- Posts: 19
- Thank you received: 0
Online Forums
Technical support is provided through Support Forums below. Anybody can view them; you need to Register/Login to our site (see links in upper right corner) in order to Post questions. You do not have to be a licensed user of our product.
Please read Rules for forum posts before reporting your issue or asking a question. OPC Labs team is actively monitoring the forums, and replies as soon as possible. Various technical information can also be found in our Knowledge Base. For your convenience, we have also assembled a Frequently Asked Questions page.
Do not use the Contact page for technical issues.
- Forum
- Discussions
- QuickOPC-UA in .NET
- Connections, Reconnections, Certificates
- Certificate's signature algorithm
Certificate's signature algorithm
11 Jun 2020 08:28 #8567
by KrisSik
Replied by KrisSik on topic Certificate's signature algorithm
Hello,
Thank you for the explanation.
I tried 2 ways to generate the certificate, but all of them failed. And now I know the reason for each.
I was trying to implement my own code for creating certificate (without using Bounty Castle lib), but as I can see now it has .NET framework issue, which takes too much time to solve.
I was trying to use OPC UA Configuration tool to generate certificate, but that also fails, as this tool generates certificate with incorrect signature algorithm, which can't be changed. By the way, this tool comes with QuickOpc Launcher, which is strange as it's certificates are not accepted by QuickOpc's certificate validation.
But yes, actually I can use Opc.Ua.CertificateGenerator.exe, and I will probably do that.
Best regards,
Kristian
Thank you for the explanation.
I tried 2 ways to generate the certificate, but all of them failed. And now I know the reason for each.
I was trying to implement my own code for creating certificate (without using Bounty Castle lib), but as I can see now it has .NET framework issue, which takes too much time to solve.
I was trying to use OPC UA Configuration tool to generate certificate, but that also fails, as this tool generates certificate with incorrect signature algorithm, which can't be changed. By the way, this tool comes with QuickOpc Launcher, which is strange as it's certificates are not accepted by QuickOpc's certificate validation.
But yes, actually I can use Opc.Ua.CertificateGenerator.exe, and I will probably do that.
Best regards,
Kristian
Please Log in or Create an account to join the conversation.
09 Jun 2020 16:35 #8561
by support
Replied by support on topic Certificate's signature algorithm
If the provider type is not supported by the /NET Framework, then it is no-go for us, with that certificate.
I am kind of lost of what is what you are trying to achieve. Can you please "start over" and explain that?
Why cannot you use the mechanism built-in to QuickOPC to generate the application certificate?
And, if you want to use your own application certificate, have you attempted to use the Opc.Ua.CertificateGenerator.exe utility (installed alongside the Opc.Ua.ConfigurationTool.exe)?
Best regards
I am kind of lost of what is what you are trying to achieve. Can you please "start over" and explain that?
Why cannot you use the mechanism built-in to QuickOPC to generate the application certificate?
And, if you want to use your own application certificate, have you attempted to use the Opc.Ua.CertificateGenerator.exe utility (installed alongside the Opc.Ua.ConfigurationTool.exe)?
Best regards
Please Log in or Create an account to join the conversation.
09 Jun 2020 16:31 #8560
by support
Replied by support on topic Certificate's signature algorithm
The best venue to ask about purpose of application URIs would be opcfoundation.org/forum/ .
But in general, in my own words and understanding, the application URI in OPC UA is important so that your program knows what is the other party (server or client) it communicates with. It is a logical identification of the application on the other side, which does not change over time. Other pieces of information, such as endpoint URL, or the other party's application certificate, cannot fulfill that role, because they can change over time as the systems gets physically updated or reconfigured. But the application URI is meant to stay. It can be used, among other things, to distinguish the role(s) the other application is in, and therefore the operations it has permissions to perform.
I do not quite understand the part of your question about "OPC UA Configuration tool". I am actually not aware about a way to use it to generate new certificates for QuickOPC; if, what you are referring to, is the "Create Application Certificate" on the "Manage Application" tab, then this is meant for applications that actually a particular application configuration model based on XML configuration files - which QuickOPC does *not* use.
