Deploying Certificates to a Server

Questions regarding the use of the .NET SDK 2.0 for Server or Client development or integration into customer products ...

Moderator: uasdknet

node.dave
Sr. Member
Posts: 10
Joined: 24 Feb 2023, 21:27

Deploying Certificates to a Server

Post by node.dave »

I'm building a server meant to simulate a device that our software will configure on first use, and I'm working with the 3.3.0 SDK. One of the tasks we must perform when we first connect to this server is to write trusted application certificates and issuer certificate(s) to it.

The ServerConfiguration_CertificateGroups_DefaultApplicationGroup_TrustList object has an AddCertificate method that works for either trusted certificates or issuer certificates, depending upon whether the IsTrustedCertificate parameter has been set. The main issue I have with this is that it's leftover behavior from the 1.04 spec; the 1.05.02 spec says that "issuer certificates cannot be added with this method," and setting IsTrustedCertificate to false should result in Bad_CertificateInvalid being returned. It seems likely that I shouldn't depend on AddCertificate going forward, at least for issuer certificates.

The 1.05.02 spec goes on in the AddCertificate description to say, "Instead, CA Certificates and their CRLs shall be managed with the Write Method on the containing TrustList Object."

Workable in theory, but the trouble I have there is that if I use the Open method to open that TrustList in write mode (bit 1 set), UaExpert reports "Failed with error 'BadNotSupported | The mode is not allowed.'" In fact, I only seem to be able to open that TrustList in Read mode (bit 0 set). The object has the Writable and UserWritable set to true, and the UserRolePermissions show up as "Browse, ReadRolePermissions, Read, Write, and Call," since I'm accessing with SecurityAdmin role privileges.

Is there some issue server-side with writing to this TrustList? Or is there yet some third method of deploying certificates to the server?

Thanks,
Dave

node.dave
Sr. Member
Posts: 10
Joined: 24 Feb 2023, 21:27

Re: Deploying Certificates to a Server

Post by node.dave »

For the benefit of others who might encounter this, here is the resolution provided by Unified Automation support:
Please open the TrustList with EraseExisting.
OPC UA specification Part 12, 7.8.2.1:
"The Open Method shall not support modes other than Read (0x01) and the Write + EraseExisting (0x06)."
This opens the TrustList just fine.

Dave
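The Open-mode rule quoted above (only Read = 0x01 and Write + EraseExisting = 0x06 are accepted, anything else gives BadNotSupported) and the 1.05.02 AddCertificate rule from the first post, as an added example that is not part of the thread or of the Unified Automation SDK: a small constructed model of a TrustList object's Open/Write/CloseAndUpdate flow. The status-code names follow the OPC UA specification; the class, its methods and the dict used in place of TrustListDataType are hypothetical stand-ins.

```python
# Constructed model of an OPC UA TrustList object (Part 12, 7.8.2.1). Not SDK code.
from dataclasses import dataclass, field

OPEN_READ, OPEN_WRITE, OPEN_ERASE_EXISTING = 0x01, 0x02, 0x04
# The only two modes Open is required to accept: 0x01 and 0x06.
ALLOWED_MODES = {OPEN_READ, OPEN_WRITE | OPEN_ERASE_EXISTING}


@dataclass
class TrustList:
    trusted: list = field(default_factory=list)   # trusted application certs
    issuers: list = field(default_factory=list)   # CA (issuer) certs
    _handles: dict = field(default_factory=dict)
    _next_handle: int = 1

    def open(self, mode: int):
        """Returns (status, file_handle). Write alone (0x02) is rejected."""
        if mode not in ALLOWED_MODES:
            return "BadNotSupported", None      # what UaExpert reported for 0x02
        handle, self._next_handle = self._next_handle, self._next_handle + 1
        self._handles[handle] = {"mode": mode, "buffer": None}
        return "Good", handle

    def write(self, handle: int, data: dict):
        """data stands in for a TrustListDataType: {'trusted': [...], 'issuers': [...]}."""
        h = self._handles.get(handle)
        if h is None:
            return "BadInvalidArgument"         # unknown file handle
        if not h["mode"] & OPEN_WRITE:
            return "BadInvalidState"            # handle was opened read-only
        h["buffer"] = data
        return "Good"

    def close_and_update(self, handle: int):
        """Applies the written list; with EraseExisting it replaces the stored one."""
        h = self._handles.pop(handle, None)
        if h is None:
            return "BadInvalidArgument"
        if h["mode"] & OPEN_ERASE_EXISTING and h["buffer"] is not None:
            self.trusted = list(h["buffer"].get("trusted", []))
            self.issuers = list(h["buffer"].get("issuers", []))
        return "Good"

    def add_certificate(self, cert: bytes, is_trusted: bool):
        """1.05.02 AddCertificate: issuer certificates are no longer accepted."""
        if not is_trusted:
            return "BadCertificateInvalid"
        self.trusted.append(cert)
        return "Good"
```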
