7:47, EEST
March 28, 2023
Hi,
I’ve been trying to set up some features like server certificate selection and utilizing our own trust store for OPCUA cert validation by the server. The onValidate(Cert cert) gives me a Cert file only. The Cert class has a method getCertificate that gets me an X509Certificate and not a certificate chain. It also does not give me the hostname of the client connecting to me. Getting a cert chain (cert and intermediate signing cert) and hostname (for hostname validation) is necessary for making it secure with our application. I had to fool my trust store by making an array (chain) out of that single x509 cert, but it warns me about missing values. Does the SDK validate the hostname internally? Is there a way I could get a cert chain?
Gaurav
8:56, EEST
April 3, 2012
Hi,
Multiple things to answer.
Cert chains:
Historically speaking, anything other than self-signed certs has been very rare. In some cases CA certs have been used, but it has been more like one per factory floor, and this CA cert (public key) has then just been copied to all installations. CA certs etc. are slowly becoming more used, and the GDS (GlobalDiscoveryServer) will make this easier once we support that. Anyway, at the moment it is not possible to obtain the cert chain. The SDK likely won’t crash if it gets one, but it will discard the rest of the certs. Thus at the moment it is expected to copy the CA cert public key manually. But this is something we’ll need to improve, it is just that there has basically not been a need yet.
“It also does not give me a hostname of the client connecting to me”:
In OPC UA only the client side will check the hostname of the server’s cert. Though the SDK doesn’t do that yet automatically (it might in some future major version): https://forum.prosysopc.com/forum/opc-ua-java-sdk/using-wildcards-in-subject-alternative-name-for-application-certificate/, you can check that manually, see sampleconsoleclient MyCertificateValidationListener where CertificateUtils.getDnsOfCertificate(certificate) and CertificateUtils.getIpOfCertificate(certificate) are used. Note that the code itself doesn’t validate it per each connection, just when the cert is to be first accepted, but you could modify that.
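The matching step a client would apply to the DNS and IP entries taken from the server certificate, as an added example (not code from the SDK or from the answer above); written in Python against constructed SAN values, the names and helpers here are assumptions, not SDK API.

```python
import ipaddress


def _dns_name_matches(pattern: str, name: str) -> bool:
    """Compare one dNSName SAN entry against the expected hostname.

    A wildcard is honoured only as the entire leftmost label
    ("*.example.com"), it matches exactly one label, and it is refused
    when it would cover a whole public suffix such as "*.com".
    """
    p_labels = pattern.split(".")
    n_labels = name.split(".")
    if len(p_labels) != len(n_labels) or p_labels[1:] != n_labels[1:]:
        return False
    if p_labels[0] == "*":
        return len(p_labels) >= 3
    return p_labels[0] == n_labels[0]


def hostname_matches(expected: str, dns_names, ip_addresses) -> bool:
    """True when the endpoint host the client connected to is covered by the
    certificate's SAN entries (dNSName list and iPAddress list).

    An IP literal must equal an iPAddress entry (a dNSName holding the same
    digits does not count); DNS names compare case-insensitively and ignore a
    trailing dot.
    """
    expected = expected.rstrip(".").lower()
    try:
        wanted_ip = ipaddress.ip_address(expected)
    except ValueError:
        wanted_ip = None
    if wanted_ip is not None:
        for entry in ip_addresses:
            try:
                if ipaddress.ip_address(entry) == wanted_ip:
                    return True
            except ValueError:
                continue  # malformed entry never matches
        return False
    return any(_dns_name_matches(san.rstrip(".").lower(), expected)
               for san in dns_names)


if __name__ == "__main__":
    # Constructed SAN contents of a hypothetical server certificate.
    dns, ips = ["opcua-server.factory.example", "*.plant.example"], ["10.0.0.5"]
    for host in ["OPCUA-Server.factory.example", "line3.plant.example",
                 "a.b.plant.example", "10.0.0.5", "10.0.0.6"]:
        print(host, "->", "accept" if hostname_matches(host, dns, ips) else "reject")
```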