Hello,

The error is reported by the OPC UA client application that you’re using. We are not the makers of the mentioned client application so we cannot know right away why the validation fails. To even give you a hint, we would need to know the exact error code that you receive. As an example, you might receive error stating Bad_CertificateTimeInvalid or Bad_CertificateUntrusted. Mentioning “BadCertificate” does not give us any meaningful information.

Furthermore, what is the Client application that you’re using? Have you made sure it even supports the HTTPS communication? The binary TCP communication is much more widely used than the HTTPS communication. Only few OPC UA client applications actually support HTTPS.

Hi Shwetak,

Allright, thank you for the information. If I understood correctly, we are now talking about the example client application supplied together with OPC Foundation’s .NET stack. These sample applications will indeed support HTTPS communication. The error probably happens because the client application does not trust the CA certificate of Simulation Server.

To answer your original question:
1) You need to obtain the SimulationServerCA.der file from the Prosys OPC UA Simulation Server installation. This file resides in “PKI\CA\private” folder. Simulation Server manual chapter “File locations” explains the exact locations.
2) You need to place this CA certificate into the trust store of the client application. For exact instructions, please see the client application documentation. I’m not an expert on OPC Foundation documentation, but this page seems to explain the concepts: https://opcfoundation.github.io/UA-.NET/help/https_connectivity.htm
3) Now the connection should work.

This manual trusting is necessary because the Prosys OPC UA Simulation Server application instance certificates are not signed by a “real” Certificate Authority, but instead they are self-signed.

To answer your second question “please guide me to establish HTTPS communication between ProSys server and ProSys Client”:

You only need to place the connection url to the client applications’s address bar at the top of the window. On the right hand side of the address bar, there is a button for connecting and disconnecting with the server. With Prosys OPC UA Client and Prosys OPC UA Simulation Server, the https connection will work without trusting any certificates manually.

Hi Shwetak,

Thank you for a good explanation. As you already mentioned yourself, the error message “Could not load private key” happens because the password is wrong. If I understood correctly, you tried to use Prosys OPC UA Simulation Server application instance certificate as the user authentication certificate. The reason why this failed is that the password for the private key is not “opcua”.

At this point it’s good to note that the application instance certificates are not meant to be used as user certificates. The correct way would be to provide some separate user-level certificates which are unique to each user. As an example, you could create X509 certificates with OpenSSL and use them to authenticate.

However, you can technically use the application instance certificate also for the user level authentication. For Prosys OPC UA Client, these are the files “ProsysOpcUaClient.der” and “ProsysOpcUaClient.pem”. Password for the pem file is “opcua”.

The error message “Server rejected selected identification” means that the server does not trust the selected user certificate. In other words, you can find the user certificate at “SimulationServer\USERS_PKI\CA
ejected” folder. Then you need to manually move this certificate to the “SimulationServer\USERS_PKI\CA\certs” folder. After this, the Simulation Server trusts this user certificate and the connection is succesful.