8:41, EEST
June 28, 2021
1) i have my own certificate, and it is signed by the example-rootca.pem and i put this example-rootca.pem into the PKI/CA/certs folder, but it still says
Bad_CertificateRevocationUnknown (0x801B0000) “It was not possible to determine if the certificate has been revoked.”
06/29/2021 13:21:22.134 DEBUG [OPC-UA-Stack-Non-Blocking-Work-Executor-3] com.prosysopc.ua.stack.cert.d [] – certificates.size()=1
06/29/2021 13:21:22.134 DEBUG [OPC-UA-Stack-Non-Blocking-Work-Executor-3] com.prosysopc.ua.stack.cert.d [] – Initialized cert from file: /Users/shuqing/.prosysopc/prosys-opc-ua-simulation-server/PKI/CA/certs/example-rootca.pem
06/29/2021 13:21:22.134 DEBUG [OPC-UA-Stack-Non-Blocking-Work-Executor-3] com.prosy:q
opc.ua.stack.cert.d [] – listAdd: cert=771FA6C3CFD2355A5E3B7A83636E413F0D339CC1; dir=/Users/shuqing/.prosysopc/prosys-opc-ua-simulation-server/PKI/CA/rejected
06/29/2021 13:21:22.135 DEBUG [OPC-UA-Stack-Non-Blocking-Work-Executor-3] com.prosysopc.ua.stack.cert.d [] – certificates.size()=1
06/29/2021 13:21:22.135 DEBUG [OPC-UA-Stack-Non-Blocking-Work-Executor-3] com.prosysopc.ua.stack.cert.d [] – removeCertificate: cert=771FA6C3CFD2355A5E3B7A83636E413F0D339CC1 dir=/Users/shuqing/.prosysopc/prosys-opc-ua-simulation-server/PKI/CA/certs
06/29/2021 13:21:22.135 DEBUG [OPC-UA-Stack-Non-Blocking-Work-Executor-3] com.prosysopc.ua.stack.cert.d [] – certificates.size()=1
06/29/2021 13:21:22.135 DEBUG [OPC-UA-Stack-Non-Blocking-Work-Executor-3] com.prosysopc.ua.stack.cert.d [] – c=null
06/29/2021 13:21:22.135 DEBUG [OPC-UA-Stack-Non-Blocking-Work-Executor-3] com.prosysopc.ua.stack.cert.d [] – certificates.size()=1
06/29/2021 13:21:22.135 INFO [OPC-UA-Stack-Non-Blocking-Work-Executor-3] com.prosysopc.ua.stack.cert.d [] – Certificate ‘771FA6C3CFD2355A5E3B7A83636E413F0D339CC1’ added to rejected certificates.
06/29/2021 13:21:22.135 DEBUG [OPC-UA-Stack-Non-Blocking-Work-Executor-3] com.prosysopc.ua.app.simserver.ui.tabs.certificate.CertificatesTabView [] – onRejected
06/29/2021 13:21:22.136 WARN [OPC-UA-Stack-Non-Blocking-Work-Executor-3] com.prosysopc.ua.stack.transport.tcp.nio.g [] – Remote certificate not accepted: Bad_CertificateRevocationUnknown (0x801B0000) “It was not possible to determine if the certificate has been revoked.”
