19:50, EEST
October 4, 2023
I am currently evaluating OPC UA Historian for a customer.
I think I have gone through all the appropriate steps to establish communication with the OPC UA Server:
1. Imported all the client certificates into the server
2. Created an appropriate login/password for the client
3. Set host files on both to match computer names on the certificates.
4. Was able to connect using OPC UA Browser after trusting the server certificate and the signing root CA.
5. Copied these into OPC UA Historian and approved both.
When I go to connect, I am using SignAndEncrypt, Aes128_Sha256_RsaOaep (same as used on OPC UA Browser), I always receive the same error:
========================
Error:
Invalid server certificate
Status Code:
Bad_CertificateChainIncomplete (0x810D0000) “The certificate chain is incomplete.”
========================
I cannot figure out what is wrong with my certificate, especially since I have the signing rootCA also trusted.
Any help would be greatly appreciated!
10:21, EEST
Moderators
February 11, 2020
Hello,
When you copied the certificate chain to Historian, did you copy the entire chain including root CA certificate, possible intermediate CA certificates and the “leaf” application instance certificate to CLIENT_PKI\CA\certs folder? If you did not copy the entire chain or copied the certificates to an incorrect folder, Historian will not be able to validate them correctly when connecting to the Server.
16:27, EEST
October 4, 2023
Matti Siponen said
Hello, When you copied the certificate chain to Historian, did you copy the entire chain including root CA certificate, possible intermediate CA certificates and the “leaf” application instance certificate to CLIENT_PKI\CA\certs folder? If you did not copy the entire chain or copied the certificates to an incorrect folder, Historian will not be able to validate them correctly when connecting to the Server.
Yup, that did it. I wasn’t thinking and put the root certs in “SERVER_PKI\CA\Certs”. Once I moved them into “CLIENT_PKI\CA\Certs” and the .crl into “CLIENT_PKI\crl” it started working.
Thanks for the help!
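The folder mix-up resolved above can be checked before connecting. The script below is an added example, not part of the original posts and not Prosys code: it walks issuer names from the server certificate through the certificates found in each PKI folder and reports whether a self-signed root is reached. `$PkiRoot` and `$LeafPath` are placeholders, and the check covers name chaining only, not signatures, validity dates or CRLs.

```powershell
# Added example: name-chaining check only (no signature, validity or CRL checks).
# $PkiRoot and $LeafPath are placeholders; the folder names come from the thread.
param(
    [string]$PkiRoot  = 'C:\path\to\historian\PKI',          # placeholder
    [string]$LeafPath = 'C:\path\to\server-certificate.der'  # placeholder
)

# Load every file in a folder that parses as an X.509 certificate.
function Get-FolderCerts([string]$Dir) {
    if (-not (Test-Path $Dir)) { return @() }
    Get-ChildItem -Path $Dir -File | ForEach-Object {
        try { New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $_.FullName }
        catch { Write-Warning "Skipping $($_.FullName): not a readable certificate" }
    }
}

# Follow Issuer -> Subject links until a self-signed certificate is found.
function Test-ChainComplete($Leaf, $Candidates) {
    $current = $Leaf
    $seen = @{}
    while ($true) {
        if ($current.Subject -eq $current.Issuer) { return $true }    # root reached
        if ($seen.ContainsKey($current.Thumbprint)) { return $false } # issuer loop
        $seen[$current.Thumbprint] = $true
        $issuer = $Candidates | Where-Object { $_.Subject -eq $current.Issuer } | Select-Object -First 1
        if (-not $issuer) {
            Write-Host "  no certificate with subject '$($current.Issuer)'"
            return $false
        }
        $current = $issuer
    }
}

$leaf = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $LeafPath
foreach ($sub in 'CLIENT_PKI\CA\certs', 'SERVER_PKI\CA\certs') {
    $dir = Join-Path $PkiRoot $sub
    Write-Host "Checking $dir"
    $ok = Test-ChainComplete $leaf (Get-FolderCerts $dir)
    Write-Host ("  chain to a self-signed root: {0}" -f $ok)
}
```

A `False` result for `CLIENT_PKI\CA\certs` alongside `True` for `SERVER_PKI\CA\certs` matches the situation described in the thread.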