Hi,

The intended way is to add a DefaultCertificateValidatorListener as in the sampleconsoleclient example com.prosysopc.ua.samples.client.MyCertificateValidationListener. Then you can e.g. in this case log (or have e.g. in the client side UI popup to accept the cert) when CertificateCheck.Uri is not part of the EnumSet passedChecks. .

In general I should note that we have observed that the current DefaultCertificateValidator is not good enough for all situations, plus some OPC UA 1.05 clarifications means we’ll have to do changes in SDK 5.x that we are working on right now (might not be in the first 5.0.0 release).

Thanks anyway for the note. It would seem we do have a bit mixed logging levels, some of the more recent checks do log on ERROR or WARN, but some of them also cannot be disabled (e.g. such that the x509 cert is of version 3) and some cannot be reacted to, just be disabled. Most of the “older ones” are in DEBUG.

Though, I would lean more towards fixing this by having them all in DEBUG level, at least once it is possible to observed them via the listener. I’m not like 100% sure on this, but if it is in ERROR or WARN, this might just be something outside of your control as a server developer, plus if a client continously would try to connect with such cert it would just flood the logs, which is also not good. That being said, this is exactly what would happen currently if the x509 version would not be ‘3’).