Avatar

Please consider registering
guest

sp_LogInOut Log In sp_Registration Register

Register | Lost password?
Advanced Search

— Forum Scope —




— Match —





— Forum Options —





Minimum search word length is 3 characters - maximum search word length is 84 characters

sp_Feed Topic RSS sp_TopicIcon
Setting up CA signed certificate for OPC UA Simulation server
July 19, 2021
16:28, EEST
Avatar
rohanbhosale
New Member
Members
Forum Posts: 2
Member Since:
July 19, 2021
sp_UserOfflineSmall Offline

I’m trying to connect a client to Prosys OPC UA Simulation server using a self signed certificate authority certificate and a certificate signed by this CA certificate for user authentication.
I get an error in the log file – “Bad_IdentityTokenRejected” – “The user identity token is valid but the server has rejected it.”
When going through the logs there is no indication of whether CA or signed certificate is untrusted/invalid. Although I can verify from the windows store that both CA Certificate and the CA-Signed certificate are correctly aligned. Need help in understanding how the certificate chain can be correctly placed in the directories and correctly read by the server.

July 20, 2021
11:45, EEST
Avatar
Bjarne Boström
Moderator
Moderators
Forum Posts: 1032
Member Since:
April 3, 2012
sp_UserOfflineSmall Offline

Hi,

The application doesn’t use the windows store.

This causes every cert signed by that CA (that is not revoked) to be trusted:
Put the CA certificate to \.prosysopc\prosys-opc-ua-simulation-server\PKI\CA\certs
And put the CRL file of that CA to : \.prosysopc\prosys-opc-ua-simulation-server\PKI\CA\crl

If you instead do not want to trust every cert signed by that CA cert:
Put the CA certificate to \.prosysopc\prosys-opc-ua-simulation-server\PKI\CA\issuers\certs
And put the CRL file of that CA to : \.prosysopc\prosys-opc-ua-simulation-server\PKI\CA\issuers\crl
Put the certificate (that was signed by the CA) to: \.prosysopc\prosys-opc-ua-simulation-server\PKI\CA\certs

At the moment the application doesnt support disabling revocation checks, thus you must have the CRL file of that CA cert. The option to disable revocation checks might be added in a future version of the application.

Also, since you have tried the connection, the certs might be in the rejected folder (next to certs folders). In that case you must remove it from there as well (if it is in both it is considered to be rejected).

July 22, 2021
0:41, EEST
Avatar
rohanbhosale
New Member
Members
Forum Posts: 2
Member Since:
July 19, 2021
sp_UserOfflineSmall Offline

thanks that helped. However I will also want to know if physical pki directory is a norm among UA server setups. i.e. sharing certificates in physical files on disk can be an insecure way as compared to registering them in Windows store. Why is windows store not considered an option here?

July 22, 2021
9:10, EEST
Avatar
Bjarne Boström
Moderator
Moderators
Forum Posts: 1032
Member Since:
April 3, 2012
sp_UserOfflineSmall Offline

Only the public key parts are transmitted and what you should copy, i.e. they are not considered as secrets. The private key parts should never leave the machine where the keypair was generated. Though, sometimes the term “cert” could mean both the whole keypair or just the public key part. In my earlier text I meant just the public key part. We mostly use the .der format for public keys and .pem for private keys. Sometimes (outside of our apps) they could also come in the form where they are combined in a single file, if so you should extract the public key part and only copy that.

The only ‘secret’ here is the server’s own private key for it’s ApplicationInstanceCertificate. That could benefit from some security chip storage, such as a Trusted Platform Module, but for the time being we do not support that. Unless you have something like that I would expect windows store to also be effectively somewhere on the disk.

Also our apps are cross-platform and this directory way work for all of them. Most OPC UA Servers that I have personally seen use something similar, but I also see only a part of the world so to say. The ones that are coded with .NET might support windows store, but that is outside of my expertise.

Forum Timezone: Europe/Helsinki

Most Users Ever Online: 1919

Currently Online:
6 Guest(s)

Currently Browsing this Page:
1 Guest(s)

Top Posters:

Heikki Tahvanainen: 402

hbrackel: 144

rocket science: 88

pramanj: 86

Francesco Zambon: 83

Ibrahim: 78

Sabari: 62

kapsl: 57

gjevremovic: 49

Xavier: 43

Member Stats:

Guest Posters: 0

Members: 726

Moderators: 7

Admins: 1

Forum Stats:

Groups: 3

Forums: 15

Topics: 1529

Posts: 6471

Newest Members:

gabriellabachus, Deakin, KTP25Zof, Wojciech Kubala, efrennowell431, wilfredostuart, caitlynfajardo, jeromechubb7, franciscagrimwad, adult_gallery

Moderators: Jouni Aro: 1026, Pyry: 1, Petri: 0, Bjarne Boström: 1032, Jimmy Ni: 26, Matti Siponen: 349, Lusetti: 0

Administrators: admin: 1