the example-root.pem info:
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 16692487228558655672 (0xe7a7a0b19bfbc0b8)
Signature Algorithm: sha1WithRSAEncryption
Issuer: C=CN, ST=ST, CN=RootCA
Validity
Not Before: Jun 11 01:56:35 2021 GMT
Not After : Jun 9 01:56:35 2031 GMT
Subject: C=CN, ST=ST, CN=RootCA
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:b5:11:63:ca:eb:ad:74:33:9b:bd:aa:0a:45:58:
9c:50:d2:73:8c:5f:ff:f2:f0:f5:4f:de:6a:25:43:
21:c3:99:2c:66:64:94:9d:0c:5e:53:7c:b5:be:c7:
21:af:fe:1d:6a:a4:43:c7:6c:28:47:b1:56:98:38:
a9:7b:27:b6:d6:50:9a:bc:e3:c0:21:c9:d4:9d:6f:
e8:1f:f1:49:0c:c2:ce:dc:b8:0b:80:d9:f9:fe:f5:
e4:2c:d6:e3:b8:ef:d3:2e:e2:92:c4:1a:97:83:5a:
7b:bc:72:4e:cc:d4:9f:6d:86:d7:37:18:54:e9:d9:
a7:ab:a0:de:92:33:b8:53:21:c8:ab:61:02:90:17:
45:5a:df:36:ca:7a:5d:fe:01:7c:10:f5:49:ff:c5:
f4:f4:54:e3:86:52:e9:54:de:58:27:40:fa:39:e9:
6f:e9:86:cb:bf:ce:ff:b2:75:24:fb:72:a2:45:f7:
a6:20:bb:af:a2:88:f9:13:46:e0:36:31:63:94:7b:
5b:fe:5e:05:1f:b8:68:9c:ae:27:ce:51:b5:22:0f:
e3:d4:0e:b4:5d:21:04:7c:88:de:9d:1c:bb:8d:88:
46:5f:90:1a:f3:4c:a9:68:29:40:5d:33:03:11:a3:
e3:0e:cc:7c:02:14:79:8d:ff:8f:a5:0d:05:4b:e9:
81:23
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Alternative Name:
URI:urn:TestSuite:RootCA
X509v3 Basic Constraints:
CA:FALSE
X509v3 Key Usage:
Digital Signature, Non Repudiation, Key Encipherment, Data Encipherment, Certificate Sign
X509v3 Extended Key Usage:
TLS Web Server Authentication, TLS Web Client Authentication
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
65:5B:2D:5B:91:30:48:ED:77:95:AB:A2:2C:64:DA:34:E4:7C:35:27
X509v3 Authority Key Identifier:
keyid:65:5B:2D:5B:91:30:48:ED:77:95:AB:A2:2C:64:DA:34:E4:7C:35:27
Signature Algorithm: sha1WithRSAEncryption
61:2f:bf:ed:cf:f5:6b:f3:80:22:49:8c:43:22:7b:4a:70:5c:
0c:1f:15:19:60:15:80:b9:c3:06:f1:77:b6:c5:2b:74:a5:e3:
c1:9f:ee:ed:94:15:26:3c:8f:cc:99:73:55:0a:4d:44:1c:35:
df:ce:d2:67:78:a4:78:75:88:78:61:55:43:df:86:9e:7a:83:
f5:77:2a:b6:8c:47:d2:ec:80:9b:3c:f6:4c:ba:e4:f5:59:6b:
c2:bd:22:27:52:c0:fb:bc:ac:7e:b5:1b:43:cf:9a:6b:b6:33:
61:5a:98:fd:fd:da:0f:1b:43:8c:74:6f:a4:86:2b:13:66:cd:
2d:f8:0f:7c:96:d1:c2:be:9e:77:06:7a:3d:4f:2c:0f:df:e3:
eb:fe:68:d3:c3:d7:79:32:51:15:a0:5c:f1:a9:25:dc:e4:bf:
35:92:00:ea:15:e5:63:8f:4c:b6:dc:94:6c:0c:8b:a9:df:82:
