Please consider registering

sp_LogInOut Log In sp_Registration Register

Register | Lost password?
Advanced Search

— Forum Scope —

— Match —

— Forum Options —

Minimum search word length is 3 characters - maximum search word length is 84 characters

sp_Feed Topic RSS sp_TopicIcon
Certificate chains in the client's application identity.
August 11, 2022
23:45, EEST
New Member
Forum Posts: 1
Member Since:
July 7, 2022
sp_UserOfflineSmall Offline


I am a bit new to PKI terminology, so please forgive me if I misuse a term.

I am trying to make use of one or more intermediate certificates in a UaClient. I see that it is possible to sign a client’s generated Application Identity certificate with an issuer KeyPair. Then if a server trusts the issuer, it trusts the client’s certificate as it was signed by the issuer. However, is it possible to create and send longer chains of trust?

For example. Say the certificate chain is C -> B -> A, where:
A is the client’s application certificate (issued by B)
B is an intermediate (issued by C)
C is a root CA trusted by the server (self-signed)

Is it a supported feature for the client to include this entire trust chain when establishing the initial secure channel to the server? If so, could you please point me in the right direction for accomplishing that? Thank you.

August 12, 2022
10:31, EEST
Matti Siponen

Forum Posts: 288
Member Since:
February 11, 2020
sp_UserOfflineSmall Offline


Using longer certificate chains consisting of an application instance certificate, a varying number of intermediate CA certificates and a root CA certificate is supported by the SDK. At the moment the SDK does not support sending the entire certificate chain or processing more than the “leaf certificate” (e.g. application instance certificate) of a received certificate chain.

You will need to transfer the CA certificates of the certificate chain to Server applications manually and trust them. How to do this depends on Server application. For Server applications developed with Prosys OPC UA SDK for Java, copying the DER files of the certificates to PKI\CA\certs folder (assuming the default folder structure is being used) will make the Server trust those certificates. Just make sure that the same certificates are not also in PKI\CA
ejected folder or the Server won’t trust those certificates.

Forum Timezone: Europe/Helsinki

Most Users Ever Online: 518

Currently Online:
10 Guest(s)

Currently Browsing this Page:
1 Guest(s)

Top Posters:

hbrackel: 130

pramanj: 86

ibrahim: 75

rocket science: 72

Francesco Zambon: 62

Sabari: 62

kapsl: 57

gjevremovic: 49

Xavier: 43

fred: 41

Member Stats:

Guest Posters: 0

Members: 651

Moderators: 16

Admins: 1

Forum Stats:

Groups: 3

Forums: 15

Topics: 1415

Posts: 6035

Newest Members:

u310498, ntd, francescac, yahya95, leomajoe, Gus, sdfsdfsdfsd, riatuccker

Moderators: Jouni Aro: 988, Otso Palonen: 32, Tuomas Hiltunen: 5, Pyry: 1, Petri: 0, Bjarne Boström: 941, Heikki Tahvanainen: 402, Jukka Asikainen: 1, moldzh08: 0, Jimmy Ni: 25, Teppo Uimonen: 21, Markus Johansson: 42, Niklas Nurminen: 0, Matti Siponen: 288, Lusetti: 0, Ari-Pekka Soikkeli: 5

Administrators: admin: 1