Log In
Register
Forum
Topic RSS
23:45, EEST
July 7, 2022
Offline
Hello,
I am a bit new to PKI terminology, so please forgive me if I misuse a term.
I am trying to make use of one or more intermediate certificates in a UaClient. I see that it is possible to sign a client’s generated Application Identity certificate with an issuer KeyPair. Then if a server trusts the issuer, it trusts the client’s certificate as it was signed by the issuer. However, is it possible to create and send longer chains of trust?
For example. Say the certificate chain is C -> B -> A, where:
A is the client’s application certificate (issued by B)
B is an intermediate (issued by C)
C is a root CA trusted by the server (self-signed)
Is it a supported feature for the client to include this entire trust chain when establishing the initial secure channel to the server? If so, could you please point me in the right direction for accomplishing that? Thank you.
10:31, EEST
Moderators
February 11, 2020
Offline
Hello,
Using longer certificate chains consisting of an application instance certificate, a varying number of intermediate CA certificates and a root CA certificate is supported by the SDK. At the moment the SDK does not support sending the entire certificate chain or processing more than the “leaf certificate” (e.g. application instance certificate) of a received certificate chain.
You will need to transfer the CA certificates of the certificate chain to Server applications manually and trust them. How to do this depends on Server application. For Server applications developed with Prosys OPC UA SDK for Java, copying the DER files of the certificates to PKI\CA\certs folder (assuming the default folder structure is being used) will make the Server trust those certificates. Just make sure that the same certificates are not also in PKI\CA
ejected folder or the Server won’t trust those certificates.
1 Guest(s)