9e:2a:c9:4c:d3:e1:f6:23:70:65:09:7b:bd:b3:10:f5:4f:ae:
75:90:47:47:17:ef:b7:9f:97:e2:39:c4:93:86:5b:be:60:ae:
74:ae:c1:3d:70:e2:91:1b:4a:e3:e9:66:f5:22:69:ab:0a:30:
67:e0:1a:03:4c:e9:8f:8e:ca:5a:f2:ac:7b:22:1e:ff:9a:fb:
d8:95:84:f3
—–BEGIN CERTIFICATE—–
MIIDozCCAougAwIBAgIJAOenoLGb+8C4MA0GCSqGSIb3DQEBBQUAMCsxCzAJBgNV
BAYTAkNOMQswCQYDVQQIDAJTVDEPMA0GA1UEAwwGUm9vdENBMB4XDTIxMDYxMTAx
NTYzNVoXDTMxMDYwOTAxNTYzNVowKzELMAkGA1UEBhMCQ04xCzAJBgNVBAgMAlNU
MQ8wDQYDVQQDDAZSb290Q0EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIB
AQC1EWPK6610M5u9qgpFWJxQ0nOMX//y8PVP3molQyHDmSxmZJSdDF5TfLW+xyGv
/h1qpEPHbChHsVaYOKl7J7bWUJq848AhydSdb+gf8UkMws7cuAuA2fn+9eQs1uO4
79Mu4pLEGpeDWnu8ck7M1J9thtc3GFTp2aeroN6SM7hTIcirYQKQF0Va3zbKel3+
AXwQ9Un/xfT0VOOGUulU3lgnQPo56W/phsu/zv+ydST7cqJF96Ygu6+iiPkTRuA2
MWOUe1v+XgUfuGicrifOUbUiD+PUDrRdIQR8iN6dHLuNiEZfkBrzTKloKUBdMwMR
o+MOzHwCFHmN/4+lDQVL6YEjAgMBAAGjgckwgcYwHwYDVR0RBBgwFoYUdXJuOlRl
c3RTdWl0ZTpSb290Q0EwCQYDVR0TBAIwADALBgNVHQ8EBAMCAvQwHQYDVR0lBBYw
FAYIKwYBBQUHAwEGCCsGAQUFBwMCMCwGCWCGSAGG+EIBDQQfFh1PcGVuU1NMIEdl
bmVyYXRlZCBDZXJ0aWZpY2F0ZTAdBgNVHQ4EFgQUZVstW5EwSO13lauiLGTaNOR8
NScwHwYDVR0jBBgwFoAUZVstW5EwSO13lauiLGTaNOR8NScwDQYJKoZIhvcNAQEF
BQADggEBAGEvv+3P9WvzgCJJjEMie0pwXAwfFRlgFYC5wwbxd7bFK3Sl48Gf7u2U
FSY8j8yZc1UKTUQcNd/O0md4pHh1iHhhVUPfhp56g/V3KraMR9LsgJs89ky65PVZ
a8K9IidSwPu8rH61G0PPmmu2M2FamP392g8bQ4x0b6SGKxNmzS34D3yW0cK+nncG
ej1PLA/f4+v+aNPD13kyURWgXPGpJdzkvzWSAOoV5WOPTLbclGwMi6nfgp4qyUzT
4fYjcGUJe72zEPVPrnWQR0cX77efl+I5xJOGW75grnSuwT1w4pEbSuPpZvUiaasK
MGfgGgNM6Y+OylryrHsiHv+a+9iVhPM=
—–END CERTIFICATE—–
my own certificate signed by example-root.pem info is:
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 9335349650520795802 (0x818dd30bdd5bea9a)
Signature Algorithm: sha1WithRSAEncryption
Issuer: C=CN, ST=ST, CN=RootCA
Validity
Not Before: Jun 11 01:58:28 2021 GMT
Not After : Jun 9 01:58:28 2031 GMT
Subject: C=CT, ST=ST, CN=TestSuite
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:e8:8b:90:60:73:17:7e:b5:f0:80:98:ff:31:d4:
aa:5c:12:1a:75:94:66:36:27:e9:b8:cf:a8:13:28:
61:1b:9d:8b:01:7f:3f:9d:1a:a5:70:d6:3d:1b:21:
af:01:e2:83:4a:8e:8f:6a:61:5d:be:75:95:36:87:
df:2d:f3:e4:d6:1d:8f:22:f2:86:76:09:63:d1:a7:
b3:22:f4:09:2e:6f:98:5f:aa:f6:bf:aa:1b:25:84:
59:0b:53:3e:fc:e0:d0:46:e0:28:11:a0:ba:ff:61:
