Avatar

Please consider registering
guest

sp_LogInOut Log In sp_Registration Register

Register | Lost password?
sp_Search Search
Advanced Search
Advanced Search

— Forum Scope —




— Match —





— Forum Options —





Minimum search word length is 3 characters - maximum search word length is 84 characters

sp_Search Search
Go to Bottom
No permission to create posts
sp_Feed Topic RSS sp_TopicIcon
Renew Self Signed Certificate
June 23, 2022
17:21, EEST
Avatar
Patrick
Member
Members
Forum Posts: 6
Member Since:
October 15, 2020
sp_UserOfflineSmall Offline
Go to Top
1sp_Permalink sp_Print

Hi,

we’re using self signed certificates right now (generated by the OPC UA Serverimplemention via the ApplicationIdentity.LoadOrCreateCertificate function).
The generated certificate is valid for 1 year.

We call the function with EnableRenew set to true, which I assumed means (the documentation here is unfortunately not forthcoming with any additional information) that the certificate will be regenerated once the lifetime is up. But that does not happen.

Is there anything special that needs to be done to regenerate a certificate once it is past its Valid To date? The only way working right now is manually deleting the certificate to let the server generate a new one.

Alternatively is it possible to set the Valid To date to more than 1 year using this mechanism? Or would that require to actually generate a Certificate and bundle it with the Server Application directly? Not let the Server generate it’s own certificate.

Greetings
Patrick

June 27, 2022
8:44, EEST
Avatar
Matti Siponen
Moderator
Members

Moderators
Forum Posts: 321
Member Since:
February 11, 2020
sp_UserOfflineSmall Offline
Go to Top
2sp_EditHistory sp_Permalink sp_Print

EDIT: Please ignore the this answer, it only concerns the Prosys OPC UA SDK for Java and not Prosys Sentrol OPC UA & Classic SDK for Delphi.

Hello,

Which version of the Prosys OPC UA SDK for Java are you using? The following description is based on the current version of the SDK which is version 4.8.0.

The loadOrCreateCertificate methods of the ApplicationIdentity class will internally call loadOrCreateKeyPair(String applicationName, String organisation, File certFile, File privFile, String privateKeyPassword, KeyPair caKeys, boolean enableRenew, String applicationUri, int keySize, String… hostNames) method of the same class. The method first attempts to read the certificate from certFile. If that succeeds, the validity of the certificate is checked. If the certificate is no longer valid, this will be logged at info level so you should look your application’s logs for a log entry of ApplicationIdentity class saying “Certificate expired.”. If the certificate is no longer valid and enableRenew is true, new application certificate and private key will be created. A log entry saying “Creating a new application certificate & private key” will be added to the log before attempting to recreate the certificate. If renewing the certificate fails, a SecureIdentityException will be thrown by the method.

Note that the validity of the certificate is checked ONLY when it is loaded by the method. If it expires while your application is running, it is not renewed automatically regardless of what the value of enableRenew parameter was when loading the certificate. You will need to restart your application to trigger loading the certificate and checking its validity.

If you have restarted your application and the certificate still hasn’t been renewed, have you verified that the certificate has expired by opening the DER file? If you have done that as well, is there anything in the logs of your application that would suggest that renewing the certificate is failing for some reason?

June 27, 2022
8:49, EEST
Avatar
Matti Siponen
Moderator
Members

Moderators
Forum Posts: 321
Member Since:
February 11, 2020
sp_UserOfflineSmall Offline
Go to Top
3sp_Permalink sp_Print

Hello again,

Please ignore the previous answer, it only concerns the Prosys OPC UA SDK for Java and not Prosys Sentrol OPC UA & Classic SDK for Delphi.

June 27, 2022
11:26, EEST
Avatar
Jouni Aro
Moderator
Moderators
Forum Posts: 1010
Member Since:
December 21, 2011
sp_UserOfflineSmall Offline
sp_UserWebsite
Go to Top
4sp_Permalink sp_Print

Actually, the functionality in the SDK for Delphi should be equal to the SDK for Java in this respect.

