Setting up CA signed certificate for OPC UA Simulation server
rohanbhosale (New Member), July 19, 2021 16:28 EEST:

I’m trying to connect a client to the Prosys OPC UA Simulation Server using a self-signed certificate authority certificate and a certificate signed by this CA certificate for user authentication.
I get an error in the log file – “Bad_IdentityTokenRejected” – “The user identity token is valid but the server has rejected it.”
When going through the logs there is no indication of whether the CA or the signed certificate is untrusted/invalid, although I can verify from the Windows store that both the CA certificate and the CA-signed certificate are correctly aligned. I need help understanding how the certificate chain can be correctly placed in the directories and correctly read by the server.

Bjarne Boström (Moderator), July 20, 2021 11:45 EEST:

Hi,

The application doesn’t use the Windows store.

This causes every cert signed by that CA (that is not revoked) to be trusted:
Put the CA certificate to \.prosysopc\prosys-opc-ua-simulation-server\PKI\CA\certs
And put the CRL file of that CA to: \.prosysopc\prosys-opc-ua-simulation-server\PKI\CA\crl

If you instead do not want to trust every cert signed by that CA cert:
Put the CA certificate to \.prosysopc\prosys-opc-ua-simulation-server\PKI\CA\issuers\certs
And put the CRL file of that CA to: \.prosysopc\prosys-opc-ua-simulation-server\PKI\CA\issuers\crl
Put the certificate (that was signed by the CA) to: \.prosysopc\prosys-opc-ua-simulation-server\PKI\CA\certs

At the moment the application doesn’t support disabling revocation checks, thus you must have the CRL file of that CA cert. The option to disable revocation checks might be added in a future version of the application.

Also, since you have tried the connection, the certs might be in the rejected folder (next to certs folders). In that case you must remove it from there as well (if it is in both it is considered to be rejected).

rohanbhosale (New Member), July 22, 2021 0:41 EEST:

Thanks, that helped. However, I will also want to know if a physical PKI directory is the norm among UA server setups, i.e. sharing certificates in physical files on disk can be an insecure way compared to registering them in the Windows store. Why is the Windows store not considered an option here?

Bjarne Boström (Moderator), July 22, 2021 9:10 EEST:

Only the public key parts are transmitted and what you should copy, i.e. they are not considered as secrets. The private key parts should never leave the machine where the keypair was generated. Though, sometimes the term “cert” could mean both the whole keypair or just the public key part. In my earlier text I meant just the public key part. We mostly use the .der format for public keys and .pem for private keys. Sometimes (outside of our apps) they could also come in the form where they are combined in a single file, if so you should extract the public key part and only copy that.

The only ‘secret’ here is the server’s own private key for its ApplicationInstanceCertificate. That could benefit from some security chip storage, such as a Trusted Platform Module, but for the time being we do not support that. Unless you have something like that I would expect the Windows store to also be effectively somewhere on the disk.

Also our apps are cross-platform and this directory way works for all of them. Most OPC UA Servers that I have personally seen use something similar, but I also see only a part of the world so to say. The ones that are coded with .NET might support the Windows store, but that is outside of my expertise.
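An added example, not from the thread or from Prosys: a POSIX shell script that uses openssl to build a demo CA, a CA-signed user certificate and the CA's CRL, extracts only the certificate part from a combined key+cert file (as the reply above advises), converts it to DER and copies the files into the two directory layouts the moderator describes. PKI_ROOT, the subject names and the file names are constructed; PKI_ROOT defaults to a scratch directory, so point it at the real PKI\CA directory to install for real, and the .der/.crl extensions are assumed.

```shell
#!/bin/sh
# Added example (not from the thread or Prosys): demo CA, CA-signed user cert and CRL
# laid out as the replies describe. Names, PKI_ROOT and .der/.crl extensions are assumed.
set -eu
WORK="$(mktemp -d)"
PKI_ROOT="${PKI_ROOT:-$WORK/PKI/CA}"  # real: ~/.prosysopc/prosys-opc-ua-simulation-server/PKI/CA

# Self-signed CA, a user cert signed by it, and an empty CRL (nothing revoked yet).
make_demo_pki() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=Demo Root CA" \
      -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj "/CN=demo-user" \
      -keyout "$WORK/user.key" -out "$WORK/user.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/user.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
      -CAcreateserial -days 365 -out "$WORK/user.pem" 2>/dev/null
  : > "$WORK/index.txt"   # issued-cert database that 'openssl ca' requires
  printf '[ca]\ndefault_ca=demo\n[demo]\ndatabase=%s/index.txt\n' "$WORK" > "$WORK/ca.cnf"
  openssl ca -config "$WORK/ca.cnf" -gencrl -keyfile "$WORK/ca.key" -cert "$WORK/ca.pem" \
      -md sha256 -crldays 30 -out "$WORK/ca.crl.pem" 2>/dev/null
  # Some tools export key and cert in one file; only the cert part may ever be copied.
  cat "$WORK/user.key" "$WORK/user.pem" > "$WORK/user_combined.pem"
}

# Write only the certificate (public part) from a PEM file as DER; the key stays behind.
pub_der() { openssl x509 -in "$1" -outform DER -out "$2"; }

# Layout A: every non-revoked cert signed by the CA is trusted.
install_trust_whole_ca() {
  mkdir -p "$PKI_ROOT/certs" "$PKI_ROOT/crl"
  pub_der "$WORK/ca.pem" "$PKI_ROOT/certs/DemoRootCA.der"
  openssl crl -in "$WORK/ca.crl.pem" -outform DER -out "$PKI_ROOT/crl/DemoRootCA.crl"
}

# Layout B: the CA is only an issuer; each user cert must be trusted explicitly.
install_trust_single_cert() {
  mkdir -p "$PKI_ROOT/issuers/certs" "$PKI_ROOT/issuers/crl" "$PKI_ROOT/certs"
  pub_der "$WORK/ca.pem" "$PKI_ROOT/issuers/certs/DemoRootCA.der"
  openssl crl -in "$WORK/ca.crl.pem" -outform DER -out "$PKI_ROOT/issuers/crl/DemoRootCA.crl"
  pub_der "$WORK/user_combined.pem" "$PKI_ROOT/certs/demo-user.der"
}

# Succeeds only if the user cert chains to the CA and the CA's CRL is present.
verify_user_cert() {
  openssl verify -crl_check -CAfile "$WORK/ca.pem" -CRLfile "$WORK/ca.crl.pem" "$WORK/user.pem"
}

make_demo_pki
install_trust_single_cert
verify_user_cert
```

If a certificate has already been tried and rejected, also remove its copy from the rejected folder next to certs, as the first reply notes.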