6c:84:01:d9:a0:98:3c:e7:32:bb:12:99:f0:1f:79:
80:ea:c8:64:fc:c8:59:ed:59:41:68:2b:fe:71:e7:
f0:d8:19:32:a6:d8:25:80:ab:3a:22:40:0a:12:2e:
85:40:4c:aa:61:8e:dc:2a:31:82:96:d0:3b:4a:b4:
4a:70:86:2e:17:89:f2:45:73:37:b9:3f:39:35:52:
a0:86:96:29:08:41:56:ef:89:06:c9:36:5b:e2:39:
1e:90:4c:6c:95:1a:9e:57:eb:26:43:57:33:77:d4:
37:75:b1:7b:5a:f9:25:8e:00:f4:1e:c4:34:87:a5:
e2:3f:48:e3:cc:84:53:7b:0a:b8:7c:7d:65:f7:20:
08:dc:29:28:b8:0d:05:27:8c:fc:69:30:88:22:9b:
ef:d3
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Alternative Name:
URI:urn:TestSuite:TestingClient
X509v3 Basic Constraints:
CA:FALSE
X509v3 Key Usage:
Digital Signature, Non Repudiation, Key Encipherment, Data Encipherment, Certificate Sign
X509v3 Extended Key Usage:
TLS Web Server Authentication, TLS Web Client Authentication
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
9A:87:CF:F1:A5:10:F9:D4:25:EE:6F:39:4C:EA:B9:D4:23:D8:06:11
X509v3 Authority Key Identifier:
keyid:65:5B:2D:5B:91:30:48:ED:77:95:AB:A2:2C:64:DA:34:E4:7C:35:27
Signature Algorithm: sha1WithRSAEncryption
6f:49:42:91:5c:ea:7e:df:8d:ce:ec:52:bd:10:30:82:bc:6a:
be:6a:f4:cf:4d:3a:63:89:cd:3d:b0:ca:81:df:ba:8c:01:c0:
ce:ef:74:8b:f4:9b:d1:df:b8:39:c9:ec:67:15:31:88:e0:31:
b9:8f:84:ed:47:2e:cc:e3:1c:66:31:d2:a0:07:43:f3:63:97:
e0:22:35:d5:be:d5:ef:c4:9d:be:f6:64:e9:cd:fb:47:20:58:
ee:d8:67:b4:75:cf:51:50:71:ea:05:8e:7e:00:a8:b1:de:7d:
5c:ad:a6:d9:c3:38:a8:b5:13:d1:bc:9c:83:f8:db:01:05:bb:
a7:a9:b0:e3:fe:29:f7:64:f6:71:7d:7d:42:bc:73:1b:82:16:
33:15:c1:08:0e:5b:67:f0:ff:90:8f:fe:23:42:ef:2c:d7:32:
b7:f6:b9:c4:21:1e:f6:70:8d:26:7d:22:7f:c6:1b:a6:79:0b:
20:cf:40:99:e3:97:cf:53:24:a7:c8:81:c8:24:12:8d:31:e9:
a8:50:17:a6:0d:37:6e:02:6c:89:75:67:57:0b:da:50:be:8b:
41:3f:9c:a5:65:04:c4:24:f6:a1:a8:d6:2f:da:bd:24:64:e3:
dc:e6:1b:14:bf:34:01:c6:ef:1a:47:f6:29:9a:d1:c0:9f:66:
74:b4:2b:0b
—–BEGIN CERTIFICATE—–
MIIDrTCCApWgAwIBAgIJAIGN0wvdW+qaMA0GCSqGSIb3DQEBBQUAMCsxCzAJBgNV
BAYTAkNOMQswCQYDVQQIDAJTVDEPMA0GA1UEAwwGUm9vdENBMB4XDTIxMDYxMTAx
NTgyOFoXDTMxMDYwOTAxNTgyOFowLjELMAkGA1UEBhMCQ1QxCzAJBgNVBAgMAlNU
MRIwEAYDVQQDDAlUZXN0U3VpdGUwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK
AoIBAQDoi5Bgcxd+tfCAmP8x1KpcEhp1lGY2J+m4z6gTKGEbnYsBfz+dGqVw1j0b
Ia8B4oNKjo9qYV2+dZU2h98t8+TWHY8i8oZ2CWPRp7Mi9Akub5hfqva/qhslhFkL
