Trying to use certificates signed by CA

Unified Architecture topics related to OPC UA Specification, compliant behavior and any technical issues of OPC UA, like Security, Information Model, Companion Specs DI, PLCopen, ADI, ...

Moderator: Support Team

manuel.bliemel
Sr. Member
Posts: 10
Joined: 23 Mar 2016, 13:17

Trying to use certificates signed by CA

Post by manuel.bliemel »

Hello,

I'm trying to use certificates signed by a Certification Authority to avoid having to move the client certificate from the rejected to the trusted folder on the server side manually.

I'm testing with UaExpert and my Server Application that is based on the Unified Automation C++ SDK. I'm using OpenSSL.
Just for testing I also installed a CA trusted certificate on the server side to see what UaExpert has to say about the trust chain.

I feel I have set up everything (key, certificate, CRL) correctly on both sides, but still server and client require me to manually trust the other party's certificate in order to create the secure channel.

I attached screenshots of the UaExpert Certification Validation window as well as a log file from the server.

Hope somebody can give me some advice.

Best regards,
Manuel

Maarten_BE
Sr. Member
Posts: 18
Joined: 25 Feb 2015, 15:58

Re: Trying to use certificates signed by CA

Post by Maarten_BE »

Hello,

I have no solution, but I want to confirm that I have the same problem (strangely at exactly the same time).

The steps that I have taken:
  • I have set up a CA with openssl, with a CA certificate, and generated a CRL.
  • I have generated a server certificate and a client certificate that are signed by the CA.
  • I have copied the server certificate, server private key, issuer certificate and certificate revocation list to the corresponding PKI folders in the server (an own-developed server in C++ with the SDK).
  • I have copied the client certificate, client private key, issuer certificate and certificate revocation list to the corresponding PKI folders in the client (UaExpert).
When connecting from UaExpert to my server using the Basic128Rsa15 security profile I see (the same as in the screenshot of manuel.bliemel):
  • Error message BadCertificateUntrusted
  • The CA certificate has a green checkmark and "Known Issuer" as trust status
  • The server certificate has a green checkmark and "Untrusted" as trust status
I would expect that UaExpert now trusts the server and is able to connect without a manual trust confirmation by the user, but for some reason this is not the case.

manuel.bliemel
Sr. Member
Posts: 10
Joined: 23 Mar 2016, 13:17

Re: Trying to use certificates signed by CA

Post by manuel.bliemel »

Hi,

I now do have a solution. It is quite simple.

The CA certificate needs to be stored under the trusted\certs folder.
The CA certificate under issuers\certs can be removed.
The CA CRL can be stored under issuers\crl or trusted\crl; both work.

This solution works on both sides, client (UaExpert) and server.

This is the tree I had before that did not work:


pkiserver
|   
+---issuers
|   +---certs
|   |       E1408D5B4129D658323C99BB83E02E061C5EC649.der
|   |       
|   \---crl
|           E1408D5B4129D658323C99BB83E02E061C5EC649.pem
|           
+---own
|   +---certs
|   |       server.der
|   |       
|   \---private
|           server.pem
|           
+---rejected
\---trusted
    +---certs
    \---crl
And this here works:


pkiserver
|   
+---issuers
|   +---certs
|   \---crl
|           E1408D5B4129D658323C99BB83E02E061C5EC649.pem
|           
+---own
|   +---certs
|   |       server.der
|   |       
|   \---private
|           server.pem
|           
+---rejected
\---trusted
    +---certs
    |       E1408D5B4129D658323C99BB83E02E061C5EC649.der
    |       
    \---crl
Maarten_BE, I hope this helps you.

Best regards,
Manuel
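
The CA set-up Maarten_BE lists above and the folder layout Manuel found to work, carried through end to end as an added example. This is not code from the posters or from the Unified Automation SDK: it builds a throw-away CA with openssl, issues a server and a client certificate with the subjectAltName URI that OPC UA peers match against the ApplicationUri, publishes a CRL, and writes the SDK-style pkiserver tree twice, once with the CA certificate under issuers/certs (the tree that did not work) and once under trusted/certs (the tree that did). The CA name "opcua-demo-ca", the ApplicationUris and host names are made up, openssl 1.1.1 or newer is assumed, and check_peer is a model of the trust decision built on openssl verify, not the SDK's own validator.

```shell
#!/bin/sh
# Added example (not the forum posters' code, not the Unified Automation SDK).
# Throw-away CA + OPC UA server/client certificates + CRL, laid out in an
# SDK-style pki tree. CA name, ApplicationUris and host names are made up;
# openssl >= 1.1.1 is assumed.
set -eu

build_ca() {                      # $1 = CA working directory (created)
  mkdir -p "$1/newcerts"; : >"$1/index.txt"; echo 01 >"$1/serial"; echo 01 >"$1/crlnumber"
  cat >"$1/ca.cnf" <<EOF
[req]
prompt = no
distinguished_name = dn
x509_extensions = ca_ext
[dn]
CN = opcua-demo-ca
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[ca]
default_ca = demo
[demo]
database = $1/index.txt
new_certs_dir = $1/newcerts
serial = $1/serial
crlnumber = $1/crlnumber
certificate = $1/ca.crt
private_key = $1/ca.key
default_md = sha256
default_days = 365
default_crl_days = 30
policy = pol
[pol]
commonName = supplied
EOF
  openssl req -config "$1/ca.cnf" -x509 -new -newkey rsa:2048 -nodes -sha256 -days 3650 \
    -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null
  publish_crl "$1"                # start with an empty CRL
}
publish_crl() { openssl ca -config "$1/ca.cnf" -gencrl -out "$1/crl.pem" 2>/dev/null; }
revoke_cert() { openssl ca -config "$1/ca.cnf" -revoke "$1/$2.crt" 2>/dev/null; publish_crl "$1"; }

# Application instance certificate. Peers compare their configured ApplicationUri
# with the URI entry of subjectAltName, so it must be present and must match.
issue_cert() {                    # $1 = CA dir, $2 = name, $3 = ApplicationUri, $4 = host, $5 = serverAuth|clientAuth
  cat >"$1/$2.ext" <<EOF
basicConstraints = critical,CA:FALSE
keyUsage = critical,digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
extendedKeyUsage = $5
subjectAltName = URI:$3,DNS:$4
EOF
  openssl req -config "$1/ca.cnf" -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=$2" \
    -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null
  openssl ca -config "$1/ca.cnf" -batch -notext -in "$1/$2.csr" -out "$1/$2.crt" -extfile "$1/$2.ext" 2>/dev/null
}
thumbprint() { openssl x509 -in "$1" -noout -fingerprint -sha1 | cut -d= -f2 | tr -d ':'; }

# SDK-style tree; $3 picks where the CA certificate goes. Store entries are named
# by SHA-1 thumbprint, which is what the 40-hex-digit file names in the thread are.
install_pki() {                   # $1 = CA dir, $2 = pki root, $3 = issuers|trusted
  local d tp; tp=$(thumbprint "$1/ca.crt")
  for d in own/certs own/private trusted/certs trusted/crl issuers/certs issuers/crl rejected; do mkdir -p "$2/$d"; done
  rm -f "$2"/trusted/certs/*.der "$2"/issuers/certs/*.der
  openssl x509 -in "$1/server.crt" -outform DER -out "$2/own/certs/server.der"
  cp "$1/server.key" "$2/own/private/server.pem"
  openssl x509 -in "$1/ca.crt" -outform DER -out "$2/$3/certs/$tp.der"
  cp "$1/crl.pem" "$2/issuers/crl/$tp.pem"
}
pem_bundle() { for f in "$1"/*.der; do if [ -e "$f" ]; then openssl x509 -inform DER -in "$f"; fi; done; }

# Model of the trust decision with openssl verify: trusted/certs -> -CAfile with
# -partial_chain (the chain is trusted as soon as one of its certificates is in the
# trusted list), issuers/certs -> -untrusted (chain building only, confers no
# trust), the crl folders -> -CRLfile with -crl_check.
check_peer() {                    # $1 = pki root, $2 = peer certificate (PEM); exit 0 = accepted
  local tmp peer out rc; tmp=$(mktemp -d); peer=$2; rc=1
  pem_bundle "$1/trusted/certs" >"$tmp/trusted.pem"
  pem_bundle "$1/issuers/certs" >"$tmp/issuers.pem"
  cat "$1"/trusted/crl/*.pem "$1"/issuers/crl/*.pem >"$tmp/crl.pem" 2>/dev/null || true
  if [ -s "$tmp/trusted.pem" ]; then              # an empty trusted list trusts nothing
    set -- -no-CAfile -no-CApath -partial_chain -CAfile "$tmp/trusted.pem"
    [ -s "$tmp/issuers.pem" ] && set -- "$@" -untrusted "$tmp/issuers.pem"
    [ -s "$tmp/crl.pem" ] && set -- "$@" -crl_check -CRLfile "$tmp/crl.pem"
    out=$(openssl verify "$@" "$peer" 2>&1) || true
    case "$out" in *": OK"*) rc=0 ;; esac
  fi
  rm -rf "$tmp"; return $rc
}

main() {
  local w where; w=$(mktemp -d)
  build_ca "$w/ca"
  issue_cert "$w/ca" server urn:opcua-server.example:UaServer opcua-server.example serverAuth
  issue_cert "$w/ca" client urn:engineering-pc.example:UaExpert engineering-pc.example clientAuth
  for where in issuers trusted; do
    install_pki "$w/ca" "$w/pkiserver" "$where"
    check_peer "$w/pkiserver" "$w/ca/client.crt" && echo "CA in $where/: accepted" || echo "CA in $where/: untrusted"
  done
  revoke_cert "$w/ca" client; install_pki "$w/ca" "$w/pkiserver" trusted
  check_peer "$w/pkiserver" "$w/ca/client.crt" && echo "revoked client: accepted" || echo "revoked client: rejected by CRL"
}
main
```

Running it prints "CA in issuers/: untrusted", "CA in trusted/: accepted" and "revoked client: rejected by CRL", which is the behaviour the thread converges on: issuers/ only supplies certificates for building the chain, and a chain whose issuer is merely "known" still fails with BadCertificateUntrusted; trust comes from the trusted list, and a CA certificate placed there makes every certificate that CA has issued acceptable without a manual step. That is exactly the point to weigh before doing it: whoever controls that CA key can mint a certificate that your server accepts, so the CA must be your own, the ApplicationUri and host in the SAN should be checked as usual, and the CRL in issuers\crl or trusted\crl is the only thing that takes a compromised or decommissioned peer out again, so keep it current.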

Maarten_BE
Sr. Member
Posts: 18
Joined: 25 Feb 2015, 15:58

Re: Trying to use certificates signed by CA

Post by Maarten_BE »

Yes, having the Root CA certificate in the trusted list also solved it for me.

Thanks!

phibla
Jr. Member
Posts: 3
Joined: 26 Oct 2016, 08:39

Re: Trying to use certificates signed by CA

Post by phibla »

This workaround also works for me, but what kind of certificates are stored in the issuers folder? I always thought that this is the location for CA certificates.

Support Team
Hero Member
Posts: 3064
Joined: 18 Mar 2011, 15:09

Re: Trying to use certificates signed by CA

Post by Support Team »

Here you can find background information regarding certificate management in OPC UA:
http://documentation.unified-automation ... rtificates
Best regards
Unified Automation Support Team
