17:21, EEST
October 15, 2020
Hi,
we’re using self-signed certificates right now (generated by the OPC UA Server implementation via the ApplicationIdentity.LoadOrCreateCertificate function).
The generated certificate is valid for 1 year.
We call the function with EnableRenew set to true, which I assumed means (the documentation here is unfortunately not forthcoming with any additional information) that the certificate will be regenerated once the lifetime is up. But that does not happen.
Is there anything special that needs to be done to regenerate a certificate once it is past its Valid To date? The only way working right now is manually deleting the certificate to let the server generate a new one.
Alternatively, is it possible to set the Valid To date to more than 1 year using this mechanism? Or would that require actually generating a certificate and bundling it with the Server Application directly, not letting the Server generate its own certificate?
Greetings
Patrick
8:44, EEST
Moderators
February 11, 2020
EDIT: Please ignore this answer, it only concerns the Prosys OPC UA SDK for Java and not Prosys Sentrol OPC UA & Classic SDK for Delphi.
Hello,
Which version of the Prosys OPC UA SDK for Java are you using? The following description is based on the current version of the SDK which is version 4.8.0.
The loadOrCreateCertificate methods of the ApplicationIdentity class will internally call the loadOrCreateKeyPair(String applicationName, String organisation, File certFile, File privFile, String privateKeyPassword, KeyPair caKeys, boolean enableRenew, String applicationUri, int keySize, String... hostNames) method of the same class. The method first attempts to read the certificate from certFile. If that succeeds, the validity of the certificate is checked. If the certificate is no longer valid, this will be logged at info level, so you should look in your application’s logs for a log entry of the ApplicationIdentity class saying “Certificate expired.”. If the certificate is no longer valid and enableRenew is true, a new application certificate and private key will be created. A log entry saying “Creating a new application certificate & private key” will be added to the log before attempting to recreate the certificate. If renewing the certificate fails, a SecureIdentityException will be thrown by the method.
Note that the validity of the certificate is checked ONLY when it is loaded by the method. If it expires while your application is running, it is not renewed automatically regardless of what the value of the enableRenew parameter was when loading the certificate. You will need to restart your application to trigger loading the certificate and checking its validity.
If you have restarted your application and the certificate still hasn’t been renewed, have you verified that the certificate has expired by opening the DER file? If you have done that as well, is there anything in the logs of your application that would suggest that renewing the certificate is failing for some reason?
11:26, EEST
December 21, 2011
Actually, the functionality in the SDK for Delphi should be equal to the SDK for Java in this respect.
But, as Matti described, renewal may happen only when you are calling loadOrCreateCertificate, so typically only at the application restart phase.
I just tested, and it should do what it promises: if the certificate is not valid any more, it will just create a new one.
16:19, EEST
October 15, 2020
I’m currently on version 7.3.0 Build 758. Using Delphi 10.2 (if that’s relevant).
I tested it with the ProsysOPC.UaSampleServer project with
UaServer.ApplicationIdentity.LoadOrCreateCertificate({EnableRenew} true);
The normal Application is similarly built, at least in that regard.
Right now I have an old certificate active (generated January ’21), and when I start the server it does not update the certificate. If I delete (or rename) the certificate I get a new one which then is valid for a year again.
As the LoadOrCreateCertificate is only a procedure and no exception occurs I can’t really log anything regarding the generation/renewal of the certificate.
A manual load and validation of the certificate gives me a bad result (the comments are the results I get from the ShowMessage calls):
pCert := UaServer.CertificateStore.LoadCertificate('.\PKI\private\DelphiSampleServer@DESKTOP-2OL65E8.der');
ShowMessage(pCert.ValidTo); // -> Jan 23 09:37:35 2022 GMT
pVal := UaServer.CertificateStore.ValidateCertificate(pCert);
ShowMessage(BoolToStr(pVal.IsGood)); // false
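Since, as Matti describes, the SDK checks validity only when the certificate is loaded, an out-of-band check of the DER file’s notAfter is the practical way to know when a restart is due. The following is an added example, not Prosys SDK code: a stdlib-only Python walk of the certificate’s ASN.1 that reads its Validity (no trust or chain validation), self-tested against a constructed certificate-shaped blob carrying the ValidTo date quoted above rather than a real certificate.

```python
from datetime import datetime, timezone

def _tlv(buf, pos=0):
    """Decode one DER TLV at pos -> (tag, value bytes, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                     # long form: low 7 bits = number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _children(value):
    """Yield (tag, value) for each TLV packed inside a constructed value."""
    pos = 0
    while pos < len(value):
        tag, val, pos = _tlv(value, pos)
        yield tag, val

def _parse_time(tag, raw):
    """UTCTime (0x17, YYMMDDHHMMSSZ, RFC 5280 century rule) or GeneralizedTime (0x18)."""
    text = raw.decode("ascii")
    if tag == 0x17:
        text = ("19" if int(text[:2]) >= 50 else "20") + text
    return datetime.strptime(text, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)

def validity_window(der):
    """Return (notBefore, notAfter) of a DER X.509 certificate; no trust or chain checks."""
    _, cert, _ = _tlv(der)                # Certificate ::= SEQUENCE { tbsCertificate, ... }
    _, tbs, _ = _tlv(cert)                # tbsCertificate is its first element
    for tag, val in _children(tbs):       # version, serial, sigAlg and issuer precede Validity,
        if tag == 0x30:                   # the first SEQUENCE whose members are Time values
            inner = list(_children(val))
            if inner and inner[0][0] in (0x17, 0x18):
                return tuple(_parse_time(t, v) for t, v in inner)
    raise ValueError("no Validity sequence found")

def days_remaining(der, now=None):
    """Days until notAfter (negative once expired): the value to alert on before a restart."""
    return (validity_window(der)[1] - (now or datetime.now(timezone.utc))).days

def _der(tag, body):                      # tiny DER encoder, short-form lengths only (< 128)
    return bytes([tag, len(body)]) + body

# Constructed, certificate-shaped sample (not a real certificate) carrying the ValidTo date
# quoted in the thread; a real one continues with subject, key, extensions and signature.
SAMPLE_DER = _der(0x30, _der(0x30,
    _der(0xA0, _der(0x02, b"\x02"))                                     # [0] version v3
    + _der(0x02, b"\x01")                                               # serialNumber
    + _der(0x30, _der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"))  # sha256WithRSAEncryption
    + _der(0x30, b"")                                                   # issuer Name (empty here)
    + _der(0x30, _der(0x17, b"210123093735Z") + _der(0x17, b"220123093735Z"))  # Validity
))
```

Point validity_window at the bytes of the .der file under PKI\private and schedule days_remaining from a monitor; a new self-signed certificate generated after a restart must of course be re-trusted by every client that pinned the old one.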