

BadCertificateChainIncomplete error

Questions regarding the use of the UaExpert.

BadCertificateChainIncomplete error

Postby simon.s » 07 Jan 2020, 13:42

Hi,

I observed the [BadCertificateChainIncomplete] issue when I use UaExpert to talk to UaDemoServer, which uses a chain of certificates.

Following the recommendation of thread https://forum.unified-automation.com/post3961.html,
I have put the CA certificate of the UaDemoServer in the UaExpert's 'trusted/certs' and 'issuers/certs' folder.
I set 'General.DisableError.CertificateIssuerRevocationUnknown' and 'General.DisableError.CertificateRevocationUnknown' in UaExpert's settings to true.
The Trust Status of the leaf certificate is Trusted.

But I still have the following 3 errors.
"unable to get local issuer certificate [BadCertificateChainIncomplete]
unable to get certificate CRL [BadCertificateRevocationUnknown]
unable to verify the first certificate [BadCertificateChainIncomplete]"

In another thread https://forum.unified-automation.com/post3978.html, it states that
"If the certificate contains a chained issuer and a CA, the server will send the public portions of the complete chain to the client for verification.".

I observed that only the leaf certificate was sent to the client instead of the complete chain.
Would you please clarify how I can ensure the UaDemoServer sends the complete chain to the UaExpert client?
Am I missing any parameter/setting of the server certificate?

Thank you.

Regards,
simon.s
Jr. Member
Posts: 4
Joined: 14 Nov 2019, 05:03

Re: BadCertificateChainIncomplete error

Postby Support Team » 08 Jan 2020, 19:24

Hello,

it seems that you have a misconfigured chain already on the server side.
In order to use certificate chains, the "issuers" folder is used for intermediate CAs that you don't trust but which you need to complete the chain. For the verification (done by OpenSSL) the Client will pass all the certs stored in issuers together with the trusted ones to the OpenSSL verify. The verification will only be positive if you have the RevocationList for each of the CAs present (even if those are empty).
Best regards
Unified Automation Support Team
Support Team
Hero Member
Posts: 2439
Joined: 18 Mar 2011, 15:09
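The verification the Support Team describes, as an added example that is not code from this thread or from Unified Automation: a POSIX shell script that builds a constructed root CA -> intermediate CA -> UaDemoServer chain with OpenSSL and runs `openssl verify` four ways. The mapping of `-CAfile`, `-untrusted` and `-CRLfile` to UaExpert's trusted, issuers and CRL folders is an approximation for illustration, and every name, path and CN value in it is made up. It reproduces two of the three messages from the first post ("unable to get local issuer certificate" when only the leaf is available, "unable to get certificate CRL" when a CA has no CRL) and then shows the chain verifying once the intermediate is supplied as an issuer and an empty CRL exists for each CA.

```shell
#!/bin/sh
# Added example, not code from the thread or from Unified Automation.
# Builds a constructed three-level PKI with OpenSSL and replays the checks the
# Support Team describes. Approximate mapping to UaExpert's PKI store:
#   -CAfile    ~ trusted/certs   (CAs you actually trust)
#   -untrusted ~ issuers/certs   (CAs needed only to complete the chain)
#   -CRLfile   ~ the CRL folders (one CRL per CA, even if it is empty)
set -u

# Create keys, certificates and one empty CRL per CA in a temp directory.
# Sets PKI_DIR, which the verify_* functions below use.
make_demo_pki() {
    command -v openssl >/dev/null 2>&1 || { echo "openssl not found" >&2; return 1; }
    PKI_DIR=$(mktemp -d) || return 1
    (
        cd "$PKI_DIR" || exit 1
        # Minimal config: a request DN (overridden by -subj), two extension
        # profiles, and the small "ca" section that -gencrl needs.
        cat > pki.cnf <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = placeholder
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
[ v3_leaf ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
[ ca ]
default_ca = CA_default
[ CA_default ]
database = index.txt
crlnumber = crlnumber
default_md = sha256
default_crl_days = 30
EOF
        for n in root inter leaf; do
            openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
                -out "$n.key" 2>/dev/null || exit 1
        done
        # Root CA (self-signed), then the intermediate CA signed by it.
        openssl req -x509 -config pki.cnf -key root.key -subj "/CN=Example Root CA" \
            -days 365 -extensions v3_ca -out root.crt || exit 1
        openssl req -new -config pki.cnf -key inter.key \
            -subj "/CN=Example Intermediate CA" -out inter.csr || exit 1
        openssl x509 -req -in inter.csr -CA root.crt -CAkey root.key -CAcreateserial \
            -days 365 -extfile pki.cnf -extensions v3_ca -out inter.crt 2>/dev/null || exit 1
        # Leaf: the server's application instance certificate, signed by the intermediate.
        openssl req -new -config pki.cnf -key leaf.key -subj "/CN=UaDemoServer" \
            -out leaf.csr || exit 1
        openssl x509 -req -in leaf.csr -CA inter.crt -CAkey inter.key -CAcreateserial \
            -days 365 -extfile pki.cnf -extensions v3_leaf -out leaf.crt 2>/dev/null || exit 1
        # One CRL per CA; both are empty, which is enough for the check to pass.
        : > index.txt
        echo 1000 > crlnumber
        openssl ca -config pki.cnf -gencrl -keyfile root.key -cert root.crt \
            -out root.crl 2>/dev/null || exit 1
        openssl ca -config pki.cnf -gencrl -keyfile inter.key -cert inter.crt \
            -out inter.crl 2>/dev/null || exit 1
        cat root.crl inter.crl > crls.pem
    )
}

# 1) Only the leaf reaches the client and only the root is trusted:
#    "unable to get local issuer certificate" (X509 error 20).
verify_leaf_alone() {
    openssl verify -CAfile "$PKI_DIR/root.crt" "$PKI_DIR/leaf.crt"
}

# 2) The intermediate is supplied as an untrusted issuer; no revocation check.
verify_with_issuer() {
    openssl verify -CAfile "$PKI_DIR/root.crt" -untrusted "$PKI_DIR/inter.crt" \
        "$PKI_DIR/leaf.crt"
}

# 3) Same chain, revocation checked on every CA, but no CRL is available:
#    "unable to get certificate CRL" (X509 error 3).
verify_with_issuer_no_crl() {
    openssl verify -CAfile "$PKI_DIR/root.crt" -untrusted "$PKI_DIR/inter.crt" \
        -crl_check_all "$PKI_DIR/leaf.crt"
}

# 4) Complete chain plus an (empty) CRL for each CA: verification succeeds.
verify_full() {
    openssl verify -CAfile "$PKI_DIR/root.crt" -untrusted "$PKI_DIR/inter.crt" \
        -CRLfile "$PKI_DIR/crls.pem" -crl_check_all "$PKI_DIR/leaf.crt"
}

# Run all four checks and show what OpenSSL reports for each.
make_demo_pki || exit 1
for check in verify_leaf_alone verify_with_issuer verify_with_issuer_no_crl verify_full; do
    printf '%s:\n' "$check"
    "$check" 2>&1 | sed 's/^/  /'
done
```

Run it as a plain script; it prints each check's OpenSSL output, so the two failure messages appear verbatim and the last check ends with `OK`. The point to take from checks 2 and 3 is the one the Support Team makes: completing the chain through the issuers folder is necessary but, with revocation checking on, not sufficient; each CA in the chain also needs a CRL, and an empty one is enough.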

Re: BadCertificateChainIncomplete error

Postby simon.s » 11 Jan 2020, 00:05

Hi,

Thank you for the hints. I have a few more questions.

Would you please clarify whether I need to have the RevocationList for each of the CAs on the server-side so that the server will send the UAExpert client the Revocation List via the UA SDK?

Would you please clarify whether the UAExpert will ignore the RevocationList check when I set 'General.DisableError.CertificateIssuerRevocationUnknown' and 'General.DisableError.CertificateRevocationUnknown' in UaExpert's settings to true?

Would you please clarify, when an OPC UA server that uses the UA C# SDK uses the Windows certificate store to manage its certificates, with the Root CA in the Trusted Root Certificate store, the intermediate CA in the Intermediate Certificate store, and the SSL certificate in the Personal store, whether the OPC UA server will send the complete certificate chain to the UAExpert client as well?

Thanks.

Regards,
simon.s
Jr. Member
Posts: 4
Joined: 14 Nov 2019, 05:03
