9:04, EET
January 22, 2018
I am using OPC UA Simulation server to test OPC UA client. I am able to access the server using UA tcp, but facing an issue while connecting to server using HTTPS. It gives BadCertificate error with following description :
at Opc.Ua.WcfChannelBase`1.Initialize(ApplicationConfiguration configuration, EndpointDescription description, EndpointConfiguration endpointConfiguration, Binding binding, X509Certificate2 clientCertificate, String configurationName)
at Opc.Ua.SessionChannel.Create(ApplicationConfiguration configuration, EndpointDescription description, EndpointConfiguration endpointConfiguration, X509Certificate2 clientCertificate, ServiceMessageContext messageContext)
at CAS.OPC.UA.Viewer.Controls.SessionTreeCtrl.Connect(ConfiguredEndpoint endpoint)
at CAS.OPC.UA.Viewer.Controls.ClientForm.Connect(ConfiguredEndpoint endpoint)
at CAS.OPC.UA.Viewer.Controls.ClientForm.EndpointSelectorCTRL_ConnectEndpoint(Object sender, ConnectEndpointEventArgs e)
Can you please guide me on how to connect with HTTPS using SSL/TSL certificate. Also share information how to generate CA certificate(dummy certificate for testing) for ProSys simulation server ?
Thanks.
16:56, EET
April 17, 2013
Hello,
The error is reported by the OPC UA client application that you’re using. We are not the makers of the mentioned client application so we cannot know right away why the validation fails. To even give you a hint, we would need to know the exact error code that you receive. As an example, you might receive error stating Bad_CertificateTimeInvalid or Bad_CertificateUntrusted. Mentioning “BadCertificate” does not give us any meaningful information.
Furthermore, what is the Client application that you’re using? Have you made sure it even supports the HTTPS communication? The binary TCP communication is much more widely used than the HTTPS communication. Only few OPC UA client applications actually support HTTPS.
6:45, EET
January 22, 2018
Hi Heikki,
Thanks for reply!
I am using Generic client provided by OPC UA Quick start.
I have also tried to establish HTTPS communication between Prosys simulation server and Prosys Client.
In Prosys client,In user Authentication window, after adding certificate ..\.prosys\SimulationServer\PKI\CA\private\SimulationServer_https.der and key file SimulationServer_https.pem, a pop up appeared for password. In Prosys server there is no field provided to set password for HTTPS certificate. So I tried ‘opcua’ as a password, then error “Could not load private key: Given final block not properly padded” is displayed.
So, Can you please share the steps for generating password for certificate used in HTTPS communication?
or, please guide me to establish HTTPS communication between ProSys server and ProSys Client?
13:07, EET
April 17, 2013
Hi Shwetak,
Allright, thank you for the information. If I understood correctly, we are now talking about the example client application supplied together with OPC Foundation’s .NET stack. These sample applications will indeed support HTTPS communication. The error probably happens because the client application does not trust the CA certificate of Simulation Server.
To answer your original question:
1) You need to obtain the SimulationServerCA.der file from the Prosys OPC UA Simulation Server installation. This file resides in “PKI\CA\private” folder. Simulation Server manual chapter “File locations” explains the exact locations.
2) You need to place this CA certificate into the trust store of the client application. For exact instructions, please see the client application documentation. I’m not an expert on OPC Foundation documentation, but this page seems to explain the concepts: https://opcfoundation.github.io/UA-.NET/help/https_connectivity.htm
3) Now the connection should work.
This manual trusting is necessary because the Prosys OPC UA Simulation Server application instance certificates are not signed by a “real” Certificate Authority, but instead they are self-signed.
To answer your second question “please guide me to establish HTTPS communication between ProSys server and ProSys Client”:
You only need to place the connection url to the client applications’s address bar at the top of the window. On the right hand side of the address bar, there is a button for connecting and disconnecting with the server. With Prosys OPC UA Client and Prosys OPC UA Simulation Server, the https connection will work without trusting any certificates manually.
13:43, EET
January 22, 2018
Hi Heikki
Right now I am tiring to establish HTTPS connection between Prosys Server and Prosys client with User authentication mode set to “Certificate”.
I have configured Prosys server and Client with User authentication mode “Anonymous”, I am able to establish HTTPS connection between Prosys Server and Prosys client .
I have also tried with setting User authentication mode to “Username & password” for both Prosys server and client, I am able to establish HTTPS connection between Prosys Server and Prosys client .
Now, when I tried with setting User authentication mode to “Certificate and private key” for both Prosys server and client, I am facing an issue while establishing connection.
When I am adding certificate and private key from folder PKI\CA\private to User authentication window present in Prosys client, a pop up window appeared for password to access private key file. I am not aware of “which” password. So I entered “opcua”, then private key field set to “Could not load private key: Given final block not properly padded”. If I ignored the password and tried to connecting the server, It gives User identification error window with message: “Server rejected selected identification ( wrong username or password, certificate or private key ” on Prosys Client (I am not able to add snapshot here).
So can you please guide me how to connect HTTPS mode when User authentication mode to “Certificate and private key”, also provide information of password for private key file. Is it possible to you to share your email id so I can share the error snapshot with you.
17:33, EET
April 17, 2013
Hi Shwetak,
Thank you for a good explanation. As you already mentioned yourself, the error message “Could not load private key” happens because the password is wrong. If I understood correctly, you tried to use Prosys OPC UA Simulation Server application instance certificate as the user authentication certificate. The reason why this failed is that the password for the private key is not “opcua”.
At this point it’s good to note that the application instance certificates are not meant to be used as user certificates. The correct way would be to provide some separate user-level certificates which are unique to each user. As an example, you could create X509 certificates with OpenSSL and use them to authenticate.
However, you can technically use the application instance certificate also for the user level authentication. For Prosys OPC UA Client, these are the files “ProsysOpcUaClient.der” and “ProsysOpcUaClient.pem”. Password for the pem file is “opcua”.
The error message “Server rejected selected identification” means that the server does not trust the selected user certificate. In other words, you can find the user certificate at “SimulationServer\USERS_PKI\CA
ejected” folder. Then you need to manually move this certificate to the “SimulationServer\USERS_PKI\CA\certs” folder. After this, the Simulation Server trusts this user certificate and the connection is succesful.
10:40, EET
January 22, 2018
Thanks Heikki,
Finally…I am able to establish HTTPS connection between Prosys server and client, with User authentication mode to “Certificate and private key”.
I have been using the certificate from wrong folder i.e. server’s own certificate present in Private folder instead of client certificate present in cert folder!!!!
Most Users Ever Online: 1919
Currently Online:
18 Guest(s)
Currently Browsing this Page:
1 Guest(s)
Top Posters:
Heikki Tahvanainen: 402
hbrackel: 144
rocket science: 88
pramanj: 86
Francesco Zambon: 83
Ibrahim: 78
Sabari: 62
kapsl: 57
gjevremovic: 49
Xavier: 43
Member Stats:
Guest Posters: 0
Members: 728
Moderators: 7
Admins: 1
Forum Stats:
Groups: 3
Forums: 15
Topics: 1529
Posts: 6471
Newest Members:
ellis87832073466, zkxwilliemae, gabriellabachus, Deakin, KTP25Zof, Wojciech Kubala, efrennowell431, wilfredostuart, caitlynfajardo, jeromechubb7Moderators: Jouni Aro: 1026, Pyry: 1, Petri: 0, Bjarne Boström: 1032, Jimmy Ni: 26, Matti Siponen: 349, Lusetti: 0
Administrators: admin: 1