I'm trying to connect UAExpert to an OPC UA server with certificates.
To do this I generate a certificate with a CA, but how do I make UAExpert use that?
Even if I set a certificate in the server settings, then UAExpert is using .config/unifiedautomation/uaexpert/PKI/own/certs/uaexpert.der
Non self signed certificate
- Support Team
- Hero Member
- Posts: 3068
- Joined: 18 Mar 2011, 15:09
Re: Non self signed certificate
Hi,
What you try to do is not possible. The UaExpert (like all other good OPC UA implementations) creates a self-signed certificate. This certificate can be "signed by" a CA. For that the application must create a "signing request", and the CA must sign the certificate. What you get in return from the CA can then be used. However, you can not (and should not) use the CA certificate directly (it does not match your private key).
On the server side you must trust the UaExpert's self-signed cert OR alternatively you can trust the CA-signed OR you trust the CA (and everything that this CA has signed).
Best regards
Unified Automation Support Team
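The signing-request flow described in the reply above, as an added example that is not part of the original thread and not UaExpert's own procedure. It uses the `openssl` command line with a throwaway CA (file names, subject names and the ApplicationUri are constructed) and checks that the CA-signed certificate matches the application's private key while the CA certificate does not.

```shell
#!/bin/sh
# Added example: throwaway CA and application key; every name here is constructed.
set -eu

# Fingerprint of the public key held in a private key file.
key_pub()  { openssl pkey -in "$1" -pubout | openssl dgst -sha256; }
# Fingerprint of the public key that a PEM certificate certifies.
cert_pub() { openssl x509 -in "$1" -noout -pubkey | openssl dgst -sha256; }
# True when the certificate ($1) belongs to the private key ($2).
cert_matches_key() { [ "$(cert_pub "$1")" = "$(key_pub "$2")" ]; }
# True when the certificate ($1) chains to the CA certificate ($2).
chains_to_ca() { openssl verify -CAfile "$2" "$1" >/dev/null 2>&1; }

# Create demo CA, application key, CSR and CA-signed certificate in directory $1.
make_demo_pki() {
    dir=$1
    # Throwaway CA, standing in for the CA you really use.
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Demo CA" \
        -keyout "$dir/ca.key" -out "$dir/ca.csr" 2>/dev/null
    printf 'basicConstraints=critical,CA:TRUE\n' > "$dir/ca.ext"
    openssl x509 -req -in "$dir/ca.csr" -signkey "$dir/ca.key" -days 30 \
        -extfile "$dir/ca.ext" -out "$dir/ca.pem" 2>/dev/null
    # The application makes its own key pair and a signing request (CSR).
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=DemoUaClient" \
        -keyout "$dir/app.key" -out "$dir/app.csr" 2>/dev/null
    # OPC UA application certificates carry the ApplicationUri as a SAN URI
    # (the URI below is a placeholder).
    printf 'subjectAltName=URI:urn:example:DemoUaClient\n' > "$dir/app.ext"
    # The CA signs the request; only the CSR left the application, not app.key.
    openssl x509 -req -in "$dir/app.csr" -CA "$dir/ca.pem" -CAkey "$dir/ca.key" \
        -CAcreateserial -days 30 -extfile "$dir/app.ext" \
        -out "$dir/app.pem" 2>/dev/null
}

work=$(mktemp -d)
make_demo_pki "$work"
for cert in app.pem ca.pem; do
    if cert_matches_key "$work/$cert" "$work/app.key"; then
        echo "$cert matches app.key: usable as the application certificate"
    else
        echo "$cert does not match app.key: cannot be the application certificate"
    fi
done
chains_to_ca "$work/app.pem" "$work/ca.pem" && echo "app.pem chains to the demo CA"
rm -rf "$work"
```

A server that trusts `ca.pem` accepts `app.pem` through the chain check; a server that trusts only individual certificates needs `app.pem` itself in its trust list.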
- Jr. Member
- Posts: 1
- Joined: 28 Jul 2021, 20:48
Re: Non self signed certificate
How do you create a CSR from UAExpert?
Re: Non self signed certificate
Hi,
In UaExpert v1.5.x series you can't CSR for UaExpert. However, the UaExpert (GDS Push View) can ask UA Servers to CSR and can push new (self-signed or CA-signed) certificates down to the UA Server. In that case UaExpert acts as a GDS-Client (with "Push" functionality), but UaExpert can not be the CA and can not act as a full blown GDS.
In UaExpert v1.6.x series there will be more GDS featured functionalities coming up, including the ability of UaExpert to register itself to an external GDS and the ability to CSR for itself with that GDS.
Best regards
Unified Automation Support Team