Avatar

Please consider registering
guest

sp_LogInOut Log In sp_Registration Register

Register | Lost password?
Advanced Search

— Forum Scope —




— Match —





— Forum Options —





Minimum search word length is 3 characters - maximum search word length is 84 characters

sp_Feed Topic RSS sp_TopicIcon
Custom server certificates and certificate validation
May 3, 2023
7:47, EEST
Avatar
gaurav.kumar3
Member
Members
Forum Posts: 5
Member Since:
March 28, 2023
sp_UserOfflineSmall Offline

Hi,

I’ve been trying to set up some feature like – server certificate selection and utilizing our own trust store for OPCUA cert validation by the server. The onValidate(Cert cert) gives me a Cert file only. The Cert class has a method getCertificate that gets me an X509Certificate and not a certificate chain. It also does not give me a hostname of the client connecting to me. Getting a cert chain (cert and intermediate signing cert) and hostname (for hostname validation) is necessary for making it secure with our application. I had to fool my trust store by making an array (chain) out of that single x509 cert, but it warns me about missing values. Does the SDK validate the hostname internally? Is there a way I could get a cert chain? Smile

Gaurav

May 3, 2023
8:56, EEST
Avatar
Bjarne Boström
Moderator
Moderators
Forum Posts: 1032
Member Since:
April 3, 2012
sp_UserOfflineSmall Offline

Hi,

Multiple things to answer.

Cert chains:
Historically speaking, anything else than self-signed certs have been very rare. In some cases CA certs have been used, but it has been more like one per factory floor, and this CA cert (public key) has then just been copied on all installations. CA certs etc. are slowly becoming more used and the GDS (GlobalDiscoveryServer) will make this easier once we support that. Anyway, at the moment it is not possible to obtain the cert chain. The SDK like wont crash if it gets one, but it will discard the rest of the certs. Thus at the moment it is expected to copy the CA cert public key manually. But this is something we’ll need to improve, just that there has basically not been a need yet.

“It also does not give me a hostname of the client connecting to me”:
In OPC UA only the client side will check the hostname of the server’s cert. Though SDK doesn’t do that yet automatically (might do in some future major version): https://forum.prosysopc.com/forum/opc-ua-java-sdk/using-wildcards-in-subject-alternative-name-for-application-certificate/, but you can check that manually, see sampleconsoleclient MyCertificateValidationListener where CertificateUtils.getDnsOfCertificate(certificate) and CertificateUtils.getIpOfCertificate(certificate) are used. Note that the code itself doesn’t validate it per each connection, just when the cert is to be first accepted, but you could modify that.

Forum Timezone: Europe/Helsinki

Most Users Ever Online: 1919

Currently Online:
16 Guest(s)

Currently Browsing this Page:
1 Guest(s)

Top Posters:

Heikki Tahvanainen: 402

hbrackel: 144

rocket science: 88

pramanj: 86

Francesco Zambon: 83

Ibrahim: 78

Sabari: 62

kapsl: 57

gjevremovic: 49

Xavier: 43

Member Stats:

Guest Posters: 0

Members: 726

Moderators: 7

Admins: 1

Forum Stats:

Groups: 3

Forums: 15

Topics: 1529

Posts: 6471

Newest Members:

gabriellabachus, Deakin, KTP25Zof, Wojciech Kubala, efrennowell431, wilfredostuart, caitlynfajardo, jeromechubb7, franciscagrimwad, adult_gallery

Moderators: Jouni Aro: 1026, Pyry: 1, Petri: 0, Bjarne Boström: 1032, Jimmy Ni: 26, Matti Siponen: 349, Lusetti: 0

Administrators: admin: 1