BadCertificateChainIncomplete

Questions regarding the use of the .NET SDK 2.0 for Server or Client development or integration into customer products ...

Moderator: uasdknet

ggokka
Sr. Member
Posts: 17
Joined: 03 Jul 2015, 02:34

BadCertificateChainIncomplete

Post by ggokka »

I have one certificate as a pfx file.
After starting the OPC Server with this pfx, I had to convert the pfx into a der file and a pem file, because the UaExpert tool allows only the der and the pem format.

Unfortunately, I have seen the messages below on the UaExpert side.

Unable to get local issuer certificate [BadCertificateChainIncomplete]
Unable to get certificate CRL [BadCertificateRevocationUnknown]
Unable to verify the first certificate [BadCertificateChainIncomplete]

Support Team
Hero Member
Posts: 3064
Joined: 18 Mar 2011, 15:09

Re: BadCertificateChainIncomplete

Post by Support Team »

Hello,

there seems to be some massive misunderstanding. Why do you convert the certificate file?

The .NET Server SDK works only with certificates in .pfx format. In this format both the public cert and the private key are contained. The server splits the pfx into the two portions automatically. The server sends - of course - only the public part of the certificate to the client, therefore converting the certificate is not needed for secure communication.

If the certificate contains a chained issuer and a CA, the server will send the public portions of the complete chain to the client for verification. Again, there is no need to convert/split on your own.

However, when using CA and chained issuer certificates, you must have the corresponding revocation lists for each CA/issuer in the chain, because otherwise you would "trust" all certs that were "ever" signed by such a CA, without the possibility to revoke compromised certificates. That would be a massive security gap.

Best Regards
Support Team
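
A worked version of what the reply describes, added here as an example; it is not code from the thread, from UaExpert or from the Unified Automation SDK. It uses the openssl command line to build a constructed root CA, issuing CA and server certificate, packs them into one .pfx, splits out the public parts the way the reply says the server does automatically, and reproduces the "unable to get local issuer certificate" and "unable to get certificate CRL" failures quoted in the question (those strings are OpenSSL's X.509 verification error messages) before showing the check pass once the client has the chain plus a CRL for every issuer, and fail again once the server certificate is revoked. All names (Demo Root CA, Demo Issuing CA, DemoOpcServer, urn:example:opcserver), the serial numbers and the .pfx password "demo" are made up for this example; `openssl verify` stands in for the trust check a client such as UaExpert performs.

```shell
#!/bin/sh
# Added example, not code from the forum thread, UaExpert or the .NET SDK.
# Constructed chain: Demo Root CA -> Demo Issuing CA -> OPC server certificate.
# All names, the URN, serial numbers and the .pfx password "demo" are made up.
set -e
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT; cd "$WORK"

# Minimal req/extension configs so the script does not depend on the system openssl.cnf.
printf '[req]\ndistinguished_name = dn\n[dn]\n' > req.cnf
cat > ext.cnf <<'EOF'
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
[server_ext]
basicConstraints = critical,CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth,clientAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
subjectAltName = URI:urn:example:opcserver,DNS:localhost
EOF

# 1. Self-signed root CA, an issuing CA under it, and the server certificate under that.
openssl req -config req.cnf -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=Demo Root CA" \
  -addext "basicConstraints=critical,CA:TRUE" -addext "keyUsage=critical,keyCertSign,cRLSign" \
  -addext "subjectKeyIdentifier=hash" -keyout root.key -out root.crt 2>/dev/null
openssl req -config req.cnf -newkey rsa:2048 -nodes -subj "/CN=Demo Issuing CA" \
  -keyout int.key -out int.csr 2>/dev/null
openssl x509 -req -in int.csr -CA root.crt -CAkey root.key -set_serial 1000 -days 30 \
  -extfile ext.cnf -extensions ca_ext -out int.crt 2>/dev/null
openssl req -config req.cnf -newkey rsa:2048 -nodes -subj "/CN=DemoOpcServer" \
  -keyout server.key -out server.csr 2>/dev/null
openssl x509 -req -in server.csr -CA int.crt -CAkey int.key -set_serial 2000 -days 30 \
  -extfile ext.cnf -extensions server_ext -out server.crt 2>/dev/null

# 2. One .pfx holding private key + certificate + issuer chain (the form the SDK consumes).
openssl pkcs12 -export -inkey server.key -in server.crt -certfile int.crt -name opcserver \
  -passout pass:demo -out server.pfx
# Splitting it is what the server does itself: cert and chain go to peers, the key never does.
openssl pkcs12 -in server.pfx -passin pass:demo -nokeys -clcerts -out public.pem 2>/dev/null
openssl pkcs12 -in server.pfx -passin pass:demo -nokeys -cacerts -out issuers.pem 2>/dev/null
openssl pkcs12 -in server.pfx -passin pass:demo -nocerts -nodes -out private.pem 2>/dev/null
openssl x509 -in public.pem -outform DER -out public.der   # DER copy of the public part only

# gen_crl <ca>: issue <ca>.crl from a tiny per-CA "openssl ca" database.
gen_crl() {
  [ -f "$1.index" ] || : > "$1.index"
  [ -f "$1.crlnumber" ] || echo 01 > "$1.crlnumber"
  [ -f "$1.serial" ] || echo 01 > "$1.serial"
  printf '[ca]\ndefault_ca = demo\n[demo]\ndatabase = %s.index\nserial = %s.serial\nnew_certs_dir = .\ncrlnumber = %s.crlnumber\ndefault_md = sha256\ndefault_crl_days = 30\n' "$1" "$1" "$1" > "$1.cnf"
  openssl ca -config "$1.cnf" -gencrl -keyfile "$1.key" -cert "$1.crt" -out "$1.crl" 2>/dev/null
}

# revoke_with <ca> <cert>: record <cert> as revoked by <ca> and reissue that CA's CRL.
revoke_with() {
  openssl ca -config "$1.cnf" -keyfile "$1.key" -cert "$1.crt" -revoke "$2" 2>/dev/null
  gen_crl "$1"
}

# verify_server [extra verify options]: what a client that trusts only root.crt concludes.
verify_server() { openssl verify -CAfile root.crt "$@" public.pem 2>&1 || true; }

# 3. The situations from the thread, plus the one that passes.
RESULT_NO_CHAIN=$(verify_server)                                     # issuer unknown to the client
RESULT_NO_CRL=$(verify_server -untrusted issuers.pem -crl_check_all)  # chain ok, no revocation data
gen_crl root; gen_crl int; cat root.crl int.crl > crls.pem            # one CRL per issuer in the chain
RESULT_FULL=$(verify_server -untrusted issuers.pem -crl_check_all -CRLfile crls.pem)
revoke_with int server.crt; cat root.crl int.crl > crls.pem            # now revoke the server cert
RESULT_REVOKED=$(verify_server -untrusted issuers.pem -crl_check_all -CRLfile crls.pem)

printf 'no chain : %s\nno CRL   : %s\nfull     : %s\nrevoked  : %s\n' \
  "$RESULT_NO_CHAIN" "$RESULT_NO_CRL" "$RESULT_FULL" "$RESULT_REVOKED"
```

`-crl_check_all` is used deliberately: it demands a CRL for every certificate in the chain, which is the reply's "revocation lists for each CA/issuer", and for a self-signed root that includes the root's own CRL. With plain `-crl_check` only the CRL of the server certificate's direct issuer would be required. Note that `private.pem` is produced only to show the split; in a real deployment that file stays on the server.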
