Secured UserIdentityToken: Certificate validation bad

Posted: 14 Sep 2018, 13:08
by jgr
Hi,

I'm developing an OPC UA server and am now experimenting with encrypted passwords in UserIdentityToken Username_1 (None message security). I'm trying to generate my own certificates (CA and server cert) and get them working with the UaExpert client (v1.4.4). I have solved all errors and warnings that UaExpert detected (missing UA extensions, wrong keyUsage etc.) when validating the certificate it receives from the server. But it still says "Bad" and marks the server certificate as "Untrusted", and no other error strings or warnings are shown. Both the intermediary CA cert and the server cert also get a green marker in front of them. See the attached image for how the certificate validation view looks.

Certificate validation window of UaExpert: https://imgur.com/a/j3Th5QD

What could cause this behavior?

Re: Secured UserIdentityToken: Certificate validation bad

Posted: 20 Sep 2018, 11:26
by Support Team
Hello jgr,

UaExpert expects to have a valid CRL for all CA certificates in the certificate chain. You can override this behaviour by changing the UaExpert settings 'General.DisableError.CertificateIssuerRevocationUnknown' and 'General.DisableError.CertificateRevocationUnknown' to true.

Re: Secured UserIdentityToken: Certificate validation bad

Posted: 18 Oct 2018, 10:56
by jgr
Hi again,

Changing the CertificateIssuerRevocationUnknown and CertificateRevocationUnknown settings to true did not change the behavior. It still reported "Bad", as the picture in the previous post shows. Today I updated to 1.5.0 319 and now it says "BadInvalidArgument" instead. UaExpert still sets green markers in front of both the CA cert and the device cert. If I select the checkbox "Accept the server certificate temporarily for this session" and press the continue button, I get the message "Error 'BadInvalidArgument' was returned during OpenSecureChannel" in the log view. No connection attempt was made on the network. In the previous version, 1.4.x, this worked.

Re: Secured UserIdentityToken: Certificate validation bad

Posted: 25 Oct 2018, 13:48
by Support Team
Hello jgr,

UaExpert expects the CRL to be DER-encoded (binary), and the problem might be that your CRL is PEM-encoded (text). We are aware of this issue and will improve the errors shown in the GUI if this is the case.

Using OpenSSL you can simply change the encoding of a CRL as follows:

openssl crl -in ca.crl -inform PEM -out ca.crl -outform DER
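As an added example (not from the thread or from UaExpert itself), the script below tells a PEM CRL from a DER one before converting, so the wrong encoding is caught rather than silently handed to the client; it assumes the openssl CLI is on PATH for the conversion and for the throwaway demo CA it builds, while the detection itself needs only grep and od.

```shell
# Added example: detect CRL encoding and convert PEM -> DER as the support
# answer suggests. Assumes the openssl CLI is installed (demo CA + conversion).
set -eu
# Print "PEM", "DER" or "UNKNOWN" for the CRL file given as $1.
crl_encoding() {
    if grep -q -- '-----BEGIN X509 CRL-----' "$1" 2>/dev/null; then
        echo PEM
    elif [ "$(od -An -tx1 -N1 "$1" | tr -d ' \n')" = "30" ]; then
        echo DER          # DER is raw ASN.1; a CRL starts with a SEQUENCE tag (0x30)
    else
        echo UNKNOWN
    fi
}
# Write a DER copy of CRL $1 to $2 (separate name: no in-place rewrite of the original).
crl_to_der() {
    case "$(crl_encoding "$1")" in
        PEM) openssl crl -in "$1" -inform PEM -out "$2" -outform DER ;;
        DER) cp "$1" "$2" ;;
        *)   echo "$1: not a CRL" >&2; return 1 ;;
    esac
}
# Build a throwaway CA in directory $1 and issue an empty PEM CRL as $1/ca.crl.
make_demo_crl() {
    d=$1; mkdir -p "$d"; : > "$d/index.txt"; echo 01 > "$d/crlnumber"
    cat > "$d/ca.cnf" <<EOF
[ca]
default_ca = demo
[demo]
database = $d/index.txt
crlnumber = $d/crlnumber
default_md = sha256
default_crl_days = 30
[req]
distinguished_name = dn
[dn]
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -subj "/CN=Demo CA" -days 30 \
        -config "$d/ca.cnf" -keyout "$d/ca.key" -out "$d/ca.pem" 2>/dev/null
    openssl ca -gencrl -config "$d/ca.cnf" -keyfile "$d/ca.key" -cert "$d/ca.pem" \
        -out "$d/ca.crl" 2>/dev/null
}
if command -v openssl >/dev/null 2>&1; then   # demo run, skipped without OpenSSL
    demo=$(mktemp -d)
    make_demo_crl "$demo"
    crl_to_der "$demo/ca.crl" "$demo/ca.der"
    echo "ca.crl: $(crl_encoding "$demo/ca.crl"), ca.der: $(crl_encoding "$demo/ca.der")"
fi
```

The DER file produced by `crl_to_der` is the one to give UaExpert for each CA in the chain; `openssl crl -inform DER -in ca.der -noout -text` shows what the client will parse.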