19:50, EEST
October 4, 2023
I am currently evaluating OPC UA Historian for a customer.
I think I have gone through all the appropriate steps to establish communication with the OPC UA Server:
1. Imported all the client certificates into the server
2. Created an appropriate login/password for the client
3. Set host files on both to match computer names on the certificates.
4. Was able to connect using OPC UA Browser after trusting the server certificate and the signing root CA.
5. Copied these into OPC UA Historian and approved both.
When I go to connect, I am using SignAndEncrypt, Aes128_Sha256_RsaOsap (same as used on OPC UA Browser), I always receive the same error:
========================
Error:
Invalid server certificate
Status Code:
Bad_CertificateChainIncomplete (0x810D0000) “The certificate chain is incomplete.”
========================
I cannot figure out what is wrong with my certificate, especially since I have the signing rootCA also trusted.
Any help would be greatly appreciated!
10:21, EEST
Moderators
February 11, 2020
Hello,
When you copied the certificate chain to Historian, did you copy the entire chain including root CA certificate, possible intermediate CA certificates and the “leaf” application instance certificate to CLIENT_PKI\CA\certs folder? If you did not copy the entire chain or copied the certificates to an incorrect folder, Historian will not be able to validate them correctly when connecting to the Server.
16:27, EEST
October 4, 2023
Matti Siponen said
Hello,When you copied the certificate chain to Historian, did you copy the entire chain including root CA certificate, possible intermediate CA certificates and the “leaf” application instance certificate to CLIENT_PKI\CA\certs folder? If you did not copy the entire chain or copied the certificates to an incorrect folder, Historian will not be able to validate them correctly when connecting to the Server.
Yup, that did it. I wasn’t thinking and put the root certs in “SERVER_PKI\CA\Certs”. Once I moved them into “CLIENT_PKI\CA\Certs” and the .crl into “CLIENT_PKI\crl” it started working.
Thanks for the help!
Most Users Ever Online: 1919
Currently Online:
10 Guest(s)
Currently Browsing this Page:
1 Guest(s)
Top Posters:
Heikki Tahvanainen: 402
hbrackel: 144
pramanj: 86
rocket science: 86
Francesco Zambon: 83
Ibrahim: 78
Sabari: 62
kapsl: 57
gjevremovic: 49
Xavier: 43
Member Stats:
Guest Posters: 0
Members: 732
Moderators: 7
Admins: 1
Forum Stats:
Groups: 3
Forums: 15
Topics: 1508
Posts: 6396
Newest Members:
elainesever, powhephenry, mamiecaldwell5, Lamasom, scsneed, berrybulcock, icerdraizomma, athenasummy5, vtaletbhcx, HaroldaDobModerators: Jouni Aro: 1019, Pyry: 1, Petri: 0, Bjarne Boström: 1016, Jimmy Ni: 26, Matti Siponen: 340, Lusetti: 0
Administrators: admin: 1