15:51, EEST
May 16, 2017
Hello,
I have this error when trying to connect to an OPC-UA server using the ProSys Java client SDK. Using the same certificate in UaExpert works, so I guess the issue is with my code. The server is a B&R CPU. I cannot figure out which part of the certificate should match the URI in the application description, nor whether it has to match something in the client or the server certificate.
Here are the commands used to generate the certificate:
# Create RootCA cert
openssl genrsa -des3 -out ./certs/OpcUa_CA_key.key 2048
openssl req -x509 -new -nodes -key ./certs/OpcUa_CA_key.key -days 3000 -out ./certs/OpcUA_CA.pem -config OpcUA_openssl.cfg -extensions v3_req
openssl x509 -outform der -in ./certs/OpcUA_CA.pem -out ./certs/OpcUA_CA.der
cp ./certs/OpcUA_CA.der ./certs/OpcUA_CA.cer
cp ./certs/OpcUA_CA_key.key ./certs/OpcUA_CA_key.pem
# Create Server cert
openssl genrsa -out ./certs/OpcUa_Server_key.key 2048
openssl req -new -key ./certs/OpcUa_Server_key.key -out ./certs/OpcUa_Server.csr
openssl x509 -req -in ./certs/OpcUa_Server.csr -CA ./certs/OpcUA_CA.pem -CAkey ./certs/OpcUA_CA_key.key -CAcreateserial -out ./certs/OpcUa_Server.der -outform der -days 3000 -extfile OpcUA_openssl.cfg -extensions v4_req
cp ./certs/OpcUa_Server.der ./certs/OpcUa_Server.cer
cp ./certs/OpcUa_Server_key.key ./certs/OpcUa_Server_key.pem
# Create App cert
openssl genrsa -out ./certs/OpcUa_Client_key.key 2048
openssl req -new -key ./certs/OpcUa_Client_key.key -out ./certs/OpcUa_Client.csr
openssl x509 -req -in ./certs/OpcUa_Client.csr -CA ./certs/OpcUA_CA.pem -CAkey ./certs/OpcUA_CA_key.key -CAcreateserial -out ./certs/OpcUa_Client.der -outform der -days 3000 -extfile OpcUA_openssl.cfg -extensions v4_req
cp ./certs/OpcUa_Client.der ./certs/OpcUa_Client.cer
cp ./certs/OpcUa_Client_key.key ./certs/OpcUa_Client_key.pem
Here is the client code:
ApplicationIdentity identity = new ApplicationIdentity([path to the cert generated above], [path to the pkey generated above], "mypass");
identity.getApplicationDescription().setApplicationName(new LocalizedText(OpcUtils.getAppName(), Locale.ENGLISH));
identity.getApplicationDescription().setApplicationUri("urn:pms-stubbed");
identity.getApplicationDescription().setProductUri("urn:pms-stubbed");
identity.getApplicationDescription().setApplicationType(ApplicationType.Client);
Note: I used 'urn:pms-stubbed' as the common name to generate my client CSR.
Can you help?
Thanks,
Patrick
12:34, EEST
April 3, 2012
Hi,
The Subject Alternative Name part of the certificate must have
URL=(application uri)
And the ApplicationDescription.ApplicationUri must be the same.
Either side might reject the connection unless this is done. It is also the default behaviour of the Java SDK. However, if needed, you can add a CertificateValidationListener to the PkiFileBasedCertificateValidator to change this; see the MyCertificateValidationListener class in the SampleConsoleClient example.
– Bjarne
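As an added illustration of the rule above (this is example code, not part of the Prosys SDK or of the original post): the OPC UA stack compares ApplicationDescription.ApplicationUri against the URI-type entry of the certificate's subjectAltName extension, not against the common name. With OpenSSL that entry is produced by a line such as `subjectAltName = URI:urn:pms-stubbed` in the extension section named by `-extensions`. The Java below reads the SAN URIs from a DER certificate with the standard java.security.cert API and checks them against the configured URI; the file path and the URI are assumed values.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.cert.CertificateFactory;
import java.security.cert.CertificateParsingException;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collection;
import java.util.List;

/**
 * Checks that an OPC UA application instance certificate carries the
 * ApplicationUri as a URI entry in its Subject Alternative Name, which is
 * what Bad_CertificateUriInvalid complains about when it is missing.
 * Added example; not part of the Prosys SDK.
 */
public final class ApplicationUriCheck {

    // GeneralName tag for uniformResourceIdentifier as returned by
    // X509Certificate.getSubjectAlternativeNames()
    private static final int SAN_TYPE_URI = 6;

    private ApplicationUriCheck() {}

    /** Loads a DER-encoded X.509 certificate from disk. */
    public static X509Certificate loadDer(String path) throws Exception {
        try (InputStream in = new FileInputStream(path)) {
            return (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(in);
        }
    }

    /** Returns every URI-type SAN entry of the certificate (empty list if none). */
    public static List<String> sanUris(X509Certificate cert) throws CertificateParsingException {
        List<String> uris = new ArrayList<>();
        Collection<List<?>> sans = cert.getSubjectAlternativeNames();
        if (sans == null) {
            return uris; // certificate has no subjectAltName extension at all
        }
        for (List<?> entry : sans) {
            // each entry is [Integer type, Object value]
            if (((Integer) entry.get(0)) == SAN_TYPE_URI) {
                uris.add((String) entry.get(1));
            }
        }
        return uris;
    }

    /** True if applicationUri is one of the certificate's URI SAN entries. */
    public static boolean matchesApplicationUri(X509Certificate cert, String applicationUri)
            throws CertificateParsingException {
        return sanUris(cert).contains(applicationUri);
    }

    public static void main(String[] args) throws Exception {
        // Assumed path and URI; substitute your own values.
        X509Certificate cert = loadDer("certs/OpcUa_Client.der");
        String applicationUri = "urn:pms-stubbed";

        List<String> uris = sanUris(cert);
        if (uris.isEmpty()) {
            System.out.println("No URI entry in subjectAltName: the stack will report Bad_CertificateUriInvalid.");
        } else if (!uris.contains(applicationUri)) {
            System.out.println("subjectAltName URIs " + uris + " do not contain " + applicationUri);
        } else {
            System.out.println("ApplicationUri matches the certificate: " + applicationUri);
        }
    }
}
```

Run it against the client certificate before starting the SDK; if the list of URIs is empty, the certificate was issued without the SAN extension and has to be reissued rather than worked around in a validator, because the check happens inside the stack before any application-level validator is consulted.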
16:46, EEST
May 16, 2017
I implemented the CertificateValidator interface. I return Status.GOOD always. I gave this implementation to
UaClient.setCertificateValidator(CertificateValidator);
and UaClient.getHttpsSettings().setCertificateValidator(CertificateValidator);
However, this implementation never gets called. It looks like the request fails earlier and deeper in the opcfoundation stack:
Caused by: org.opcfoundation.ua.common.ServiceFaultException: ServiceFault: Bad_CertificateUriInvalid (0x80170000) "The URI specified in the ApplicationDescription does not match the URI in the Certificate."
Diagnostic Info:
at org.opcfoundation.ua.transport.tcp.io.SecureChannelTcp.serviceRequest(Unknown Source)
at org.opcfoundation.ua.transport.tcp.io.SecureChannelTcp.serviceRequest(Unknown Source)
at org.opcfoundation.ua.application.Client.createSession(Unknown Source)
17:26, EEST
April 3, 2012
19:46, EEST
May 16, 2017
Hi,
I set the application URI to the Subject Alternate name and now, both client and server are happy.
The problem I have now is to validate the server certificate.
I wanted to allow connection only to servers that present a certificate signed by defined CA.
How can I get the full chain of certificates of the server?
ApplicationIdentity.getCertificate() contains only the last certificate of the chain, no?
ApplicationIdentity.getCertificate().getCertificate().getIssuerX500Principal() gives me more information about the issuer, but not really the CA public certificate. Is it enough to check this part?
Thanks,
Patrick
10:26, EEST
April 17, 2013
Hi,
You could use the 'verify' method in this case, meaning:
where the 'key' would be the public key of the CA certificate.
However, it's good to note that the default example implementation PkiFileBasedCertificateValidator already handles this validation task. You only need to place the trusted CA certificates in the PKI/CA/certs folder. After this, the client-side PkiFileBasedCertificateValidator will check whether the server application instance certificate is signed by one of these trusted CAs.
Do you have some reason not to use the PkiFileBasedCertificateValidator approach? Of course there are many possible reasons for overriding this basic implementation, but they haven't been explained yet. In an earlier post Bjarne mentioned that you can change the default behaviour with a CertificateValidationListener attached to PkiFileBasedCertificateValidator with the PkiFileBasedCertificateValidator.setValidationListener method. But he did not mean to say that you should implement all the functionality yourself.
Also, just to mention the subject, please see the chapter "5.4 Validating Server Certificates" in the client tutorial if you haven't done so yet.
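To make the two options in this answer concrete, here is an added example (not Prosys SDK code and not from the original post) written with the standard java.security.cert API. It shows the bare `verify(key)` check against a CA public key that the answer mentions, and beside it a PKIX path validation against a directory of trusted CA certificates, which is the kind of check the PKI/CA/certs folder approach performs: besides the signature it also verifies the validity period and the CA's basicConstraints. The server certificate is assumed to have been saved to a DER file, and the trusted-CA directory name is an assumption too; revocation checking is deliberately left disabled because the example has no CRL or OCSP source.

```java
import java.io.File;
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.GeneralSecurityException;
import java.security.cert.CertPath;
import java.security.cert.CertPathValidator;
import java.security.cert.CertPathValidatorException;
import java.security.cert.CertificateFactory;
import java.security.cert.PKIXParameters;
import java.security.cert.TrustAnchor;
import java.security.cert.X509Certificate;
import java.util.Collections;
import java.util.HashSet;
import java.util.Set;

/**
 * Validates a server application instance certificate against a set of
 * trusted CA certificates. Added example; not part of the Prosys SDK.
 */
public final class ServerCertificateValidation {

    private ServerCertificateValidation() {}

    /** Loads one DER-encoded X.509 certificate from a file. */
    public static X509Certificate loadCert(File file) throws Exception {
        try (InputStream in = new FileInputStream(file)) {
            return (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(in);
        }
    }

    /** Reads every certificate in a directory as a trust anchor (a PKI/CA/certs-style folder). */
    public static Set<TrustAnchor> loadTrustAnchors(File dir) throws Exception {
        Set<TrustAnchor> anchors = new HashSet<>();
        File[] files = dir.listFiles();
        if (files == null) {
            throw new IllegalArgumentException("not a readable directory: " + dir);
        }
        for (File f : files) {
            if (f.isFile()) {
                anchors.add(new TrustAnchor(loadCert(f), null));
            }
        }
        return anchors;
    }

    /**
     * Minimal check from the answer: the certificate's signature verifies
     * with the CA's public key. This proves who signed it but says nothing
     * about expiry or whether the signer is actually allowed to act as a CA.
     */
    public static boolean signedBy(X509Certificate cert, X509Certificate ca) {
        try {
            cert.verify(ca.getPublicKey());
            return true;
        } catch (GeneralSecurityException e) {
            return false;
        }
    }

    /**
     * Full PKIX validation: signature, validity period and basicConstraints of
     * the chain from the server certificate up to one of the trust anchors.
     * Throws CertPathValidatorException when the certificate is not acceptable.
     */
    public static void validateChain(X509Certificate serverCert, Set<TrustAnchor> anchors)
            throws GeneralSecurityException {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        CertPath path = cf.generateCertPath(Collections.singletonList(serverCert));
        PKIXParameters params = new PKIXParameters(anchors);
        params.setRevocationEnabled(false); // no CRL/OCSP source in this example
        CertPathValidator.getInstance("PKIX").validate(path, params);
    }

    public static void main(String[] args) throws Exception {
        // Assumed locations; substitute your own.
        X509Certificate serverCert = loadCert(new File("certs/server_as_received.der"));
        Set<TrustAnchor> anchors = loadTrustAnchors(new File("PKI/CA/certs"));

        try {
            validateChain(serverCert, anchors);
            System.out.println("Server certificate chains to a trusted CA: " + serverCert.getSubjectX500Principal());
        } catch (CertPathValidatorException e) {
            System.out.println("Rejecting server certificate: " + e.getMessage());
        }
    }
}
```

Comparing only `getIssuerX500Principal()` with the CA's subject name, as asked in the question, is not a sufficient check: any certificate can carry that issuer name, so it is the signature verification (or the PKIX validation that includes it) that establishes trust. If the server presents intermediate CAs, add them to the list passed to `generateCertPath`, end-entity first.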