14:08, EET
November 6, 2024
Hello, everyone.
Been developing an OPC UA Client to integrate with the Coreflux MQTT broker and I’m currently stuck when trying to access with a UserIdentityCertificate.
Authenticating with Anonymous or UserPass + SecurityPolicy and SecurityMessageMode works fine. So using the Application certificates is working fine.
I generated this .pfx certificate:
client_cert.pem, client_cert.pfx, client_csr.pem, client_private_key.pem
and I’m placing the client_cert.pem in .prosysopc/prosys-opc-ua-simulation-server/USERS_PKI/CA/certs
with this code:
if (this.Properties.AuthMode == AuthModeType.Certificate)
{
    // Only a .pfx (PKCS#12) bundle is accepted, because it carries the private key
    if (!Path.GetExtension(this.Properties.UserCertificatePath).Equals(".pfx", StringComparison.OrdinalIgnoreCase))
        throw new ArgumentException("Only .pfx certificate files are supported.");

    //X509Certificate2 userCertificate = new X509Certificate2(this.Properties.UserCertificatePath, this.Properties.CertificatePassword);

    // Load the .pfx with its password; persist the key in the machine store so it
    // survives beyond this X509Certificate2 instance
    X509Certificate2 userCertificate = new X509Certificate2(
        this.Properties.UserCertificatePath,
        this.Properties.CertificatePassword,
        X509KeyStorageFlags.MachineKeySet | X509KeyStorageFlags.PersistKeySet
    );

    // Wrap the certificate as an OPC UA user identity token
    userIdentity = new UserIdentity(userCertificate);

    Console.WriteLine($"—————————– {userCertificate.HasPrivateKey}");
    Console.WriteLine($">>>>>>>>>>>>>>> Using certificate: {userCertificate.Thumbprint}");
    Console.WriteLine($"User Identity Type: {userIdentity.TokenType}");
}
I’m always getting this, so I believe everything is working fine in the code above:
—————————– True
>>>>>>>>>>>>>>> Using certificate: 185EC24E95206B9E3524ACC07A37CBED83339409
User Identity Type: Certificate
but then in the last part, when I try to establish the session with the OPC UA server: this.Session = await Session.Create(config, configuredEndpoint, false, "OpcUaClientSession", this.Properties.Timeout, userIdentity, null);
I get this error message: BadIdentityTokenRejected
I think the code is fine; maybe I’m just passing the wrong file to the USERS_PKI/CA/certs. Let me know your thoughts regarding my problem, please.
Many thanks in advance.
14:54, EET
Moderators
February 11, 2020
Hello,
The user certificate you put to USERS_PKI/CA/certs folder needs to be in DER-format. Your certificate is in PEM-format (at least its filename would suggest that), so Simulation Server is unable to open it.
You can find advice on how to convert PEM to DER here: https://www.ssl.com/guide/pem-der-crt-and-cer-x-509-encodings-and-conversions/
17:34, EET
November 6, 2024
First of all, thanks Matti for your quick response.
I transformed my .pem file to .der and added it to the USERS_PKI/CA/certs but the problem is still here… BadIdentityTokenRejected.
Another thing is that when I used the SecurityPolicy and MessageSecurityMode, my client’s certificate appeared in the Certificates tab, but this UserIdentityCertificate doesn’t appear.
I’m creating my certificate as self-signed. Is that OK, or should it be authenticated by a CA?
Should I only place the .der certificate in USERS_PKI/CA/certs, or should I add a certificate to the client stores?
Can you recommend a website that has all the correct steps to create the certificate needed for the server to accept it?
Once again, thanks in advance
9:16, EET
Moderators
February 11, 2020
Hello,
The Certificates tab contains only Application Instance Certificates. User Certificates are not shown in the tab.
Make sure a copy of the User Certificate is not in the “.prosysopc\prosys-opc-ua-simulation-server\USERS_PKI\CA\rejected” folder. If the certificate is in both folders, it will be treated as rejected. Only the DER-version of the certificate needs to be placed in the certs folder, other files are ignored. And you do not need to place the certificate anywhere else.
User Certificates can be self-signed. In general, our certificate validation process is similar for both Application Instance Certificates and User Certificates. A valid Application Instance Certificate is defined in the OPC UA specification: https://reference.opcfoundation.org/Core/Part6/v105/docs/6.2.2
If you can create a certificate that satisfies these conditions and place it in the correct folder, you should be able to use it to activate a Session.
13:53, EET
November 6, 2024
Hello Matti, I’ve found out the problem 😅
Basically the problem was in the way that I was creating the user identity certificate. It was missing a “Digital Signature” and “Client Authentication.”
It seems like the certificate needs to have the right usage and extensions.
Fixed this by creating an openssl.cnf.
I have found this stackoverflow question that was helpful to create the necessary certificate. https://stackoverflow.com/questions/64287152/how-to-connect-to-an-opc-ua-server-which-requires-certificate-based-user-authent
Once again thank you for your time and keep up the good work!
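As an added example (not code from this thread, from Prosys, or from the linked Stack Overflow answer), the script below generates a self-signed user certificate with the Digital Signature key usage and Client Authentication extended key usage that the fix above identifies as missing, converts it to the DER file the Simulation Server expects in USERS_PKI/CA/certs, and checks a DER file for those two extensions so a rejected token can be diagnosed before copying it in. The subject name is a placeholder and the extra key usages come from the OPC UA Part 6 application-certificate list; a second certificate built without the extensions shows what the check reports for a bad one.

```shell
set -e

WORK="$(mktemp -d)"
CFG="$WORK/openssl.cnf"

# Constructed openssl.cnf: CN is a placeholder; [user_cert] carries the usages
# the thread's fix needed, [plain] deliberately omits them for comparison.
cat > "$CFG" <<'EOF'
[ req ]
distinguished_name = dn
x509_extensions = user_cert
prompt = no

[ dn ]
CN = OpcUaClientUser

[ user_cert ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
extendedKeyUsage = clientAuth
subjectKeyIdentifier = hash

[ plain ]
basicConstraints = CA:FALSE
EOF

# $1 = output base path, $2 = extension section to apply.
# Produces <base>_key.pem, <base>.pem and the DER copy for USERS_PKI/CA/certs.
make_user_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 -config "$CFG" -extensions "$2" \
    -keyout "$1_key.pem" -out "$1.pem" 2>/dev/null
  openssl x509 -in "$1.pem" -outform DER -out "$1.der"
}

# Prints "ok" when the DER certificate carries Digital Signature and TLS Web
# Client Authentication; otherwise lists the missing extensions.
check_user_cert() {
  text="$(openssl x509 -in "$1" -inform DER -noout -text)"
  missing=""
  echo "$text" | grep -q "Digital Signature" || missing="$missing digitalSignature"
  echo "$text" | grep -q "TLS Web Client Authentication" || missing="$missing clientAuth"
  if [ -z "$missing" ]; then echo ok; else echo "missing:$missing"; fi
}

make_user_cert "$WORK/good" user_cert
make_user_cert "$WORK/bad" plain
check_user_cert "$WORK/good.der"
check_user_cert "$WORK/bad.der"
```

Copy only the good .der into USERS_PKI/CA/certs and keep it out of USERS_PKI/CA/rejected, as the moderator notes above.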