Avatar

Please consider registering
guest

sp_LogInOut Log In sp_Registration Register

Register | Lost password?
sp_Search Search
Advanced Search
Advanced Search

— Forum Scope —




— Match —





— Forum Options —





Minimum search word length is 3 characters - maximum search word length is 84 characters

sp_Search Search
Go to Bottom
No permission to create posts
sp_Feed Topic RSS sp_TopicIcon
Custom server certificates and certificate validation
May 3, 2023
7:47, EEST
Avatar
gaurav.kumar3
Member
Members
Forum Posts: 5
Member Since:
March 28, 2023
sp_UserOfflineSmall Offline
Go to Top
1sp_Permalink sp_Print

Hi,

I’ve been trying to set up some feature like – server certificate selection and utilizing our own trust store for OPCUA cert validation by the server. The onValidate(Cert cert) gives me a Cert file only. The Cert class has a method getCertificate that gets me an X509Certificate and not a certificate chain. It also does not give me a hostname of the client connecting to me. Getting a cert chain (cert and intermediate signing cert) and hostname (for hostname validation) is necessary for making it secure with our application. I had to fool my trust store by making an array (chain) out of that single x509 cert, but it warns me about missing values. Does the SDK validate the hostname internally? Is there a way I could get a cert chain? Smile

Gaurav

May 3, 2023
8:56, EEST
Avatar
Bjarne Boström
Moderator
Moderators
Forum Posts: 983
Member Since:
April 3, 2012
sp_UserOfflineSmall Offline
Go to Top
2sp_Permalink sp_Print

Hi,

Multiple things to answer.

Cert chains:
Historically speaking, anything else than self-signed certs have been very rare. In some cases CA certs have been used, but it has been more like one per factory floor, and this CA cert (public key) has then just been copied on all installations. CA certs etc. are slowly becoming more used and the GDS (GlobalDiscoveryServer) will make this easier once we support that. Anyway, at the moment it is not possible to obtain the cert chain. The SDK like wont crash if it gets one, but it will discard the rest of the certs. Thus at the moment it is expected to copy the CA cert public key manually. But this is something we’ll need to improve, just that there has basically not been a need yet.

“It also does not give me a hostname of the client connecting to me”:
In OPC UA only the client side will check the hostname of the server’s cert. Though SDK doesn’t do that yet automatically (might do in some future major version): https://forum.prosysopc.com/forum/opc-ua-java-sdk/using-wildcards-in-subject-alternative-name-for-application-certificate/, but you can check that manually, see sampleconsoleclient MyCertificateValidationListener where CertificateUtils.getDnsOfCertificate(certificate) and CertificateUtils.getIpOfCertificate(certificate) are used. Note that the code itself doesn’t validate it per each connection, just when the cert is to be first accepted, but you could modify that.

No permission to create posts
sp_Feed All RSS
Go to top
Forum Timezone: Europe/Helsinki

Most Users Ever Online: 518

Currently Online:
28 Guest(s)

Currently Browsing this Page:
1 Guest(s)

Top Posters:

hbrackel: 135

pramanj: 86

Francesco Zambon: 81

rocket science: 77

ibrahim: 76

Sabari: 62

kapsl: 57

gjevremovic: 49

Xavier: 43

fred: 41

Member Stats:

Guest Posters: 0

Members: 680

Moderators: 16

Admins: 1

Forum Stats:

Groups: 3

Forums: 15

Topics: 1467

Posts: 6260

Newest Members:

sagarchau, elviralangwell4, Donnavek, Eddiefauth, DonaldPooma, fidelduke938316, Jan-Pfizer, DavidROunc, fen.pang@woodside.com, aytule

Moderators: Jouni Aro: 1009, Otso Palonen: 32, Tuomas Hiltunen: 5, Pyry: 1, Petri: 0, Bjarne Boström: 983, Heikki Tahvanainen: 402, Jukka Asikainen: 1, moldzh08: 0, Jimmy Ni: 26, Teppo Uimonen: 21, Markus Johansson: 42, Niklas Nurminen: 0, Matti Siponen: 321, Lusetti: 0, Ari-Pekka Soikkeli: 5

Administrators: admin: 1