Avatar
Please consider registering
guest
sp_LogInOut Log Insp_Registration Register
Register | Lost password?
sp_Search Search
Advanced Search
Advanced Search
Forum Scope


Match



Forum Options



Minimum search word length is 3 characters - maximum search word length is 84 characters
sp_Search Search
Go to Bottom
sp_Feed Topic RSSsp_TopicIcon
PKCS#1 vs PKCS#8 Certificate Support for User authentication in Prosys OPC UA SDK 5.2.6 & Simulator Server 5.5.4
August 13, 2025
8:47, EEST
Avatar
Krishnavarma
New Member
Members
Forum Posts: 2
Member Since:
September 28, 2024
sp_UserOfflineSmall Offline
Go to Top
1sp_Permalink sp_Print

We have developed an OPC UA connector using Prosys OPC UA Java SDK 5.2.6. The server we are testing against is Prosys OPC UA Simulation Server 5.5.4-384, with all security modes enabled (Anonymous, UserName/Password, and Certificate).

Our setup and observations are as follows:

Client Certificates:
We are using self-signed certificates along with a private key and password to connect to the server.
The certificates are generated in PKCS#1 format (encrypted) and PKCS#8 format for testing.

Observed Behavior:
When using PKCS#1 encrypted certificates, the server rejects the connection with Bad_IdentityTokenRejected.
The rejected certificate does not appear in the Simulation Server’s RejectedCertificates folder.
When using PKCS#8 certificates, our OPC UA client (built with SDK 5.2.6) fails to process them.
To verify further, we tested the same certificates with Prosys OPC UA Browser 5.1.2-267:
The browser accepts only PKCS#1 certificates, not PKCS#8.
The Simulation Server accepts PKCS#1 certificates only if they are not encrypted. If PKCS#1 is encrypted (with password), the server rejects the user token.

Questions:

What certificate formats (PKCS#1, PKCS#8, encrypted vs unencrypted) are officially supported by:
Prosys OPC UA SDK 5.2.6 (client side)
Prosys OPC UA Simulation Server 5.5.4 (server side)
Are there known constraints or compatibility issues with password-protected PKCS#1 keys in the Simulation Server?
Is there a recommended certificate format for mutual authentication with encryption enabled?

August 13, 2025
14:07, EEST
Avatar
Bjarne Boström
Moderator
Moderators
Forum Posts: 1067
Member Since:
April 3, 2012
sp_UserOfflineSmall Offline
Go to Top
2sp_Permalink sp_Print

Hi,

There is some ambiquity do you mean connection certificates (i.e. ApplicationInstanceCertificates) or user authentication certificates. Or both. ApplicationInstanceCertificates are used for connection i.e. OpenSecureChannel and both sides must trust eachother for the secure channel to be formed. User authentication certs are used in ActivateSession, similar to having a username+password (or think when using e.g. Git versioning).

The Simulation Server’s Certificates tab only shows connection certs, not user authentication certs (this was added much later). User certs must be handled via the filesystem, check in USER_HOME_DIRECTORY\.prosysopc\prosys-opc-ua-simulation-server\USERS_PKI (possibly you checked prosys-opc-ua-simulation-server\PKI only) . The Bad_IdentityTokenRejected would indicate that the cert was rejected, i.e. most likely it is not inside USERS_PKI\CA\certs (but it should be inside rejected folder next to the certs one). Ensure it is not in both certs and rejected folder.

Some terms in this topic in general can be used a bit loosely, but in short there is the public and private key parts of a keypair. Certificate is the public key part with additional info such as signatures and so on. The private key is completely separate from the certificate (but is needed to sign+encrypt data, which can be verified using the public key). The private key is never transmitted. For the certificate, i.e. public parts to my knowledge “do not contain any encryption”. The only encrypted part can be the private key. Or some storage formats do combine the 2 and that could maybe be encrypted, but we basically do not support those. The only properly tested way is the certiticate as a .der file and the private key as a .pem file.

Regarding loading a .pem + PKCS#8 we have at least one known not-yet-fixed issue that it doesn’t work for some encrypted format. It should be noted that previously it was assumed for .pem to “be a format of itself”. Anyway, if the .pem is opened in a text editor it should look something like this and then it should work:
—–BEGIN RSA PRIVATE KEY—–
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,48A0F4AD3AE1975200E78CB7F8075BC2

GuyZQi…
for a password-protected key. For a non-password protected key it would look like:
—–BEGIN RSA PRIVATE KEY—–
MIIEvA…

most likely that is “PKCS#1” format.

Regarding your questions, there shouldn’t be any difference of supported key types regarding client or server.

User certs do not have “mutual authentication”, so for that I assume you mean connection certs. 2048 bit RSA keys work with all currently used security policies, those are also what our apps make. That is also the default in our samples and when not giving any size for the SDK. Note that in the future there can be also ECC keys, but we do not yet support them (but as far we know they aren’t used out there either yet).

sp_Feed All RSS
Go to top
Forum Timezone: Europe/Helsinki
Most Users Ever Online: 1919
Currently Online:
Guest(s) 62
Currently Browsing this Page:
1 Guest(s)
Top Posters:
Heikki Tahvanainen: 402
hbrackel: 144
rocket science: 100
pramanj: 86
Francesco Zambon: 83
Ibrahim: 78
Sabari: 62
kapsl: 57
gjevremovic: 49
Xavier: 43
Member Stats:
Guest Posters: 0
Members: 773
Moderators: 7
Admins: 1
Forum Stats:
Groups: 3
Forums: 15
Topics: 1558
Posts: 6567
Newest Members:
willardmackellar, vnedrenie_koPi, shaylaholton205, PhilesiaGen, rosaurathiel524, Arthurobext, stefanmacneil3, ralni, illuminationscanada, PhillipGit
Moderators: Jouni Aro: 1039, Pyry: 1, Petri: 1, Bjarne Boström: 1054, Jimmy Ni: 26, Matti Siponen: 359, Lusetti: 0
Administrators: admin: 1