Best regards
But in general, in my own words and understanding, the application URI in OPC UA is important so that your program knows what is the other party (server or client) it communicates with. It is a logical identification of the application on the other side, which does not change over time. Other pieces of information, such as endpoint URL, or the other party's application certificate, cannot fulfill that role, because they can change over time as the systems gets physically updated or reconfigured. But the application URI is meant to stay. It can be used, among other things, to distinguish the role(s) the other application is in, and therefore the operations it has permissions to perform.
I do not quite understand the part of your question about "OPC UA Configuration tool". I am actually not aware about a way to use it to generate new certificates for QuickOPC; if, what you are referring to, is the "Create Application Certificate" on the "Manage Application" tab, then this is meant for applications that actually a particular application configuration model based on XML configuration files - which QuickOPC does *not* use.
Best regards
The following user(s) said Thank You: KrisSik
Please Log in or Create an account to join the conversation.
09 Jun 2020 09:44 #8556
by KrisSik
Replied by KrisSik on topic Certificate's signature algorithm
Hi,
You are right, I tried to read PrivateKey property and looks like it's impossible. I used a certutil tool, and found out it has a different provider type, which is not supported by .NET Framework.
And regarding the algorithm, I asked that because OPC UA Configuration tool generates certificate with sha1RSA signature algorithm.
Best regards,
Kristian Sik
You are right, I tried to read PrivateKey property and looks like it's impossible. I used a certutil tool, and found out it has a different provider type, which is not supported by .NET Framework.
And regarding the algorithm, I asked that because OPC UA Configuration tool generates certificate with sha1RSA signature algorithm.
Best regards,
Kristian Sik
Please Log in or Create an account to join the conversation.
09 Jun 2020 08:51 #8555
by KrisSik
Replied by KrisSik on topic Certificate's signature algorithm
Hi,
Thank you for the description. I can't understand what is the rationale for specifying application URI, could you please explain?
I was also trying to generate a certificate using OPC UA Configuration tool (which comes with QuickOpc Launcher), but that certificate is also being replaced. Is there a way to generate valid certificate using this tool?
Thanks in advance.
Best regards,
Kristian
Thank you for the description. I can't understand what is the rationale for specifying application URI, could you please explain?
I was also trying to generate a certificate using OPC UA Configuration tool (which comes with QuickOpc Launcher), but that certificate is also being replaced. Is there a way to generate valid certificate using this tool?
Thanks in advance.
Best regards,
Kristian
Please Log in or Create an account to join the conversation.
01 Jun 2020 16:07 - 09 Jun 2020 09:00 #8537
by support
Replied by support on topic Certificate's signature algorithm
OK - you may have different issues with different certificates.
I have checked what conditions are there when checking the application certificate - we will extend the documentation so that this is clearer in the future. Here is what the documentation will say:
If the application instance certificate is found in the appropriate certificate store, QuickOPC checks the certificate. If any checks fails, QuickOPC create a new certificate and replaces the certificate in the store.
1.The certificate must be valid.
2.The size of the certificate's public key must be at least the minimum size. Currently, QuickOPC uses zero as minimum size, therefore all certificates pass this check.
3.If the application type includes a Server, the certificate's domains are checked against the server configuration. QuickOPC applications are normally client-only (unless you specify otherwise), and therefore this check always passes in the default QuickOPC configuration.
4.The application URI must be specified (non-empty) in the certificate. The application URI is an URI from the certificate extension with OID 2.5.29.7 (subjectAltName) or 2.5.29.17 (Subject Alternative Name).
So yes, please always put the "Subject alternative name" into your certificate - without it it won't work.
But, this recent trace you posted fails on the certificate even before that. The error is "Invalid provider type specified." and it is an exception generated when the code tries to access the PrivateKey property of X509Certificate2 in .NET. We might be facing some .NET Framework limitation here.
Can you make a small program in .NET Framework and see if it can, with no OPC UA involved, access the Private Key of your certificate?
Or, can you send the certificate to us? - for security, it can be via email - or with a private key different from what you normally use - or both.
You started this thread with a requirement to use a different signature algorithm - so I suppose that is what you have used, a "different" one - likely, this is related to the issue - which algorithm is it then?
