14:08, EET
November 6, 2024
Hello, everyone.
Been developing an OPC UA Client to integrate with the Coreflux MQTT broker and I’m currently stuck when trying to access with a UserIdentityCertificate.
Authenticating with Anonymous or UserPass + SecurityPolicy and SecurityMessageMode works fine. So using the Application certificates is working fine.
I generated this .pfx certificate:
client_cert.pem client_cert.pfx client_csr.pem client_private_key.pem
and I’m passing to the .prosysopc/prosys-opc-ua-simulation-server/USERS_PKI/CA/certs the client_cert.pem
with this code:
    if (this.Properties.AuthMode == AuthModeType.Certificate)
    {
        // Load .pfx file with password
        if (!Path.GetExtension(this.Properties.UserCertificatePath).Equals(".pfx", StringComparison.OrdinalIgnoreCase))
            throw new ArgumentException("Only .pfx certificate files are supported.");
        //X509Certificate2 userCertificate = new X509Certificate2(this.Properties.UserCertificatePath, this.Properties.CertificatePassword);
        // MachineKeySet | PersistKeySet: the private key is imported into the
        // machine key store and stays there after the certificate object is disposed.
        X509Certificate2 userCertificate = new X509Certificate2(
            this.Properties.UserCertificatePath,
            this.Properties.CertificatePassword,
            X509KeyStorageFlags.MachineKeySet | X509KeyStorageFlags.PersistKeySet
        );
        // Wrap the certificate (with its private key) as the session's X.509 user identity token
        userIdentity = new UserIdentity(userCertificate);
        Console.WriteLine($"—————————– {userCertificate.HasPrivateKey}");
        Console.WriteLine($">>>>>>>>>>>>>>> Using certificate: {userCertificate.Thumbprint}");
        Console.WriteLine($"User Identity Type: {userIdentity.TokenType}");
    }
I’m always getting this, so I believe everything is working fine in the code above:
—————————– True
>>>>>>>>>>>>>>> Using certificate: 185EC24E95206B9E3524ACC07A37CBED83339409
User Identity Type: Certificate
but then in the last part, when I try to establish the session with the OPC UA server:
    this.Session = await Session.Create(config, configuredEndpoint, false, "OpcUaClientSession", this.Properties.Timeout, userIdentity, null);
I get this error message: BadIdentityTokenRejected
I think the code is fine maybe I’m just passing the wrong file to the USERS_PKI/CA/certs. Let me know what your thoughts regarding my problem please.
Many thanks in advance.
14:54, EET
Moderators
February 11, 2020
Hello,
The user certificate you put to USERS_PKI/CA/certs folder needs to be in DER-format. Your certificate is in PEM-format (at least its filename would suggest that), so Simulation Server is unable to open it.
You can find advice on how to convert PEM to DER here: https://www.ssl.com/guide/pem-der-crt-and-cer-x-509-encodings-and-conversions/
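Added example (not part of the posts above, and not Prosys or OPC Foundation code): a Python check that reports whether a certificate file's bytes are PEM or DER, extracts the DER, and computes the SHA-1 thumbprint in the same upper-case hex form that the client's `userCertificate.Thumbprint` line prints, so the file placed in USERS_PKI/CA/certs can be compared with the certificate the client presents. The function names and the sample bytes are constructed for illustration; the sample is filler inside a well-formed outer SEQUENCE, not a real certificate.

```python
import base64
import binascii
import hashlib
import re

PEM_RE = re.compile(
    rb"-----BEGIN CERTIFICATE-----\s*(.+?)\s*-----END CERTIFICATE-----", re.S)

def der_sequence_ok(data: bytes) -> bool:
    """True if data is exactly one DER SEQUENCE (the outer shape of an X.509 cert)."""
    if len(data) < 2 or data[0] != 0x30:
        return False
    first = data[1]
    if first < 0x80:                      # short-form length
        header, length = 2, first
    else:                                 # long form: next n bytes hold the length
        n = first & 0x7F
        if n == 0 or n > 4 or len(data) < 2 + n:
            return False
        header, length = 2 + n, int.from_bytes(data[2:2 + n], "big")
    return header + length == len(data)

def inspect_cert_file(data: bytes):
    """Return (encoding, der_bytes, thumbprint) for the bytes of a certificate file."""
    m = PEM_RE.search(data)
    if m:
        try:
            der = base64.b64decode(b"".join(m.group(1).split()), validate=True)
        except binascii.Error as exc:
            raise ValueError("PEM armor found but the base64 body is invalid") from exc
        encoding = "PEM"
    else:
        der, encoding = data, "DER"
    if not der_sequence_ok(der):
        raise ValueError("not a single DER-encoded SEQUENCE")
    # .NET's X509Certificate2.Thumbprint is the SHA-1 of the DER bytes, upper-case hex.
    return encoding, der, hashlib.sha1(der).hexdigest().upper()

# Constructed sample: well-formed outer SEQUENCE with filler content, not a real certificate.
SAMPLE_DER = b"\x30\x82\x01\x00" + bytes(range(256))
SAMPLE_PEM = (b"-----BEGIN CERTIFICATE-----\n"
              + base64.encodebytes(SAMPLE_DER)
              + b"-----END CERTIFICATE-----\n")

if __name__ == "__main__":
    for name, blob in (("client_cert.pem", SAMPLE_PEM), ("client_cert.der", SAMPLE_DER)):
        enc, der, thumb = inspect_cert_file(blob)
        print(f"{name}: {enc}, {len(der)} DER bytes, thumbprint {thumb}")
```

To check a real file, pass `open(path, "rb").read()` to `inspect_cert_file` and compare the returned thumbprint with the one the client logs.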
17:34, EET
November 6, 2024
First of all, thanks Matti for your quick response.
I transformed my .pem file to .der and added it to the USERS_PKI/CA/certs but the problem is still here… BadIdentityTokenRejected.
Other thing is that when I used the SecurityPolicy and MessageSecurityMode my client’s certificate appeared in the Certificates tab, but this UserIdentityCertificate doesn’t appear.
I’m creating my certificate as self-signed. Is it ok or should be authenticated by a CA?
Should I only place the .der certificate in USERS_PKI/CA/certs, or should I add a certificate to the client stores?
Do you recommend me a website that has all the correct steps to create the certificate needed for the server to accept it?
Once again, thanks in advance