Deploying Certificates to a Server
Posted: 06 Apr 2023, 21:18
I'm building a server meant to simulate a device that our software will configure on first use, and I'm working with the 3.3.0 SDK. One of the tasks we must perform when we first connect to this server is to write trusted application certificates and issuer certificate(s) to it.
The ServerConfiguration_CertificateGroups_DefaultApplicationGroup_TrustList object has an AddCertificate method that works for either trusted certificates or issuer certificates, depending upon whether the IsTrustedCertificate parameter has been set. The main issue I have with this is that it's leftover behavior from the 1.04 spec; the 1.05.02 spec says that "issuer certificates cannot be added with this method," and setting IsTrustedCertificate to false should result in Bad_CertificateInvalid being returned. It seems likely that I shouldn't depend on AddCertificate going forward, at least for issuer certificates.
The 1.05.02 spec goes on in the AddCertificate description to say, "Instead, CA Certificates and their CRLs shall be managed with the Write Method on the containing TrustList Object."
Workable in theory, but the trouble I have there is that if I use the Open method to open that TrustList in write mode (bit 1 set), UaExpert reports "Failed with error 'BadNotSupported | The mode is not allowed.'" In fact, I only seem to be able to open that TrustList in Read mode (bit 0 set). The object has the Writable and UserWritable set to true, and the UserRolePermissions show up as "Browse, ReadRolePermissions, Read, Write, and Call," since I'm accessing with SecurityAdmin role privileges.
Is there some issue server-side with writing to this TrustList? Or is there yet some third method of deploying certificates to the server?
Thanks,
Dave
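The Write path the 1.05.02 text points to takes the binary-encoded TrustListDataType defined in OPC UA Part 12 (a SpecifiedLists mask followed by four ByteString arrays: trusted certificates, trusted CRLs, issuer certificates, issuer CRLs). The following is an added Python example, not code from the post, the SDK or UaExpert, that builds and parses that encoding with the standard OPC UA binary rules and refuses to encode a list whose TrustListMasks bit is not set, since a server only applies the lists named in SpecifiedLists. The field order and mask values are taken from Part 12; the certificate and CRL bytes are constructed placeholders.

```python
"""Encode/decode the OPC UA TrustListDataType (Part 12) in OPC UA binary form.

Added example. The layout assumed here is Part 12's definition:
  UInt32 SpecifiedLists (TrustListMasks bits), then
  ByteString[] TrustedCertificates, TrustedCrls, IssuerCertificates, IssuerCrls.
Arrays and ByteStrings are Int32 length-prefixed; -1 denotes null.
"""
import struct

# TrustListMasks enumeration (OPC UA Part 12)
TRUSTED_CERTIFICATES = 0x1
TRUSTED_CRLS = 0x2
ISSUER_CERTIFICATES = 0x4
ISSUER_CRLS = 0x8
ALL_MASKS = 0xF

# Field order after SpecifiedLists, each paired with the mask bit that enables it
_FIELDS = (
    ("trusted_certificates", TRUSTED_CERTIFICATES),
    ("trusted_crls", TRUSTED_CRLS),
    ("issuer_certificates", ISSUER_CERTIFICATES),
    ("issuer_crls", ISSUER_CRLS),
)


def _encode_bytestring_array(items):
    # OPC UA array: Int32 element count, then each ByteString as Int32 length + bytes
    out = struct.pack("<i", len(items))
    for item in items:
        out += struct.pack("<i", len(item)) + bytes(item)
    return out


def encode_trust_list(specified_lists, **lists):
    """Return the binary encoding of a TrustListDataType.

    Lists not named in SpecifiedLists are emitted empty; supplying content
    for such a list is rejected, because the server would silently ignore it.
    """
    if specified_lists & ~ALL_MASKS:
        raise ValueError("unknown bits in SpecifiedLists")
    buf = struct.pack("<I", specified_lists)
    for name, mask in _FIELDS:
        items = lists.get(name, [])
        if items and not (specified_lists & mask):
            raise ValueError(f"{name} given but its TrustListMasks bit is not set")
        buf += _encode_bytestring_array(items if specified_lists & mask else [])
    return buf


def _decode_bytestring_array(buf, pos):
    (count,) = struct.unpack_from("<i", buf, pos)
    pos += 4
    items = []
    for _ in range(max(count, 0)):  # count == -1 is a null array: no elements
        (length,) = struct.unpack_from("<i", buf, pos)
        pos += 4
        if length < 0:  # null ByteString: treat as empty
            items.append(b"")
            continue
        if pos + length > len(buf):
            raise ValueError("ByteString length exceeds remaining buffer")
        items.append(buf[pos:pos + length])
        pos += length
    return items, pos


def decode_trust_list(buf):
    """Parse a TrustListDataType as returned by Read on the TrustList object."""
    (specified,) = struct.unpack_from("<I", buf, 0)
    pos = 4
    result = {"specified_lists": specified}
    for name, _ in _FIELDS:
        result[name], pos = _decode_bytestring_array(buf, pos)
    if pos != len(buf):
        raise ValueError("trailing bytes after TrustListDataType")
    return result


if __name__ == "__main__":
    # Constructed placeholder DER blobs, not real certificates or CRLs
    payload = encode_trust_list(
        ISSUER_CERTIFICATES | ISSUER_CRLS,
        issuer_certificates=[b"<placeholder CA DER>"],
        issuer_crls=[b"<placeholder CRL DER>"],
    )
    print(len(payload), "bytes ->", decode_trust_list(payload))
```

The round trip mirrors the Open (write mode) / Write / CloseAndUpdate sequence: the bytes returned by `encode_trust_list` are what the Write method carries, and `decode_trust_list` reads back what Read returns, so the two can be compared before and after an update to confirm the server applied exactly the issuer lists that were sent.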