Avatar

Please consider registering
guest

sp_LogInOut Log In sp_Registration Register

Register | Lost password?
sp_Search Search
Advanced Search
Advanced Search

— Forum Scope —




— Match —





— Forum Options —





Minimum search word length is 3 characters - maximum search word length is 84 characters

sp_Search Search
Go to Bottom
No permission to create posts
sp_Feed Topic RSS sp_TopicIcon
Certificate chains in the client's application identity.
August 11, 2022
23:45, EEST
Avatar
Chris
New Member
Members
Forum Posts: 1
Member Since:
July 7, 2022
sp_UserOfflineSmall Offline
Go to Top
1sp_EditHistory sp_Permalink sp_Print

Hello,

I am a bit new to PKI terminology, so please forgive me if I misuse a term.

I am trying to make use of one or more intermediate certificates in a UaClient. I see that it is possible to sign a client’s generated Application Identity certificate with an issuer KeyPair. Then if a server trusts the issuer, it trusts the client’s certificate as it was signed by the issuer. However, is it possible to create and send longer chains of trust?

For example. Say the certificate chain is C -> B -> A, where:
A is the client’s application certificate (issued by B)
B is an intermediate (issued by C)
C is a root CA trusted by the server (self-signed)

Is it a supported feature for the client to include this entire trust chain when establishing the initial secure channel to the server? If so, could you please point me in the right direction for accomplishing that? Thank you.

August 12, 2022
10:31, EEST
Avatar
Matti Siponen
Moderator
Members

Moderators
Forum Posts: 346
Member Since:
February 11, 2020
sp_UserOfflineSmall Offline
Go to Top
2sp_Permalink sp_Print

Hello,

Using longer certificate chains consisting of an application instance certificate, a varying number of intermediate CA certificates and a root CA certificate is supported by the SDK. At the moment the SDK does not support sending the entire certificate chain or processing more than the “leaf certificate” (e.g. application instance certificate) of a received certificate chain.

You will need to transfer the CA certificates of the certificate chain to Server applications manually and trust them. How to do this depends on Server application. For Server applications developed with Prosys OPC UA SDK for Java, copying the DER files of the certificates to PKI\CA\certs folder (assuming the default folder structure is being used) will make the Server trust those certificates. Just make sure that the same certificates are not also in PKI\CA
ejected folder or the Server won’t trust those certificates.

No permission to create posts
sp_Feed All RSS
Go to top
Forum Timezone: Europe/Helsinki

Most Users Ever Online: 1919

Currently Online:
28 Guest(s)

Currently Browsing this Page:
1 Guest(s)

Top Posters:

Heikki Tahvanainen: 402

hbrackel: 144

rocket science: 88

pramanj: 86

Francesco Zambon: 83

Ibrahim: 78

Sabari: 62

kapsl: 57

gjevremovic: 49

Xavier: 43

Member Stats:

Guest Posters: 0

Members: 738

Moderators: 7

Admins: 1

Forum Stats:

Groups: 3

Forums: 15

Topics: 1524

Posts: 6451

Newest Members:

jonathonmcintyre, fannielima, kristiewinkle8, rust, christamcdowall, redaahern07571, nigelbdhmp, travistimmons, AnnelCib, dalenegettinger

Moderators: Jouni Aro: 1026, Pyry: 1, Petri: 0, Bjarne Boström: 1026, Jimmy Ni: 26, Matti Siponen: 346, Lusetti: 0

Administrators: admin: 1