Professional OPC
Development Tools

logos

Online Forums

Technical support is provided through Support Forums below. Anybody can view them; you need to Register/Login to our site (see links in upper right corner) in order to Post questions. You do not have to be a licensed user of our product.

Please read Rules for forum posts before reporting your issue or asking a question. OPC Labs team is actively monitoring the forums, and replies as soon as possible. Various technical information can also be found in our Knowledge Base. For your convenience, we have also assembled a Frequently Asked Questions page.

Do not use the Contact page for technical issues.

Bought a signed cert and no success

More
19 May 2020 07:14 #8492 by support
1) The notification on the first image means that QuickOPC received a (self-signed) certificate from the server, and that this certificate is not trusted - because it is not in the "trusted peers" certificate store. If you want to permanently trust this certificate, you need to place that certificate into the "trusted peers" store. OPC applications usually have a UI or tool to do that, but QuickOPC does not, mainly beause it is not an application by itself, it is just a library.

Have look here: opclabs.doc-that.com/files/onlinedocs/QuickOpc/Latest/User%2...ecurity%20(Client-Server).html
and especially here: opclabs.doc-that.com/files/onlinedocs/QuickOpc/Latest/User%2...%20Instance%20Certificate.html
and here: opclabs.doc-that.com/files/onlinedocs/QuickOpc/Latest/User%2...html#Certificate%20Stores.html .

If the certificate has been rejected once (it was, that's what the notification says), it will be already in the "rejected certificate store" - for convenience. You can make it trusted by moving it to "trusted peers" certificate store either by simply moving the file, or by using UA Configuration tool (kb.opclabs.com/Tool_Downloads ).

2) To the second screenshot: For self-signed signed certificate, this is how they look like, it is perfectly normal and correct (they have no certification path - that's what it means that they are self-signed), and there is no way to make it go away.

Best regards

Please Log in or Create an account to join the conversation.

More
17 May 2020 16:00 #8490 by Plcjc
When I first connect to the server thru your SDK I get presented with the following

This browser does not support PDFs. Please download the PDF to view it: Download PDF



I believe I was under the wrong impression that this was complaining about a self signed cert. I have now reissued the self signed cert in the Kepware server and in it's path
it tells me that it is untrusted because it's not in the trusted root securities authority store.

This browser does not support PDFs. Please download the PDF to view it: Download PDF



Would this warning/alarm go away if I could get this self signed cert in that trusted root securities authority store ? and if so how would I do that ? please forgive me my ignorance about the whole Cert thing.

Thanks
Jeff
Attachments:

Please Log in or Create an account to join the conversation.

More
17 May 2020 15:52 #8489 by Plcjc
Thank you for your reply. I will give you the short story of what I am doing. I have been using OPC-DA for about 20 years or so with great success most of it is monitoring data from around 100 PLC's and mostly displaying it, sometimes logging to database, sometimes allowing users to change values from windows application. Mostly simple stuff, but it has worked great for a long time. This is my first venture into OPC-UA and I'm doing it since I have upgraded to the new Kepware server and DCom while always presented certain headache's seems to be more of a pain with Windows 10 and the newer server platforms. My present applications are going against a Windows 2000 server as a VM and has worked great for a long time, but when I tried to put it on new hardware it was a problem. I now have Kepware 6.8 on a Windows 10 install and have purchased your SDK to update to UA everything will be contained in my very own Lan so nothing will get out into the world so to speak. Hope this wasn't too much info.

Please Log in or Create an account to join the conversation.

More
16 May 2020 08:19 #8487 by support
Hello,
can you connect (with security policy other than None) to the server with other OPC UA clients?

Can you send the same screenshot of the certificate you provided to Kepware to us? Either post it here, or (if it is confidential) email to support09 (at) opclabs.com.

The certificate validation is complex and we are just taking over the code from OPC Foundation (and the code is changing over the time), so I do not pretend to understand the details of it either.

But before we get to the details, I want to clarify what you are doing: Why do you want to use a certificate from a commercial CA? In my understanding, there is no reason to do that. It might even be wrong and insecure thing to do. Because, if you want to use that CA as your trust root, you would basically be saying that any certificate that that CA has issued to anybody is something you want to trust too ! That's insecure. You would have to persuade the CA to create a sub-CA just for you, and have that sub-CA issue the certificate, and then trust that sub-CA but not the actual commercial CA. But I do not think you have done that.

Or, you can use a certificate from a commercial CA without having that CA as your trust root, but instead configuring the UA applications to trust only individual, specific certificates. Doing so is possible, but turns the whole thing back into the scheme used with self-signed certificates, creating a need to manage the trusts on one by one basis, plus you would completely unnecessary go through the hassle and expenses related to a certificate from commercial CA.

So, why do that?

The "normal" OPC UA way of doing things is either with self-signed certificates, or with a CA that you control yourself.

Best regards

Please Log in or Create an account to join the conversation.

More
15 May 2020 17:09 #8486 by Plcjc
Hello I purchased a cert from a CA and imported it in to Kepware ver 6.8 the people at keepware tell me the chain looks good as I sent them a screen shot from their server software that shows the path. Before I got this cert if I created the endpoint in Conectivity Explorer I could see the server and all it's tags if I accepted the self signed cert
now with this purchased cert it won't even give me that option and fails with the error I have attached. I will be the first to admit Certificates are new to me and not really my strong suit. I saw a similar post to this, but there was no real solution. any direction would be appreciated.

Thanks
Jeff

This browser does not support PDFs. Please download the PDF to view it: Download PDF

Attachments:

Please Log in or Create an account to join the conversation.

Moderators: support
Time to create page: 0.051 seconds