Cant authenticate when trying to login with UserIdentityCertificate
November 6, 2024
14:08, EET
RafaelS
Member
Members
Forum Posts: 3
Member Since:
November 6, 2024

Hello, everyone.
I've been developing an OPC UA Client to integrate with the Coreflux MQTT broker, and I'm currently stuck when trying to access with a UserIdentityCertificate.

Authenticating with Anonymous or UserPass + SecurityPolicy and SecurityMessageMode works fine. So using the Application certificates is working fine.

I generated this .pfx certificate:
client_cert.pem client_cert.pfx client_csr.pem client_private_key.pem

and I’m passing to the .prosysopc/prosys-opc-ua-simulation-server/USERS_PKI/CA/certs the client_cert.pem

with this code:
if (this.Properties.AuthMode == AuthModeType.Certificate)
{
    // Load .pfx file with password
    if (!Path.GetExtension(this.Properties.UserCertificatePath).Equals(".pfx", StringComparison.OrdinalIgnoreCase))
        throw new ArgumentException("Only .pfx certificate files are supported.");

    //X509Certificate2 userCertificate = new X509Certificate2(this.Properties.UserCertificatePath, this.Properties.CertificatePassword);
    // Keep the private key available so the stack can sign the user identity token.
    X509Certificate2 userCertificate = new X509Certificate2(
        this.Properties.UserCertificatePath,
        this.Properties.CertificatePassword,
        X509KeyStorageFlags.MachineKeySet | X509KeyStorageFlags.PersistKeySet
    );
    userIdentity = new UserIdentity(userCertificate);
    Console.WriteLine($"—————————– {userCertificate.HasPrivateKey}");
    Console.WriteLine($">>>>>>>>>>>>>>> Using certificate: {userCertificate.Thumbprint}");
    Console.WriteLine($"User Identity Type: {userIdentity.TokenType}");
}

I'm always getting this, so I believe everything is working fine in the code above:

—————————– True
>>>>>>>>>>>>>>> Using certificate: 185EC24E95206B9E3524ACC07A37CBED83339409
User Identity Type: Certificate

But then in the last part, when I try to establish the session with the OPC UA server: this.Session = await Session.Create(config, configuredEndpoint, false, "OpcUaClientSession", this.Properties.Timeout, userIdentity, null);
I get this error message: BadIdentityTokenRejected

I think the code is fine; maybe I'm just passing the wrong file to the USERS_PKI/CA/certs. Let me know your thoughts regarding my problem, please.
Many thanks in advance.

November 6, 2024
14:54, EET
Matti Siponen
Moderator
Members

Moderators
Forum Posts: 346
Member Since:
February 11, 2020

Hello,

The user certificate you put to USERS_PKI/CA/certs folder needs to be in DER-format. Your certificate is in PEM-format (at least its filename would suggest that), so Simulation Server is unable to open it.

You can find advice on how to convert PEM to DER here: https://www.ssl.com/guide/pem-der-crt-and-cer-x-509-encodings-and-conversions/

November 6, 2024
17:34, EET
RafaelS
Member
Members
Forum Posts: 3
Member Since:
November 6, 2024

First of all, thanks Matti for your quick response.

I transformed my .pem file to .der and added it to the USERS_PKI/CA/certs, but the problem is still here… BadIdentityTokenRejected.

Another thing: when I used the SecurityPolicy and MessageSecurityMode, my client's certificate appeared in the Certificates tab, but this UserIdentityCertificate doesn't appear.

I'm creating my certificate as self-signed. Is that OK, or should it be authenticated by a CA?

Should I only place the .der certificate in USERS_PKI/CA/certs, or should I add a certificate to the client stores?

Can you recommend a website that has all the correct steps to create the certificate needed for the server to accept it?

Once again, thanks in advance.

November 7, 2024
9:16, EET
Matti Siponen
Moderator
Members

Moderators
Forum Posts: 346
Member Since:
February 11, 2020

Hello,

The Certificates tab contains only Application Instance Certificates. User Certificates are not shown in the tab.

Make sure a copy of the User Certificate is not in the ".prosysopc\prosys-opc-ua-simulation-server\USERS_PKI\CA\rejected" folder. If the certificate is in both folders, it will be treated as rejected. Only the DER-version of the certificate needs to be placed in the certs folder; other files are ignored. And you do not need to place the certificate anywhere else.

User Certificates can be self-signed. In general, our certificate validation process is similar for both Application Instance Certificates and User Certificates. A valid Application Instance Certificate is defined in the OPC UA specification: https://reference.opcfoundation.org/Core/Part6/v105/docs/6.2.2

If you can create a certificate that satisfies these conditions and place it in the correct folder, you should be able to use it to activate a Session.

November 7, 2024
13:53, EET
RafaelS
Member
Members
Forum Posts: 3
Member Since:
November 6, 2024

Hello Matti, I've found out the problem 😅

Basically, the problem was in the way that I was creating the user identity certificate. It was missing "Digital Signature" and "Client Authentication".
It seems like the certificate needs to have the right key usage and extensions.

Fixed this by creating an openssl.cnf.

I found this Stack Overflow question, which was helpful for creating the necessary certificate: https://stackoverflow.com/questions/64287152/how-to-connect-to-an-opc-ua-server-which-requires-certificate-based-user-authent

Once again thank you for your time and keep up the good work!
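The script below is an added example, not code from the thread, from Prosys, or from the Stack Overflow answer linked above. It puts the thread's resolution into one reproducible procedure: an openssl.cnf that gives a self-signed user certificate the Key Usage (digitalSignature) and Extended Key Usage (clientAuth) the poster found missing, the PEM-to-DER conversion the moderator asked for, a .pfx bundle for the client code in the first post, and a check that reports which of the two extensions a DER file lacks before it is dropped into USERS_PKI/CA/certs. The subject name, the subjectAltName URI and the .pfx password are made-up placeholders; the SAN URI goes slightly beyond the thread and follows the Application Instance Certificate rules in OPC UA Part 6 that the moderator says user certificates are validated against.

```shell
#!/bin/sh
# Added example (not from the thread): build a self-signed OPC UA *user*
# certificate with the extensions whose absence caused BadIdentityTokenRejected,
# export it as DER (for the server's USERS_PKI/CA/certs folder) and as .pfx
# (for the client's X509Certificate2 loader), then verify the DER file.
# Subject, SAN URI and password are placeholders for illustration only.

# $1 = output directory, $2 = common name, $3 = .pfx password
make_user_cert() {
  out=${1:-./opcua-user-cert}
  cn=${2:-opcua-user}
  pfxpass=${3:-changeit}
  mkdir -p "$out"

  # OpenSSL config: prompt-free subject plus the X.509v3 extensions a user
  # certificate needs; keyUsage/extendedKeyUsage are the two from the thread.
  cat > "$out/user_cert.cnf" <<EOF
[ req ]
default_bits       = 2048
prompt             = no
distinguished_name = dn
x509_extensions    = user_cert

[ dn ]
CN = $cn
O  = Example Org

[ user_cert ]
basicConstraints     = CA:FALSE
subjectKeyIdentifier = hash
keyUsage             = critical, digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
extendedKeyUsage     = clientAuth
subjectAltName       = URI:urn:example:opcua:user:$cn
EOF

  # Self-signed certificate and private key, both PEM.
  openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 365 \
    -config "$out/user_cert.cnf" -extensions user_cert \
    -keyout "$out/user_private_key.pem" -out "$out/user_cert.pem" 2>/dev/null || return 1

  # DER copy: the only form the Simulation Server reads from USERS_PKI/CA/certs.
  openssl x509 -in "$out/user_cert.pem" -outform DER -out "$out/user_cert.der" || return 1

  # PKCS#12 bundle (certificate + private key) for the client side.
  openssl pkcs12 -export -inkey "$out/user_private_key.pem" -in "$out/user_cert.pem" \
    -out "$out/user_cert.pfx" -passout "pass:$pfxpass" || return 1
  echo "$out"
}

# Inspect a DER certificate for the two extensions from the thread.
# Prints "ok", or the first missing item, and returns non-zero on failure.
check_user_cert() {
  txt=$(openssl x509 -in "$1" -inform DER -noout -text) || { echo "unreadable"; return 1; }
  printf '%s\n' "$txt" | grep -q 'Digital Signature' || { echo "missing digitalSignature"; return 1; }
  printf '%s\n' "$txt" | grep -q 'TLS Web Client Authentication' || { echo "missing clientAuth"; return 1; }
  echo ok
}

# Stand-alone run: generate into ./opcua-user-cert (or $1) and verify the DER file.
dir=$(make_user_cert "${1:-./opcua-user-cert}") && check_user_cert "$dir/user_cert.der"
```

Copy user_cert.der into USERS_PKI/CA/certs (and nowhere else, per the moderator's note about the rejected folder) and point the client's UserCertificatePath at user_cert.pfx. Running check_user_cert against a certificate made without the [user_cert] section reproduces the failing case: it reports "missing digitalSignature" instead of "ok".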