Uz784NBG4CgRoLr/YWyEAdmgmDznMrsSmfAfeYDqyGT8yFntWUFoK/5×5/DYGTKm
2CWAqzoiQAoSLoVATKphjtwqMYKW0DtKtEpwhi4XifJFcze5Pzk1UqCGlikIQVbv
iQbJNlviOR6QTGyVGp5X6yZDVzN31Dd1sXta+SWOAPQexDSHpeI/SOPMhFN7Crh8
fWX3IAjcKSi4DQUnjPxpMIgim+/TAgMBAAGjgdAwgc0wJgYDVR0RBB8wHYYbdXJu
OlRlc3RTdWl0ZTpUZXN0aW5nQ2xpZW50MAkGA1UdEwQCMAAwCwYDVR0PBAQDAgL0
MB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjAsBglghkgBhvhCAQ0EHxYd
T3BlblNTTCBHZW5lcmF0ZWQgQ2VydGlmaWNhdGUwHQYDVR0OBBYEFJqHz/GlEPnU
Je5vOUzqudQj2AYRMB8GA1UdIwQYMBaAFGVbLVuRMEjtd5Wroixk2jTkfDUnMA0G
CSqGSIb3DQEBBQUAA4IBAQBvSUKRXOp+343O7FK9EDCCvGq+avTPTTpjic09sMqB
37qMAcDO73SL9JvR37g5yexnFTGI4DG5j4TtRy7M4xxmMdKgB0PzY5fgIjXVvtXv
xJ2+9mTpzftHIFju2Ge0dc9RUHHqBY5+AKix3n1crabZwziotRPRvJyD+NsBBbun
qbDj/in3ZPZxfX1CvHMbghYzFcEIDltn8P+Qj/4jQu8s1zK39rnEIR72cI0mfSJ/
xhumeQsgz0CZ45fPUySnyIHIJBKNMemoUBemDTduAmyJdWdXC9pQvotBP5ylZQTE
JPahqNYv2r0kZOPc5hsUvzQBxu8aR/YpmtHAn2Z0tCsL
—–END CERTIFICATE—–
8:54, EEST
Moderators
February 11, 2020
Hello,
When using non-self signed certificates, the issuer certificate used to sign the certificate must provide a Certificate Revocation List (CRL) that is used to verify whether or not issued certificates have been revoked. If the CRL is not available, StatusCode Bad_CertificateRevocationUnknown is returned by the DefaultCertificateValidator’s validateCertificate method.
If you don’t have a CRL file available for the issuer certificate, you can use DefaultCertificateValidator.getIgnoredChecks method to get a Set of IgnoredChecks enumerations and add IgnoredChecks.IGNORE_CA_MISSING_CRL to this Set to accept issuer certificates without CRL files.
Most Users Ever Online: 1919
Currently Online:
5 Guest(s)
Currently Browsing this Page:
1 Guest(s)
Top Posters:
Heikki Tahvanainen: 402
hbrackel: 144
rocket science: 88
pramanj: 86
Francesco Zambon: 83
Ibrahim: 78
Sabari: 62
kapsl: 57
gjevremovic: 49
Xavier: 43
Member Stats:
Guest Posters: 0
Members: 737
Moderators: 7
Admins: 1
Forum Stats:
Groups: 3
Forums: 15
Topics: 1524
Posts: 6450
Newest Members:
jonathonmcintyre, fannielima, kristiewinkle8, rust, christamcdowall, redaahern07571, nigelbdhmp, travistimmons, AnnelCib, dalenegettingerModerators: Jouni Aro: 1026, Pyry: 1, Petri: 0, Bjarne Boström: 1026, Jimmy Ni: 26, Matti Siponen: 346, Lusetti: 0
Administrators: admin: 1