(Side note: The private key wouldn't be accessed at this place if Windows certificate store was used).
Thank you
I have checked what conditions are there when checking the application certificate - we will extend the documentation so that this is clearer in the future. Here is what the documentation will say:
If the application instance certificate is found in the appropriate certificate store, QuickOPC checks the certificate. If any checks fails, QuickOPC create a new certificate and replaces the certificate in the store.
1.The certificate must be valid.
2.The size of the certificate's public key must be at least the minimum size. Currently, QuickOPC uses zero as minimum size, therefore all certificates pass this check.
3.If the application type includes a Server, the certificate's domains are checked against the server configuration. QuickOPC applications are normally client-only (unless you specify otherwise), and therefore this check always passes in the default QuickOPC configuration.
4.The application URI must be specified (non-empty) in the certificate. The application URI is an URI from the certificate extension with OID 2.5.29.7 (subjectAltName) or 2.5.29.17 (Subject Alternative Name).
So yes, please always put the "Subject alternative name" into your certificate - without it it won't work.
But, this recent trace you posted fails on the certificate even before that. The error is "Invalid provider type specified." and it is an exception generated when the code tries to access the PrivateKey property of X509Certificate2 in .NET. We might be facing some .NET Framework limitation here.
Can you make a small program in .NET Framework and see if it can, with no OPC UA involved, access the Private Key of your certificate?
Or, can you send the certificate to us? - for security, it can be via email - or with a private key different from what you normally use - or both.
You started this thread with a requirement to use a different signature algorithm - so I suppose that is what you have used, a "different" one - likely, this is related to the issue - which algorithm is it then?
(Side note: The private key wouldn't be accessed at this place if Windows certificate store was used).
Thank you
Last edit: 09 Jun 2020 09:00 by support.
Please Log in or Create an account to join the conversation.
01 Jun 2020 12:06 #8535
by KrisSik
Replied by KrisSik on topic Certificate's signature algorithm
Unfortunately, the certificate which I used while recording previous traces, doesn't have that extension, but another one has (so I recorded the traces again, please find that in the attachments).
The "Subject alternative name" (which has OID 2.5.39.17) of that certificate contains value like this:
The "Subject alternative name" (which has OID 2.5.39.17) of that certificate contains value like this:
URL=CompanyName-PC13:OpcUaTool
DNS Name=CompanyName-PC13Please Log in or Create an account to join the conversation.
01 Jun 2020 11:29 #8534
by support
Replied by support on topic Certificate's signature algorithm
Thank you.
A question: What do you put (if anything) as Application URI into your certificate? It should be in extension with OID 2.5.29.7 or 2.5.29.17 .
Thank you
A question: What do you put (if anything) as Application URI into your certificate? It should be in extension with OID 2.5.29.7 or 2.5.29.17 .
Thank you
Please Log in or Create an account to join the conversation.
01 Jun 2020 10:32 #8533
by KrisSik
Replied by KrisSik on topic Certificate's signature algorithm
Yes, you are right, I missed that. Sorry for that.
Here is the new traces file.
Here is the new traces file.
Please Log in or Create an account to join the conversation.
01 Jun 2020 10:18 #8532
by support
Replied by support on topic Certificate's signature algorithm
Unfortunately you missed the parts that I wanted. Check the Web page again, and make sure you have this as well:
Optionally, to reduce the info that is not necessary, please remove this line:Thank you
<configSections>
<section
name="OpcLabs.EasyOpc.UA.Toolkit.SdkTrace"
type="OpcLabs.EasyOpc.UA.Toolkit.SdkTraceSection,OpcLabs.EasyOpcUA" />
</configSections>
<OpcLabs.EasyOpc.UA.Toolkit.SdkTrace traceOutput="3" >
</OpcLabs.EasyOpc.UA.Toolkit.SdkTrace>Optionally, to reduce the info that is not necessary, please remove this line:
<add name="OpcLabs.Reflection.AssemblyLoading" value="1" />Please Log in or Create an account to join the conversation.
Moderators: support
- Forum
- Discussions
- QuickOPC-UA in .NET
- Connections, Reconnections, Certificates
- Certificate's signature algorithm
Time to create page: 0.073 seconds