Please consider registering

sp_LogInOut Log In sp_Registration Register

Register | Lost password?
Advanced Search

— Forum Scope —

— Match —

— Forum Options —

Minimum search word length is 3 characters - maximum search word length is 84 characters

sp_Feed Topic RSS sp_TopicIcon
Custom server certificates and certificate validation
May 3, 2023
7:47, EEST
Forum Posts: 5
Member Since:
March 28, 2023
sp_UserOfflineSmall Offline


I’ve been trying to set up some feature like – server certificate selection and utilizing our own trust store for OPCUA cert validation by the server. The onValidate(Cert cert) gives me a Cert file only. The Cert class has a method getCertificate that gets me an X509Certificate and not a certificate chain. It also does not give me a hostname of the client connecting to me. Getting a cert chain (cert and intermediate signing cert) and hostname (for hostname validation) is necessary for making it secure with our application. I had to fool my trust store by making an array (chain) out of that single x509 cert, but it warns me about missing values. Does the SDK validate the hostname internally? Is there a way I could get a cert chain? Smile


May 3, 2023
8:56, EEST
Bjarne Boström
Forum Posts: 941
Member Since:
April 3, 2012
sp_UserOfflineSmall Offline


Multiple things to answer.

Cert chains:
Historically speaking, anything else than self-signed certs have been very rare. In some cases CA certs have been used, but it has been more like one per factory floor, and this CA cert (public key) has then just been copied on all installations. CA certs etc. are slowly becoming more used and the GDS (GlobalDiscoveryServer) will make this easier once we support that. Anyway, at the moment it is not possible to obtain the cert chain. The SDK like wont crash if it gets one, but it will discard the rest of the certs. Thus at the moment it is expected to copy the CA cert public key manually. But this is something we’ll need to improve, just that there has basically not been a need yet.

“It also does not give me a hostname of the client connecting to me”:
In OPC UA only the client side will check the hostname of the server’s cert. Though SDK doesn’t do that yet automatically (might do in some future major version): https://forum.prosysopc.com/forum/opc-ua-java-sdk/using-wildcards-in-subject-alternative-name-for-application-certificate/, but you can check that manually, see sampleconsoleclient MyCertificateValidationListener where CertificateUtils.getDnsOfCertificate(certificate) and CertificateUtils.getIpOfCertificate(certificate) are used. Note that the code itself doesn’t validate it per each connection, just when the cert is to be first accepted, but you could modify that.

Forum Timezone: Europe/Helsinki

Most Users Ever Online: 518

Currently Online:
7 Guest(s)

Currently Browsing this Page:
1 Guest(s)

Top Posters:

hbrackel: 130

pramanj: 86

ibrahim: 75

rocket science: 72

Sabari: 62

Francesco Zambon: 62

kapsl: 57

gjevremovic: 49

Xavier: 43

fred: 41

Member Stats:

Guest Posters: 0

Members: 651

Moderators: 16

Admins: 1

Forum Stats:

Groups: 3

Forums: 15

Topics: 1415

Posts: 6035

Newest Members:

u310498, ntd, francescac, yahya95, leomajoe, Gus, sdfsdfsdfsd, riatuccker

Moderators: Jouni Aro: 988, Otso Palonen: 32, Tuomas Hiltunen: 5, Pyry: 1, Petri: 0, Bjarne Boström: 941, Heikki Tahvanainen: 402, Jukka Asikainen: 1, moldzh08: 0, Jimmy Ni: 25, Teppo Uimonen: 21, Markus Johansson: 42, Niklas Nurminen: 0, Matti Siponen: 288, Lusetti: 0, Ari-Pekka Soikkeli: 5

Administrators: admin: 1