But, as Matti described, renewal may happen only when you are calling loadOrCreateCertificate, so typically only at the application restart phase.

I just tested, and it should do what it promises: if the certificate is not valid any more, it will just create a new one.

June 28, 2022
16:19, EEST
Avatar
Patrick
Member
Members
Forum Posts: 6
Member Since:
October 15, 2020
sp_UserOfflineSmall Offline
Go to Top
5sp_Permalink sp_Print

I’m currently on version 7.3.0 Build 758. Using Delphi 10.2 (if that’s relevant).

I tested it with the ProsysOPC.UaSampleServer project with

UaServer.ApplicationIdentity.LoadOrCreateCertificate({EnableRenew} true);

The normal Application is similarly build, at least in that regard.

Right now I have an old certificate active (generated January ’21), and when I start the server it does not update the certificate. If I delete (or rename) the certificate I get a new one which then is valid for a year again.

As the LoadOrCreateCertificate is only a procedure and no exception occurs I can’t really log anything regarding the generation/renewal of the certificate.

A manual load and validation of the certificate gives me a bad result (the comments are the results I get from the ShowMessage calls):

pCert := UaServer.CertificateStore.LoadCertificate(‘.\PKI\private\DelphiSampleServer@DESKTOP-2OL65E8.der’);
ShowMessage(pCert.ValidTo); //-> Jan 23 09:37:35 2022 GMT
pVal := UaServer.CertificateStore.ValidateCertificate(pCert);
ShowMessage(BoolToStr(pVal.IsGood)); // false

June 28, 2022
17:18, EEST
Avatar
Patrick
Member
Members
Forum Posts: 6
Member Since:
October 15, 2020
sp_UserOfflineSmall Offline
Go to Top
6sp_EditHistory sp_Permalink sp_Print

I just did the same test with version 7.4.0 of the SDK, with that one it is working.
I guess reading release notes helps sometimes 😉

New: Renew expired certificate, when TUaApplicationIdentity.LoadOrCreateCertificate is called with ‘EnableRenew = True’ – Really? 🙂

June 28, 2022
17:40, EEST
Avatar
Jouni Aro
Moderator
Moderators
Forum Posts: 1010
Member Since:
December 21, 2011
sp_UserOfflineSmall Offline
sp_UserWebsite
Go to Top
7sp_Permalink sp_Print

Yes, sometimes they have valuable information – and fixes that you didn’t expect. 🙂

Anyways, we always recommend to check the latest version, if you experience any problems.

But great that it finally works for you.

No permission to create posts
sp_Feed All RSS
Go to top
Forum Timezone: Europe/Helsinki

Most Users Ever Online: 518

Currently Online:
13 Guest(s)

Currently Browsing this Page:
1 Guest(s)

Top Posters:

hbrackel: 135

pramanj: 86

Francesco Zambon: 81

rocket science: 77

Ibrahim: 76

Sabari: 62

kapsl: 57

gjevremovic: 49

Xavier: 43

TimK: 41

Member Stats:

Guest Posters: 0

Members: 683

Moderators: 16

Admins: 1

Forum Stats:

Groups: 3

Forums: 15

Topics: 1467

Posts: 6261

Newest Members:

Reallywo, digitechroshni, LouieWreve, Kickbiche, karrimacvitie5, graciela2073, sagarchau, elviralangwell4, Donnavek, Eddiefauth

Moderators: Jouni Aro: 1010, Otso Palonen: 32, Tuomas Hiltunen: 5, Pyry: 1, Petri: 0, Bjarne Boström: 983, Heikki Tahvanainen: 402, Jukka Asikainen: 1, moldzh08: 0, Jimmy Ni: 26, Teppo Uimonen: 21, Markus Johansson: 42, Niklas Nurminen: 0, Matti Siponen: 321, Lusetti: 0, Ari-Pekka Soikkeli: 5

Administrators: admin: 1