The URI specified in the ApplicationDescription does not match the URI in the Certificate. | OPC UA SDK for JavaProsys Forum

Please consider registering
guest

Forum

OPC UA SDK for Java
sp_ArrowRight

The URI specified in the ApplicationDescription does not match the URI in the Certificate.

Topic RSS

The URI specified in the ApplicationDescription does not match the URI in the Certificate.

September 4, 2017
15:51, EEST

patduflot

Member

Members

Forum Posts: 6

Member Since:
May 16, 2017

Offline

Hello,

I have this error when trying to connect to OPC-UA server using ProSys Java client SDK. Using the same certificate in UaExpert works, so I guess the issue is with my code. The server is a B&R CPU. I cannot figure out which part of the certificate should match the URI in the application description. Neither if it has to match something in the client or the server certificate.

Here are the commands used to generate the certificate:
# Create RootCA cert
openssl genrsa -des3 -out ./certs/OpcUa_CA_key.key 2048
openssl req -x509 -new -nodes -key ./certs/OpcUa_CA_key.key -days 3000 -out ./certs/OpcUA_CA.pem -config OpcUA_openssl.cfg -extensions v3_req
openssl x509 -outform der -in ./certs/OpcUA_CA.pem -out ./certs/OpcUA_CA.der
cp ./certs/OpcUA_CA.der ./certs/OpcUA_CA.cer
cp ./certs/OpcUA_CA_key.key ./certs/OpcUA_CA_key.pem

# Create Server cert
openssl genrsa -out ./certs/OpcUa_Server_key.key 2048
openssl req -new -key ./certs/OpcUa_Server_key.key -out ./certs/OpcUa_Server.csr
openssl x509 -req -in ./certs/OpcUa_Server.csr -CA ./certs/OpcUA_CA.pem -CAkey ./certs/OpcUA_CA_key.key -CAcreateserial -out ./certs/OpcUa_Server.der -outform der -days 3000 -extfile OpcUA_openssl.cfg -extensions v4_req
cp ./certs/OpcUa_Server.der ./certs/OpcUa_Server.cer
cp ./certs/OpcUa_Server_key.key ./certs/OpcUa_Server_key.pem

# Create App cert
openssl genrsa -out ./certs/OpcUa_Client_key.key 2048
openssl req -new -key ./certs/OpcUa_Client_key.key -out ./certs/OpcUa_Client.csr
openssl x509 -req -in ./certs/OpcUa_Client.csr -CA ./certs/OpcUA_CA.pem -CAkey ./certs/OpcUA_CA_key.key -CAcreateserial -out ./certs/OpcUa_Client.der -outform der -days 3000 -extfile OpcUA_openssl.cfg -extensions v4_req
cp ./certs/OpcUa_Client.der ./certs/OpcUa_Client.cer
cp ./certs/OpcUa_Client_key.key ./certs/OpcUa_Client_key.pem

Here is the client code:

ApplicationIdentity identity = new ApplicationIdentity([path to the cert generated above], [path to the pkey generated above], “mypass”);
identity.getApplicationDescription().setApplicationName(new LocalizedText(OpcUtils.getAppName(), Locale.ENGLISH));
identity.getApplicationDescription().setApplicationUri(“urn:pms-stubbed”);
identity.getApplicationDescription().setProductUri(“urn:pms-stubbed”);
identity.getApplicationDescription().setApplicationType(ApplicationType.Client);

Note: I used ‘urn:pms-stubbed’ as common name to generate my client CSR.

Can you help?

Thanks,

Patrick

September 5, 2017
12:34, EEST

Bjarne Boström

Moderator

Moderators

Forum Posts: 983

Member Since:
April 3, 2012

Offline

Hi,

The Subject Alternative Name part of the certificate must have
URL=(application uri)

And the ApplicationDescription.ApplicationUri must be the same.

Either side might reject the connection unless this is done. It is also the default behaviour of the Java SDK. Howerver if needed, you add a CertificateValidationListener to the PkiFileBasedCertificateValidator to change this, see MyCertificateValidationListener class for the SampleConsoleClient example.

– Bjarne

September 25, 2017
16:46, EEST

patduflot

Member

Members

Forum Posts: 6

Member Since:
May 16, 2017

Offline

I implemented the CertificateValidator interface. I return Status.GOOD always. I gave this implementation to
UaClient.setCertificateValidator(CertificateValidator);
and UaClient.getHttpsSettings().setCertificateValidator(CertificateValidator);

However, this implementation never get called. It looks that the request fails earlier and deeper in the opcfoundation stack:

Caused by: org.opcfoundation.ua.common.ServiceFaultException: ServiceFault: Bad_CertificateUriInvalid (0x80170000) “The URI specified in the ApplicationDescription does not match the URI in the Certificate.”
Diagnostic Info:
at org.opcfoundation.ua.transport.tcp.io.SecureChannelTcp.serviceRequest(Unknown Source)
at org.opcfoundation.ua.transport.tcp.io.SecureChannelTcp.serviceRequest(Unknown Source)
at org.opcfoundation.ua.application.Client.createSession(Unknown Source)

September 25, 2017
17:26, EEST

Bjarne Boström

Moderator

Moderators

Forum Posts: 983

Member Since:
April 3, 2012

Offline

Hi,

That would indicate that the the server side did reject the connection.

– Bjarne

September 25, 2017
19:46, EEST

patduflot

Member

Members

Forum Posts: 6

Member Since:
May 16, 2017

Offline

Hi,

I set the application URI to the Subject Alternate name and now, both client and server are happy.
The problem I have now is to validate the server certificate.
I wanted to allow connection only to servers that present a certificate signed by defined CA.
How can I get the full chain of certificates of the server?
Applicationdentity.getCertificate() contains only the last certifictae of the chain no?
ApplicationIdentity.getCertificate().getCertificate().getIssuerX500Principal() give me more information about the issuer but not really the CA public certificate. Is it enough to check this part?

Thanks,

Patrick

September 26, 2017
10:26, EEST

Heikki Tahvanainen

Moderator

Members

Moderators

Forum Posts: 402

Member Since:
April 17, 2013

Offline

Hi,

You could use the ‘verify’ method in this case, meaning:

certificate.getCertificate().verify(key);

where the ‘key’ would be the public key of the CA certificate.

However, it’s good to note that the default example implementation PkiFileBasedCertificateValidator already handles this validation task. You only need to place the trusted CA certificates in the PKI/CA/certs folder. After this, the client side PkiFileBasedCertificateValidator will check if server application instance certificate is signed by one of these trusted CAs.

Do you have some reason not to use the PkiFileBasedCertificateValidator approach? Of course there are many possible reasons for overriding this basic implementation but they haven’t been explained yet. In an earlier post Bjarne mentioned that you can change the default behaviour with CertificateValidationListener attached to PkiFileBasedCertificateValidator with PkiFileBasedCertificateValidator.setValidationListener method. But he did not mean to say that you should implement all functionality yourself.

Also, just to mention the subject, please see the chapter “5.4 Validating Server Certificates” in the client tutorial if you haven’t done it yet.

September 26, 2017
16:56, EEST

patduflot

Member

Members

Forum Posts: 6

Member Since:
May 16, 2017

Offline

Thank you, everything is setup correclty now! Laugh

All RSS

Forum Timezone: Europe/Helsinki

Most Users Ever Online: 518

Currently Online:
14 Guest(s)

Currently Browsing this Page:
1 Guest(s)