16:28, EEST
July 19, 2021
I’m trying to connect a client to Prosys OPC UA Simulation server using a self signed certificate authority certificate and a certificate signed by this CA certificate for user authentication.
I get an error in the log file – “Bad_IdentityTokenRejected” – “The user identity token is valid but the server has rejected it.”
When going through the logs there is no indication of whether CA or signed certificate is untrusted/invalid. Although I can verify from the windows store that both CA Certificate and the CA-Signed certificate are correctly aligned. Need help in understanding how the certificate chain can be correctly placed in the directories and correctly read by the server.
11:45, EEST
April 3, 2012
Hi,
The application doesn’t use the windows store.
This causes every cert signed by that CA (that is not revoked) to be trusted:
Put the CA certificate to \.prosysopc\prosys-opc-ua-simulation-server\PKI\CA\certs
And put the CRL file of that CA to : \.prosysopc\prosys-opc-ua-simulation-server\PKI\CA\crl
If you instead do not want to trust every cert signed by that CA cert:
Put the CA certificate to \.prosysopc\prosys-opc-ua-simulation-server\PKI\CA\issuers\certs
And put the CRL file of that CA to : \.prosysopc\prosys-opc-ua-simulation-server\PKI\CA\issuers\crl
Put the certificate (that was signed by the CA) to: \.prosysopc\prosys-opc-ua-simulation-server\PKI\CA\certs
At the moment the application doesnt support disabling revocation checks, thus you must have the CRL file of that CA cert. The option to disable revocation checks might be added in a future version of the application.
Also, since you have tried the connection, the certs might be in the rejected folder (next to certs folders). In that case you must remove it from there as well (if it is in both it is considered to be rejected).
0:41, EEST
July 19, 2021
9:10, EEST
April 3, 2012
Only the public key parts are transmitted and what you should copy, i.e. they are not considered as secrets. The private key parts should never leave the machine where the keypair was generated. Though, sometimes the term “cert” could mean both the whole keypair or just the public key part. In my earlier text I meant just the public key part. We mostly use the .der format for public keys and .pem for private keys. Sometimes (outside of our apps) they could also come in the form where they are combined in a single file, if so you should extract the public key part and only copy that.
The only ‘secret’ here is the server’s own private key for it’s ApplicationInstanceCertificate. That could benefit from some security chip storage, such as a Trusted Platform Module, but for the time being we do not support that. Unless you have something like that I would expect windows store to also be effectively somewhere on the disk.
Also our apps are cross-platform and this directory way work for all of them. Most OPC UA Servers that I have personally seen use something similar, but I also see only a part of the world so to say. The ones that are coded with .NET might support windows store, but that is outside of my expertise.
Most Users Ever Online: 1919
Currently Online:
6 Guest(s)
Currently Browsing this Page:
1 Guest(s)
Top Posters:
Heikki Tahvanainen: 402
hbrackel: 144
rocket science: 88
pramanj: 86
Francesco Zambon: 83
Ibrahim: 78
Sabari: 62
kapsl: 57
gjevremovic: 49
Xavier: 43
Member Stats:
Guest Posters: 0
Members: 726
Moderators: 7
Admins: 1
Forum Stats:
Groups: 3
Forums: 15
Topics: 1529
Posts: 6471
Newest Members:
gabriellabachus, Deakin, KTP25Zof, Wojciech Kubala, efrennowell431, wilfredostuart, caitlynfajardo, jeromechubb7, franciscagrimwad, adult_galleryModerators: Jouni Aro: 1026, Pyry: 1, Petri: 0, Bjarne Boström: 1032, Jimmy Ni: 26, Matti Siponen: 349, Lusetti: 0
Administrators: admin: 1