post by ArnaudDebaene »

Hello,

My scenario is developing an OPC UA server application.

According to the documentation, the .NET Server SDK uses its own, directory-based repository for certificate management (with subdirectories "issuers", "own", "rejected", "trusted").

Is there a way to use the Windows certificate store (either User or Machine) instead of this directory mechanism?

More specifically, is it possible for the SDK to use the "Root Authorities Certificates" sub-store to validate incoming client certificates (apart from the obvious but manual and tedious solution of exporting all these CA certificates as .der files)?
The reason is that administrators want a centralized mechanism to manage the PKI infrastructure, and do not want separate mechanisms for each application that uses PKI.

Concerning the server's own certificate, I found ApplicationInstanceBase.ChangeCertificate, which allows setting a certificate that is read from the Windows store. Is that the correct way to do it?

Thanks.

Unknown User
Full Member
Posts: 5
Joined: 05 Jul 2021, 16:44

Re: Use Windows Store for certificate management

Post by Unknown User »

Hi,

I am also very interested in this topic.

Mainly I have 2 questions:

1) How do I manage to use a certificate from a Windows certificate store (X509Certificate2 from System.Security.Cryptography.X509Certificates) as the local application instance certificate?
I know the SecurityUtils.LoadCertificate method should be used for accomplishing this task and while I am able to create an ICertificate object with it, the Certificate does not include the private key, even though the original certificate it was loaded from has it.
I tried to add the private key after creation by setting the InternalCertificate.PrivateKey property, but I always get "ERROR: Operation is not supported on this platform." when trying to do this.
How do I solve this problem?

2) Is there a way to directly use a Windows certificate store as e.g. the server's TrustedCertificateStore? If so, how can I accomplish this?
If not, what is the next best way? I was thinking of using the UntrustedCertificateEventHandler and manually looking for the provided certificate in the Windows certificate store. Is there an easier way?

Would really appreciate a response.

Best regards,
Stefan

benjamin.hadorn
Jr. Member
Posts: 2
Joined: 30 Nov 2016, 14:52

Re: Use Windows Store for certificate management

Post by benjamin.hadorn »

Hi,

is there any response to this post? I could not find any from UA.

Thanks,
Benjamin

Support Team
Hero Member
Posts: 3064
Joined: 18 Mar 2011, 15:09

Re: Use Windows Store for certificate management

Post by Support Team »

Hello,

The Windows Certificate Store is supported by the SDK. You can enable it in the configuration. You can find a template for this in the app.config of the DemoServer application.

Code:

    <StoreType>Windows</StoreType>
    <StorePath>LocalMachine\UA Applications</StorePath>

Note 1: You need to use ApplicationInstance from UaBase.Windows in your application code.

Note 2: CRLs are currently not supported in our Windows Certificate Store implementation.
Best regards
Unified Automation Support Team
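The two recurring problems in this thread are (a) confirming that the Windows store named in the SDK's StorePath (for example "LocalMachine\UA Applications") really holds the expected certificates, and (b) Stefan's observation that a certificate loaded from the store turns up without a usable private key. The following is an added example for this thread, not code from Unified Automation or its SDK: it uses only the .NET base class library (System.Security.Cryptography.X509Certificates) to open an SDK-style store path, list its contents, and verify that the private key of a given certificate can actually be opened by the current process. The "Location\StoreName" parsing, the ParseStorePath/ListStore/CanUsePrivateKey names and the thumbprint placeholder are this example's own assumptions.

```csharp
// Added example for this thread, not code from Unified Automation or its SDK.
// Plain .NET (System.Security.Cryptography) code that opens the Windows store
// named by an SDK-style <StorePath> such as "LocalMachine\UA Applications",
// lists its contents, and checks that a given certificate's private key can
// really be used by the current process. Assumes .NET 6+ on Windows.
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

public static class WindowsStoreCheck
{
    // Split "<Location>\<StoreName>" into BCL types. Assumption: the SDK's
    // StorePath uses the same layout the support answer shows.
    public static (StoreLocation Location, string Name) ParseStorePath(string storePath)
    {
        int sep = storePath.IndexOf('\\');
        if (sep < 0)
            throw new ArgumentException($"Expected '<Location>\\<StoreName>', got '{storePath}'");

        string location = storePath.Substring(0, sep);
        string name = storePath.Substring(sep + 1);

        if (location.Equals("LocalMachine", StringComparison.OrdinalIgnoreCase))
            return (StoreLocation.LocalMachine, name);
        if (location.Equals("CurrentUser", StringComparison.OrdinalIgnoreCase))
            return (StoreLocation.CurrentUser, name);
        throw new ArgumentException($"Unknown store location '{location}'");
    }

    // Print every certificate in the store so an administrator can confirm the
    // application instance certificate and the trusted peers actually landed there.
    public static void ListStore(string storePath)
    {
        var (location, name) = ParseStorePath(storePath);
        using var store = new X509Store(name, location);
        store.Open(OpenFlags.ReadOnly | OpenFlags.OpenExistingOnly);

        Console.WriteLine($"{storePath}: {store.Certificates.Count} certificate(s)");
        foreach (X509Certificate2 cert in store.Certificates)
        {
            Console.WriteLine($"  {cert.Thumbprint}  key={cert.HasPrivateKey,-5}  " +
                              $"exp={cert.NotAfter:yyyy-MM-dd}  {cert.Subject}");
        }
    }

    // True only if the certificate is in the store AND its private key can be
    // opened. HasPrivateKey merely says a key is linked to the certificate; a
    // key that is linked but not accessible (service account lacks read rights
    // on the key, or the key lives in a provider the runtime cannot open)
    // surfaces here as a CryptographicException.
    public static bool CanUsePrivateKey(string storePath, string thumbprint)
    {
        var (location, name) = ParseStorePath(storePath);
        using var store = new X509Store(name, location);
        store.Open(OpenFlags.ReadOnly | OpenFlags.OpenExistingOnly);

        X509Certificate2Collection found = store.Certificates.Find(
            X509FindType.FindByThumbprint, thumbprint, validOnly: false);
        if (found.Count == 0)
        {
            Console.WriteLine($"No certificate {thumbprint} in {storePath}");
            return false;
        }

        X509Certificate2 cert = found[0];
        if (!cert.HasPrivateKey)
        {
            Console.WriteLine($"{cert.Subject}: no private key linked to this certificate");
            return false;
        }

        try
        {
            using RSA rsa = cert.GetRSAPrivateKey();
            if (rsa != null) return true;
            using ECDsa ecdsa = cert.GetECDsaPrivateKey();
            return ecdsa != null;
        }
        catch (CryptographicException ex)
        {
            Console.WriteLine($"{cert.Subject}: private key present but not accessible: {ex.Message}");
            return false;
        }
    }

    public static void Main(string[] args)
    {
        // Defaults mirror the support answer; the thumbprint is a placeholder to replace.
        string storePath = args.Length > 0 ? args[0] : @"LocalMachine\UA Applications";
        string thumbprint = args.Length > 1 ? args[1] : "<THUMBPRINT-OF-APP-CERT>";

        ListStore(storePath);
        Console.WriteLine(CanUsePrivateKey(storePath, thumbprint)
            ? "Private key usable: OK for the application instance certificate"
            : "Private key NOT usable: fix the store or key permissions before starting the server");
    }
}
```

Run it under the same account the OPC UA server process will use (for a Windows service, the service account), because private-key permissions are granted per account: a certificate that works in an interactive developer session can still fail with "no private key" for the service. If CanUsePrivateKey reports the key as present but not accessible, grant that account read access to the key (certlm.msc, right-click the certificate, All Tasks, Manage Private Keys) rather than re-importing the certificate.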

wibbleboy
Full Member
Posts: 9
Joined: 02 Jun 2020, 10:25

Re: Use Windows Store for certificate management

Post by wibbleboy »

Apologies in advance if I'm hijacking this thread, but hopefully my question isn't too unrelated.

Based upon what I've seen so far with the Windows Certificate Store support in the UA SDK, it looks like it relies on all of the various certificates being within a single store, but I've not been able to find much documentation in this area.

We have an existing UA SDK based Client application which currently stores the certificates in PKI folders. The client and user certificates are here:

Code:

    C:\pki\own\

Trusted server certificates are here:

Code:

    C:\pki\trusted\

Untrusted server certificates are written here, so they can be moved to the trusted folder:

Code:

    C:\pki\rejected\

We wish to use the Windows Store to hold the server, user, and client certificates for secure connectivity. Initial attempts failed, since it looks like only a single Windows Store can be used at any given time for a SessionSecurityInfo.

Is that correct, and this should be possible, but only if we place all of these certificates in a specified Windows store?

Support Team
Hero Member
Posts: 3064
Joined: 18 Mar 2011, 15:09

Re: Use Windows Store for certificate management

Post by Support Team »

Hello,

Your last questions have been regarding the C++ SDK, so the answer in this thread may not help you. However, this is an interesting question.

In the OPC UA .NET SDK you can configure the Windows Certificate Store for the
* ApplicationInstance certificate
* Trusted Store
* Issuer Store

If you want to use the Windows Certificate Store for the User Certificates, you need to override ServerManager.InitializeUserCertificateValidator. This method must return a CertificateValidator that supports the WindowsCertificateStore.

Sample code:

Code:

    // Body of the overridden ServerManager.InitializeUserCertificateValidator:
    // trusted and issuer user certificates are read from Windows stores,
    // rejected certificates are still written to a directory store.
    return new DefaultCertificateValidator(
        Application.SecurityProvider,
        new CertificateValidatorSettings()
        {
            TrustedStore = new WindowsCertificateStore(Application.SecurityProvider, settings.UserTrustedCertificateStore, true),
            IssuersStore = new WindowsCertificateStore(Application.SecurityProvider, settings.UserIssuerCertificateStore, true),
            RejectedStore = new DirectoryCertificateStore(Application.SecurityProvider, settings.UserRejectedCertificateStore, true),
            CacheAfterValidation = false,
            DefaultCheckSettings = certificateCheckSettings?.Default,
            PerCertificateCheckSettings = certificateCheckSettings?.PerCertificateSettings
        },
        true);

Best regards
Unified Automation Support Team

wibbleboy
Full Member
Posts: 9
Joined: 02 Jun 2020, 10:25

Re: Use Windows Store for certificate management

Post by wibbleboy »

Thanks for the response.

Yes, we're still primarily using the C++ SDK, but are trying to keep up to date on the other platforms for possible future development.

When you stated that CRLs are not currently supported, is this expected in the future?
