Secured UserIdentityToken: Certificate validation bad

Questions regarding the use of UaExpert.

Moderator: uaexpert

jgr
Jr. Member
Posts: 2
Joined: 13 Sep 2018, 07:36

Secured UserIdentityToken: Certificate validation bad

Post by jgr »

Hi,

I'm developing an OPC UA server and am now experimenting with an encrypted password in the UserIdentityToken Username_1 (none message security). I am trying to generate my own certificates (CA and server cert) and get them working with the UaExpert client (v1.4.4). I have solved all errors and warnings that UaExpert detected (missing UA extensions, wrong keyUsage etc.) when validating the certificate it receives from the server. But it still says "Bad" and marks the server certificate as "Untrusted". No other error strings or warnings are shown. Both the intermediate CA cert and the server cert also get a green marker in front of them. See the attached image for how the certificate validation view looks.

Certificate validation window of UaExpert: https://imgur.com/a/j3Th5QD

What could cause this behavior?

Support Team
Hero Member
Posts: 3064
Joined: 18 Mar 2011, 15:09

Re: Secured UserIdentityToken: Certificate validation bad

Post by Support Team »

Hello jgr,

UaExpert expects to have a valid CRL for all CA certificates in the certificate chain. You can override this behaviour by changing the UaExpert settings 'General.DisableError.CertificateIssuerRevocationUnknown' and 'General.DisableError.CertificateRevocationUnknown' to true.
Best regards
Unified Automation Support Team

jgr
Jr. Member
Posts: 2
Joined: 13 Sep 2018, 07:36

Re: Secured UserIdentityToken: Certificate validation bad

Post by jgr »

Hi again,

Changing the CertificateIssuerRevocationUnknown and CertificateRevocationUnknown settings to true did not change the behavior. It still reported "Bad", as the picture in the previous post shows. Today I updated to 1.5.0 319 and now it says "BadInvalidArgument" instead. UaExpert still sets green markers in front of both the CA cert and the device cert. If I select the checkbox "Accept the server certificate temporarily for this session" and press the continue button, I get the message "Error 'BadInvalidArgument' was returned during OpenSecureChannel" in the log view. No connection attempt was made on the network. In the previous version 1.4.x, this worked.

Support Team
Hero Member
Posts: 3064
Joined: 18 Mar 2011, 15:09

Re: Secured UserIdentityToken: Certificate validation bad

Post by Support Team »

Hello jgr,

UaExpert expects the CRL to be DER-encoded (binary), and the problem might be that your CRL is PEM-encoded (text). We are aware of this issue and will improve the errors shown in the GUI if this is the case.

Using OpenSSL you can simply change the encoding of a CRL as follows:

openssl crl -in ca.crl -inform PEM -out ca.crl -outform DER
Best regards
Unified Automation Support Team
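The two encodings the Support Team describes are easy to tell apart by inspecting the file, and the openssl conversion above amounts to stripping the PEM armour and base64-decoding the body. The following is an added example (not code from the original post, from Unified Automation, or from UaExpert) that detects whether a CRL file is PEM or DER, converts PEM to DER the same way `openssl crl -inform PEM -outform DER` does, and sanity-checks the outer ASN.1 SEQUENCE length so that a truncated CRL is caught before it is copied into the trust store. The sample bytes are a constructed placeholder DER SEQUENCE, not a real CRL; the function names are assumptions chosen for this example.

```python
import base64
import re

# Constructed placeholder: a minimal DER SEQUENCE (tag 0x30, length 3,
# containing INTEGER 5). It is NOT a real CRL. A real CRL from
# `openssl ca -gencrl` is likewise a DER SEQUENCE at the outermost level.
SAMPLE_DER = bytes.fromhex("3003020105")

PEM_HEADER = "-----BEGIN X509 CRL-----"
PEM_FOOTER = "-----END X509 CRL-----"


def der_to_pem(der: bytes) -> bytes:
    """Wrap DER bytes in the PEM armour openssl uses for CRLs (64-char lines)."""
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return ("\n".join([PEM_HEADER, *lines, PEM_FOOTER]) + "\n").encode("ascii")


def detect_encoding(data: bytes) -> str:
    """Return 'PEM', 'DER' or 'unknown' for the raw bytes of a CRL file."""
    if data.lstrip().startswith(b"-----BEGIN "):
        return "PEM"
    if data[:1] == b"\x30":  # ASN.1 SEQUENCE tag: every X.509 CRL starts with it
        return "DER"
    return "unknown"


def der_length_ok(der: bytes) -> bool:
    """Check that the outer SEQUENCE length matches the file size (catches truncation)."""
    if len(der) < 2 or der[0] != 0x30:
        return False
    first = der[1]
    if first < 0x80:                      # short-form length
        length, header = first, 2
    else:                                 # long form: 0x8N then N length bytes
        n = first & 0x7F
        if n == 0 or len(der) < 2 + n:
            return False
        length = int.from_bytes(der[2:2 + n], "big")
        header = 2 + n
    return header + length == len(der)


def pem_to_der(pem: bytes) -> bytes:
    """Equivalent of `openssl crl -inform PEM -outform DER`: strip armour, base64-decode."""
    text = pem.decode("ascii")
    m = re.search(r"-----BEGIN X509 CRL-----(.*?)-----END X509 CRL-----", text, re.S)
    if not m:
        raise ValueError("no X509 CRL PEM block found")
    der = base64.b64decode("".join(m.group(1).split()), validate=True)
    if not der_length_ok(der):
        raise ValueError("decoded data is not a well-formed DER SEQUENCE")
    return der


def normalise_crl(data: bytes) -> bytes:
    """Return DER bytes whatever the input encoding; raise on anything else."""
    enc = detect_encoding(data)
    if enc == "PEM":
        return pem_to_der(data)
    if enc == "DER" and der_length_ok(data):
        return data
    raise ValueError(f"unsupported or corrupt CRL file (detected: {enc})")


if __name__ == "__main__":
    pem = der_to_pem(SAMPLE_DER)
    print(detect_encoding(pem), detect_encoding(SAMPLE_DER))  # prints: PEM DER
    assert normalise_crl(pem) == SAMPLE_DER
```

To apply this to a real trust store, read each file under the CRL directory with `open(path, "rb")`, pass the bytes through `normalise_crl`, and write the result back only when the input was PEM; files that raise are the ones UaExpert would have rejected with "Bad" or "BadInvalidArgument" without a clearer message.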
