Renew Self Signed Certificate
June 23, 2022
17:21, EEST
Patrick

Hi,

We’re using self-signed certificates right now (generated by the OPC UA server implementation via the ApplicationIdentity.LoadOrCreateCertificate function).
The generated certificate is valid for 1 year.

We call the function with EnableRenew set to true, which I assumed means (the documentation here is unfortunately not forthcoming with any additional information) that the certificate will be regenerated once the lifetime is up. But that does not happen.

Is there anything special that needs to be done to regenerate a certificate once it is past its Valid To date? The only way working right now is manually deleting the certificate to let the server generate a new one.

Alternatively, is it possible to set the Valid To date to more than 1 year using this mechanism? Or would that require actually generating a certificate and bundling it with the Server Application directly, and not letting the Server generate its own certificate?

Greetings
Patrick

June 27, 2022
8:44, EEST
Matti Siponen

EDIT: Please ignore this answer, it only concerns the Prosys OPC UA SDK for Java and not Prosys Sentrol OPC UA & Classic SDK for Delphi.

Hello,

Which version of the Prosys OPC UA SDK for Java are you using? The following description is based on the current version of the SDK which is version 4.8.0.

The loadOrCreateCertificate methods of the ApplicationIdentity class will internally call the loadOrCreateKeyPair(String applicationName, String organisation, File certFile, File privFile, String privateKeyPassword, KeyPair caKeys, boolean enableRenew, String applicationUri, int keySize, String... hostNames) method of the same class. The method first attempts to read the certificate from certFile. If that succeeds, the validity of the certificate is checked. If the certificate is no longer valid, this will be logged at info level, so you should look in your application’s logs for a log entry of the ApplicationIdentity class saying “Certificate expired.”. If the certificate is no longer valid and enableRenew is true, a new application certificate and private key will be created. A log entry saying “Creating a new application certificate & private key” will be added to the log before attempting to recreate the certificate. If renewing the certificate fails, a SecureIdentityException will be thrown by the method.

Note that the validity of the certificate is checked ONLY when it is loaded by the method. If it expires while your application is running, it is not renewed automatically regardless of what the value of enableRenew parameter was when loading the certificate. You will need to restart your application to trigger loading the certificate and checking its validity.

If you have restarted your application and the certificate still hasn’t been renewed, have you verified that the certificate has expired by opening the DER file? If you have done that as well, is there anything in the logs of your application that would suggest that renewing the certificate is failing for some reason?
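
Added example, not part of the thread or of either Prosys SDK: because expiry is only acted on when the certificate is loaded, an external check of the DER file's notAfter date shows when a restart is due. It uses only the Python standard library; the function names and the sample bytes are constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) for the DER element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                        # long form: low bits give the byte count
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, pos, pos + length

def not_after(der):
    """Read Validity.notAfter from an X.509 certificate (RFC 5280 field order)."""
    _, pos, _ = read_tlv(der, 0)             # Certificate
    _, pos, _ = read_tlv(der, pos)           # tbsCertificate
    tag, _, end = read_tlv(der, pos)         # [0] version, or serialNumber for v1
    skip = 3 if tag == 0xA0 else 2           # (serialNumber,) signature, issuer
    for _ in range(skip):
        _, _, end = read_tlv(der, end)
    tag, start, _ = read_tlv(der, end)       # validity
    if tag != 0x30:
        raise ValueError("validity SEQUENCE not found")
    _, _, end = read_tlv(der, start)         # notBefore
    tag, start, end = read_tlv(der, end)     # notAfter
    text = der[start:end].decode("ascii")
    if tag == 0x17:                          # UTCTime: RFC 5280 pivots two-digit years at 50
        text = ("19" if text[:2] >= "50" else "20") + text
    return datetime.strptime(text, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)

def renewal_status(der, now, warn=timedelta(days=30)):
    """Classify a certificate so a restart can be scheduled before it expires."""
    expires = not_after(der)
    if now > expires:
        return "expired"
    return "expiring" if expires - now <= warn else "valid"

def tlv(tag, *parts):
    """Minimal DER encoder, used only to build the constructed sample below."""
    body = b"".join(parts)
    size = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    head = bytes([len(body)]) if len(body) < 128 else bytes([0x80 | len(size)]) + size
    return bytes([tag]) + head + body

# Constructed sample (placeholder fields, no real key or signature); notAfter is the thread's ValidTo.
SAMPLE = tlv(0x30, tlv(0x30, tlv(0xA0, tlv(0x02, b"\x02")), tlv(0x02, b"\x01"),
    tlv(0x30), tlv(0x30),                    # signature algorithm, issuer (empty)
    tlv(0x30, tlv(0x17, b"210123093735Z"), tlv(0x17, b"220123093735Z")),
    tlv(0x30), tlv(0x03, bytes(300))))       # subject, 300-byte key placeholder
```

For a real certificate, pass the bytes of the `.der` file from the server's PKI directory to `renewal_status` together with the current UTC time.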

June 27, 2022
8:49, EEST
Matti Siponen

Hello again,

Please ignore the previous answer, it only concerns the Prosys OPC UA SDK for Java and not Prosys Sentrol OPC UA & Classic SDK for Delphi.

June 27, 2022
11:26, EEST
Jouni Aro

Actually, the functionality in the SDK for Delphi should be equal to the SDK for Java in this respect.

But, as Matti described, renewal may happen only when you are calling loadOrCreateCertificate, so typically only at the application restart phase.

I just tested, and it should do what it promises: if the certificate is not valid any more, it will just create a new one.

June 28, 2022
16:19, EEST
Patrick

I’m currently on version 7.3.0 Build 758. Using Delphi 10.2 (if that’s relevant).

I tested it with the ProsysOPC.UaSampleServer project with

UaServer.ApplicationIdentity.LoadOrCreateCertificate({EnableRenew} true);

The normal Application is similarly built, at least in that regard.

Right now I have an old certificate active (generated January ’21), and when I start the server it does not update the certificate. If I delete (or rename) the certificate I get a new one which then is valid for a year again.

As the LoadOrCreateCertificate is only a procedure and no exception occurs I can’t really log anything regarding the generation/renewal of the certificate.

A manual load and validation of the certificate gives me a bad result (the comments are the results I get from the ShowMessage calls):

pCert := UaServer.CertificateStore.LoadCertificate('.\PKI\private\DelphiSampleServer@DESKTOP-2OL65E8.der');
ShowMessage(pCert.ValidTo); //-> Jan 23 09:37:35 2022 GMT
pVal := UaServer.CertificateStore.ValidateCertificate(pCert);
ShowMessage(BoolToStr(pVal.IsGood)); // false

June 28, 2022
17:18, EEST
Patrick

I just did the same test with version 7.4.0 of the SDK, with that one it is working.
I guess reading release notes helps sometimes 😉

New: Renew expired certificate, when TUaApplicationIdentity.LoadOrCreateCertificate is called with ‘EnableRenew = True’ – Really? 🙂

June 28, 2022
17:40, EEST
Jouni Aro

Yes, sometimes they have valuable information – and fixes that you didn’t expect. 🙂

Anyways, we always recommend checking the latest version if you experience any problems.

But great that it finally works for you.
