Avatar

Please consider registering
guest

sp_LogInOut Log In sp_Registration Register

Register | Lost password?
Advanced Search

— Forum Scope —




— Match —





— Forum Options —





Minimum search word length is 3 characters - maximum search word length is 84 characters

sp_Feed Topic RSS sp_TopicIcon
OPC UA Historian - "The certificate chain is incomplete."
October 4, 2023
19:50, EEST
Avatar
fcsm
New Member
Members
Forum Posts: 2
Member Since:
October 4, 2023
sp_UserOfflineSmall Offline

I am currently evaluating OPC UA Historian for a customer.
I think I have gone through all the appropriate steps to establish communication with the OPC UA Server:
1. Imported all the client certificates into the server
2. Created an appropriate login/password for the client
3. Set host files on both to match computer names on the certificates.
4. Was able to connect using OPC UA Browser after trusting the server certificate and the signing root CA.
5. Copied these into OPC UA Historian and approved both.

When I go to connect, I am using SignAndEncrypt, Aes128_Sha256_RsaOsap (same as used on OPC UA Browser), I always receive the same error:

========================
Error:
Invalid server certificate

Status Code:
Bad_CertificateChainIncomplete (0x810D0000) “The certificate chain is incomplete.”
========================

I cannot figure out what is wrong with my certificate, especially since I have the signing rootCA also trusted.

Any help would be greatly appreciated!

October 5, 2023
10:21, EEST
Avatar
Matti Siponen
Moderator
Members

Moderators
Forum Posts: 340
Member Since:
February 11, 2020
sp_UserOfflineSmall Offline

Hello,

When you copied the certificate chain to Historian, did you copy the entire chain including root CA certificate, possible intermediate CA certificates and the “leaf” application instance certificate to CLIENT_PKI\CA\certs folder? If you did not copy the entire chain or copied the certificates to an incorrect folder, Historian will not be able to validate them correctly when connecting to the Server.

October 5, 2023
16:27, EEST
Avatar
fcsm
New Member
Members
Forum Posts: 2
Member Since:
October 4, 2023
sp_UserOfflineSmall Offline

Matti Siponen said
Hello,

When you copied the certificate chain to Historian, did you copy the entire chain including root CA certificate, possible intermediate CA certificates and the “leaf” application instance certificate to CLIENT_PKI\CA\certs folder? If you did not copy the entire chain or copied the certificates to an incorrect folder, Historian will not be able to validate them correctly when connecting to the Server.  

Yup, that did it. I wasn’t thinking and put the root certs in “SERVER_PKI\CA\Certs”. Once I moved them into “CLIENT_PKI\CA\Certs” and the .crl into “CLIENT_PKI\crl” it started working.

Thanks for the help!

Forum Timezone: Europe/Helsinki

Most Users Ever Online: 1919

Currently Online:
10 Guest(s)

Currently Browsing this Page:
1 Guest(s)

Top Posters:

Heikki Tahvanainen: 402

hbrackel: 144

pramanj: 86

rocket science: 86

Francesco Zambon: 83

Ibrahim: 78

Sabari: 62

kapsl: 57

gjevremovic: 49

Xavier: 43

Member Stats:

Guest Posters: 0

Members: 732

Moderators: 7

Admins: 1

Forum Stats:

Groups: 3

Forums: 15

Topics: 1508

Posts: 6396

Newest Members:

elainesever, powhephenry, mamiecaldwell5, Lamasom, scsneed, berrybulcock, icerdraizomma, athenasummy5, vtaletbhcx, HaroldaDob

Moderators: Jouni Aro: 1019, Pyry: 1, Petri: 0, Bjarne Boström: 1016, Jimmy Ni: 26, Matti Siponen: 340, Lusetti: 0

Administrators: admin: 1