Hello,
I'm trying to use certificates signed by a Certification Authority to avoid having to move the client certificate from rejected to trusted folder on the server side manually.
I'm testing with UaExpert and my Server Application that is based on the Unified Automation C++ SDK. I'm using OpenSSL.
Just for testing I also installed a CA trusted certificate on the server side to see what UaExpert has to say about the trust chain.
I feel I have set up everything (key, certificate, CRL) correctly on both sides, but still server and client require me to manually trust the other party's certificate in order to create the secure channel.
I attached screenshots of the UaExpert Certificate Validation window as well as a log file from the server.
I hope somebody can give me some advice.
Best regards,
Manuel
Trying to use certificates signed by CA
Re: Trying to use certificates signed by CA
Hello,
I have no solution, but I want to confirm that I have the same problem (strangely at exactly the same time).
The steps that I have taken:
- I have set up a CA with OpenSSL with a CA certificate and generated a CRL.
- I have generated a server certificate and a client certificate that are signed by the CA.
- I have copied the server certificate, server private key, issuer certificate and certificate revocation list to the corresponding PKI folders in the server (own developed server in C++ with the SDK).
- I have copied the client certificate, client private key, issuer certificate and certificate revocation list to the corresponding PKI folders in the client (UaExpert).
- Error message BadCertificateUntrusted
- The CA certificate has a green checkmark and "Known Issuer" as trust status
- The server certificate has a green check mark and "Untrusted" as trust status
Re: Trying to use certificates signed by CA
Hi,
I now do have a solution. It is quite simple.
The CA certificate needs to be stored under the trusted\certs folder.
The CA certificate under issuers\certs can be removed.
The CA CRL can be stored under issuers\crl or trusted\crl; both work.
This solution works on both sides, client (UaExpert) and server.
This is the tree I had before that did not work:
Code:
pkiserver
|
+---issuers
|   +---certs
|   |       E1408D5B4129D658323C99BB83E02E061C5EC649.der
|   |
|   \---crl
|           E1408D5B4129D658323C99BB83E02E061C5EC649.pem
|
+---own
|   +---certs
|   |       server.der
|   |
|   \---private
|           server.pem
|
+---rejected
\---trusted
    +---certs
    \---crl
And this here works:
Code:
pkiserver
|
+---issuers
|   +---certs
|   \---crl
|           E1408D5B4129D658323C99BB83E02E061C5EC649.pem
|
+---own
|   +---certs
|   |       server.der
|   |
|   \---private
|           server.pem
|
+---rejected
\---trusted
    +---certs
    |       E1408D5B4129D658323C99BB83E02E061C5EC649.der
    |
    \---crl
Maarten_BE, I hope this helps you.
Best regards,
Manuel
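A model of the trust decision behind this post, as an added example that is neither from the thread nor from the Unified Automation SDK: it rebuilds the two trees above in temporary folders and shows why only the second one yields a trusted server certificate, and how a CA in issuers\certs still matters for chain building. It assumes store files are named by the SHA-1 thumbprint of the DER certificate (as the 40-character names in the trees suggest) and uses constructed byte strings in place of real certificates.

```python
import hashlib
import tempfile
from pathlib import Path

# Status codes the validator reports (BadCertificateUntrusted as seen in the thread; the others are OPC UA codes)
GOOD, BAD_UNTRUSTED = "Good", "BadCertificateUntrusted"
BAD_CHAIN_INCOMPLETE, BAD_REVOKED = "BadCertificateChainIncomplete", "BadCertificateRevoked"
STORE_FOLDERS = ["issuers/certs", "issuers/crl", "own/certs", "own/private",
                 "rejected", "trusted/certs", "trusted/crl"]
# Constructed stand-ins for DER-encoded certificates: only their hash matters in this model.
CA_DER = b"constructed DER of the CA certificate"
SERVER_DER = b"constructed DER of the server certificate signed by that CA"

def thumbprint(der: bytes) -> str:
    """SHA-1 of the DER bytes, upper-case hex: assumed to be the file name the store uses (see the trees above)."""
    return hashlib.sha1(der).hexdigest().upper()

def store_thumbprints(pki_root: Path, folder: str) -> set:
    """Thumbprints of every *.der file in one store folder."""
    return {p.stem.upper() for p in (pki_root / folder).glob("*.der")}

def validate_chain(chain_der: list, pki_root: Path, revoked=frozenset()) -> str:
    """Model of the OPC UA trust rule. chain_der is [peer cert, its issuer, ..., root];
    revoked holds thumbprints taken from the CRLs. A certificate in trusted/certs is a
    trust anchor for everything it issued; issuers/certs only helps to build the chain."""
    trusted = store_thumbprints(pki_root, "trusted/certs")
    issuers = store_thumbprints(pki_root, "issuers/certs")
    thumbs = [thumbprint(c) for c in chain_der]
    if any(t in revoked for t in thumbs):
        return BAD_REVOKED
    if any(t not in (trusted | issuers) for t in thumbs[1:]):   # an issuer is unknown: no chain
        return BAD_CHAIN_INCOMPLETE
    return GOOD if any(t in trusted for t in thumbs) else BAD_UNTRUSTED

def make_store(pki_root: Path, ca_folder: str) -> None:
    """Create the SDK folder layout and place the CA certificate in ca_folder."""
    for folder in STORE_FOLDERS:
        (pki_root / folder).mkdir(parents=True, exist_ok=True)
    (pki_root / ca_folder / (thumbprint(CA_DER) + ".der")).write_bytes(CA_DER)

def compare_layouts() -> tuple:
    """Validate the same CA-signed server certificate against both trees from the post."""
    before, after = Path(tempfile.mkdtemp()), Path(tempfile.mkdtemp())
    make_store(before, "issuers/certs")   # the tree that did not work
    make_store(after, "trusted/certs")    # the tree that works
    chain = [SERVER_DER, CA_DER]
    return validate_chain(chain, before), validate_chain(chain, after)

if __name__ == "__main__":
    print(compare_layouts())   # ('BadCertificateUntrusted', 'Good')
```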
Re: Trying to use certificates signed by CA
Yes, having the Root CA certificate in the trusted list also solved it for me.
Thanks!
Re: Trying to use certificates signed by CA
This workaround also works for me, but what kind of certificates are stored in the issuers folder? I always thought that this is the location for CA certificates.
Support Team
Re: Trying to use certificates signed by CA
Here you can find background information regarding certificate management in OPC UA:
http://documentation.unified-automation ... rtificates
Best regards
Unified Automation Support Team