12:03, EET
March 16, 2017
Hi,
when trying to connect to a server, I get following exception:
com.prosysopc.ua.ServiceException: Invalid server certificate ServiceResult=Bad_CertificateChainIncomplete (0x810D0000) “The certificate chain is incomplete.” Diagnostics=Diagnostic Info:
Invalid server certificate
com.prosysopc.ua.ServiceException: Invalid server certificate
at com.prosysopc.ua.client.UaClient.av(SourceFile:6314)
at com.prosysopc.ua.client.UaClient.connect(SourceFile:1011)
The SDK version used is 4.10.2-62.
Does this mean the certificate on the server is incorrect?
Is there any way to avoid this?
Thank you!
12:56, EET
Moderators
February 11, 2020
Hello,
The certificate is part of a certificate chain. You will need to somehow get the rest of the certificates in the chain and put them in the issuer certificate store. Most likely this means copying the issuer certificate files to the issuer certificate store folder on the disk.
For an example of defining the issuer certificate store in SampleConsoleServer, see
https://documentation.prosysop…..l#line.698
If you can trust the issuer certificates, you can copy them to the application certificate store instead.
That being said, there might be other problems in the certificate you’re attempting to validate or in the issuer certificates, so there could be further steps required after you’ve provided the rest of the chain for validation.
13:46, EET
March 16, 2017
Matti Siponen said:
The certificate is part of a certificate chain. You will need to somehow get the rest of the certificates in the chain and put them in the issuer certificate store. Most likely this means copying the issuer certificate files to the issuer certificate store folder on the disk.
So by ‘copying the issuer certificate files to the issuer certificate store folder on the disk.’ you mean on the OpcUa Server, right?
14:46, EET
April 3, 2012
Hi,
No, we meant on the client side disk.
(Though yes, the linked sample happened to be the SampleConsoleServer, but it was meant to make the more general point of how to initialize the store properly. https://documentation.prosysop…..#line.1453 is the client version, but the SDK uses the same implementation for both sides.)
The client gives that error if it could not find the CA certificate used to sign the server-sent certificate (more specifically, all certs used in the whole signing chain; typically there are 2, CA + Leaf, but there could e.g. be 3, RootCA, IntermediateCA, Leaf, or more). You must add it/them so that the client knows them. This can be done either with the issuers store, ‘PKI/CA/issuers/certs’, or with the normal store, ‘PKI/CA/certs’. Using the issuers store doesn’t convey trust to the CA itself; it will only be used for chain validation (and if a revocation list has been added, for that as well). Using the normal store causes the client to trust all certs signed by that CA.
This is somewhat due to history, because having non-self-signed certs is really rare. If you had CA-signed certs, then typically one CA would be made for a “factory floor” and used to sign all applications (and then one would have that CA cert in the normal store so the apps trust each other automatically).
SDK 5.5.0 added some initial support for even understanding cert chains, but for now it was mostly for sending one, as far as I remember. Though, even in the future not all servers might send the full chain, even if they use a CA-signed cert.
In most cases you should be able to ask the server maintainer, or, if you have access to the machine running the server, typically it would be next to the server’s normal certificate file. If not, ask the maintainer to ask whoever created the certificate.
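The following script is an added example, not code from this thread, from Prosys or from the OPC UA SDK. It builds a RootCA → IntermediateCA → Leaf chain with openssl and then replays the three situations the two answers above describe, using the client-side folder names given in the last reply: PKI/CA/certs as the trusted store and PKI/CA/issuers/certs as the issuer store that only completes the chain. It assumes openssl 1.1.0 or newer on PATH; the CN values, the URI in the subjectAltName, the file names and the work directories are made up for the demo, and the OK/CHAIN_INCOMPLETE/UNTRUSTED_ROOT labels are this script's own, not SDK status codes.

```shell
#!/bin/sh
# Added example (not from the forum thread or the Prosys SDK). Assumes
# openssl 1.1.0+ on PATH. All names, subjects and paths below are invented.

# make_chain DIR: writes root.crt, inter.crt and leaf.crt (plus keys) into DIR.
make_chain() {
    dir=$1
    mkdir -p "$dir"
    cat > "$dir/ext.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[leaf_ext]
basicConstraints = critical,CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = URI:urn:example:factory:opcua-server
subjectKeyIdentifier = hash
EOF
    # Self-signed root CA (the "factory floor" CA from the reply).
    openssl req -x509 -new -newkey rsa:2048 -nodes -days 3650 \
        -keyout "$dir/root.key" -out "$dir/root.crt" -subj "/CN=Factory Root CA" \
        -config "$dir/ext.cnf" -extensions ca_ext 2>/dev/null
    # Intermediate CA, signed by the root.
    openssl req -new -newkey rsa:2048 -nodes -keyout "$dir/inter.key" \
        -out "$dir/inter.csr" -subj "/CN=Factory Intermediate CA" \
        -config "$dir/ext.cnf" 2>/dev/null
    openssl x509 -req -in "$dir/inter.csr" -days 1825 -CA "$dir/root.crt" \
        -CAkey "$dir/root.key" -CAcreateserial -out "$dir/inter.crt" \
        -extfile "$dir/ext.cnf" -extensions ca_ext 2>/dev/null
    # Leaf: the OPC UA server's application certificate, signed by the intermediate.
    openssl req -new -newkey rsa:2048 -nodes -keyout "$dir/leaf.key" \
        -out "$dir/leaf.csr" -subj "/CN=OpcUaServer" -config "$dir/ext.cnf" 2>/dev/null
    openssl x509 -req -in "$dir/leaf.csr" -days 365 -CA "$dir/inter.crt" \
        -CAkey "$dir/inter.key" -CAcreateserial -out "$dir/leaf.crt" \
        -extfile "$dir/ext.cnf" -extensions leaf_ext 2>/dev/null
}

# bundle DIR OUT: concatenates every *.crt in a store folder into one PEM file.
bundle() {
    : > "$2"
    for f in "$1"/*.crt; do
        if [ -f "$f" ]; then cat "$f" >> "$2"; fi
    done
}

# client_check APPDIR LEAF: validates LEAF the way the reply describes the client
# doing it. PKI/CA/certs holds the trust anchors; PKI/CA/issuers/certs is passed
# as -untrusted, so it can complete the chain but never conveys trust.
# Prints OK, CHAIN_INCOMPLETE, UNTRUSTED_ROOT or FAILED (labels are this script's own).
client_check() {
    app=$1; leaf=$2
    bundle "$app/PKI/CA/certs" "$app/trusted.pem"
    bundle "$app/PKI/CA/issuers/certs" "$app/issuers.pem"
    set -- -no-CAfile -no-CApath          # ignore the OS trust store entirely
    if [ -s "$app/trusted.pem" ]; then set -- "$@" -CAfile "$app/trusted.pem"; fi
    if [ -s "$app/issuers.pem" ]; then set -- "$@" -untrusted "$app/issuers.pem"; fi
    if out=$(openssl verify "$@" "$leaf" 2>&1); then
        echo OK
    elif echo "$out" | grep -q "unable to get local issuer certificate"; then
        echo CHAIN_INCOMPLETE   # the openssl counterpart of Bad_CertificateChainIncomplete
    elif echo "$out" | grep -q "certificate in certificate chain"; then
        echo UNTRUSTED_ROOT     # chain completes, but no anchor is in the trusted store
    else
        echo FAILED
    fi
}

# demo WORKDIR: the three situations discussed in the thread.
demo() {
    work=$1
    make_chain "$work/server"
    app="$work/client"
    mkdir -p "$app/PKI/CA/certs" "$app/PKI/CA/issuers/certs"
    # 1. Root trusted, server sent only its leaf: the intermediate is missing.
    cp "$work/server/root.crt" "$app/PKI/CA/certs/"
    echo "root trusted, issuer store empty:        $(client_check "$app" "$work/server/leaf.crt")"
    # 2. Copy the intermediate into the issuer store: chain completes, root anchors it.
    cp "$work/server/inter.crt" "$app/PKI/CA/issuers/certs/"
    echo "root trusted, intermediate in issuers:   $(client_check "$app" "$work/server/leaf.crt")"
    # 3. Everything in the issuer store only: chain completes, nothing is trusted.
    mv "$app/PKI/CA/certs/root.crt" "$app/PKI/CA/issuers/certs/"
    echo "root and intermediate in issuers only:   $(client_check "$app" "$work/server/leaf.crt")"
}

demo "$(mktemp -d)"
```

Situation 1 is the error from the first post; situation 2 is the fix both replies give; situation 3 shows why copying the issuer files alone is not enough when the client has not been told to trust the CA. To trust every application the factory CA signs, the root goes into PKI/CA/certs, as the last reply says.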