Certificate's signature algorithm

01 Jun 2020 10:14 #8531 by KrisSik
Hi,

They are attached to this message.

01 Jun 2020 10:10 #8530 by support
Hello,
can you please post your modified .config file as well? The problem is that I do not see the entries I expected in the trace file. So, I want to check if the .config file is OK.

Thank you

01 Jun 2020 07:51 #8529 by KrisSik
Oops, forgot to attach the file.

01 Jun 2020 07:49 #8528 by KrisSik
Hi,

I repeated those actions with extended traces enabled. Please find the file with traces in the attachments.

Best regards,
Kristian

30 May 2020 05:58 #8526 by support
Thank you.

The certificate is probably being rejected for some reason, but the normal log entries do not contain enough information.
We need to go deeper. Can you please enable the extended tracing (kb.opclabs.com/QuickOPC:_How_to_enable_extended_tracing) and provide us with the collected data?

Kind regards

29 May 2020 08:27 #8522 by KrisSik
Hello,

Yes, I did put the files in the following locations:
C:\ProgramData\OPC Foundation\CertificateStores\MachineDefault\private\MYH3 [2B62F0474B87FA86E543B61E6C1A4BC3D144D3C2].pfx
C:\ProgramData\OPC Foundation\CertificateStores\MachineDefault\certs\MYH3 [2B62F0474B87FA86E543B61E6C1A4BC3D144D3C2].der
C:\ProgramData\OPC Foundation\CertificateStores\UA Applications\certs\MYH3 [2B62F0474B87FA86E543B61E6C1A4BC3D144D3C2].der

And after the connection attempt they are deleted and replaced by the following newly generated certificate files:
C:\ProgramData\OPC Foundation\CertificateStores\MachineDefault\private\MYH3 [0083C1A616A2BBFA810632DDB116D3A1E451F42B].pfx
C:\ProgramData\OPC Foundation\CertificateStores\MachineDefault\certs\MYH3 [0083C1A616A2BBFA810632DDB116D3A1E451F42B].der
C:\ProgramData\OPC Foundation\CertificateStores\UA Applications\certs\MYH3 [0083C1A616A2BBFA810632DDB116D3A1E451F42B].der

Best regards,
Kristian
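
Added example, not part of the original post and not QuickOPC code: the listing above uses file names of the form `name [thumbprint].ext`, so this Python sketch snapshots the stores before and after a connection attempt, reports which entries were removed or added, and checks that each .der file hashes to the thumbprint in its name. It assumes the bracketed value is the SHA-1 of the DER file; the function names and the demo data are constructed for illustration.

```python
import hashlib
import re
from pathlib import Path

# Store file names on this page follow "<name> [<40-hex SHA-1 thumbprint>].<ext>".
NAME_RE = re.compile(r"^(?P<name>.+) \[(?P<thumb>[0-9A-Fa-f]{40})\]\.(?P<ext>der|pfx)$")

def snapshot(root):
    """Map store-relative directory -> set of (name, thumbprint, ext) found there."""
    root = Path(root)
    result = {}
    for path in sorted(root.rglob("*")):
        m = NAME_RE.match(path.name)
        if path.is_file() and m:
            store = path.parent.relative_to(root).as_posix()
            result.setdefault(store, set()).add(
                (m["name"], m["thumb"].upper(), m["ext"].lower()))
    return result

def mismatched_der(root):
    """Return .der file names whose SHA-1 over the file bytes differs from the name."""
    bad = []
    for path in sorted(Path(root).rglob("*.der")):
        m = NAME_RE.match(path.name)
        if m and hashlib.sha1(path.read_bytes()).hexdigest().upper() != m["thumb"].upper():
            bad.append(path.name)
    return bad

def diff(before, after):
    """Per store, report entries removed and added between two snapshots."""
    report = {}
    for store in sorted(set(before) | set(after)):
        removed = before.get(store, set()) - after.get(store, set())
        added = after.get(store, set()) - before.get(store, set())
        if removed or added:
            report[store] = {"removed": sorted(removed), "added": sorted(added)}
    return report

def build_demo_store(root, blob):
    """Constructed sample: one placeholder blob placed in the three locations listed above."""
    thumb = hashlib.sha1(blob).hexdigest().upper()
    for store, ext in (("MachineDefault/private", "pfx"),
                       ("MachineDefault/certs", "der"),
                       ("UA Applications/certs", "der")):
        d = Path(root) / store
        d.mkdir(parents=True, exist_ok=True)
        (d / f"MYH3 [{thumb}].{ext}").write_bytes(blob)
    return thumb
```

On a real machine, call `snapshot()` on the `CertificateStores` directory before and after the connection attempt and pass both results to `diff()`; a thumbprint that changes in all three stores matches the replacement described above.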

28 May 2020 17:44 #8520 by support
Hello.

Let me repeat my question: Do you also put your certificate (as .DER, without private key) to the Trusted peers certificate store?

Regards

28 May 2020 12:43 #8519 by KrisSik
Hello,

Let me describe the actions I did:
1. Placed the certificate (.pfx file) in the application instance certificate store.
2. Updated the EasyUAClient.SharedParameters.EngineParameters.ApplicationParameters.ApplicationName to match the Common Name (CN) property from the certificate's subject.
3. Initialized the EasyUAClient and tried to browse the node.

As a result, a new certificate is being generated and the old one is deleted. The server's rejected certificates store already contains the newly generated certificate.
Please find the log file attached to this message.

Best regards,
Kristian

23 May 2020 11:32 #8502 by support
That is a complicated process, but in general, an existing certificate for the specified subject name should be kept (and not replaced) and used, as long as it itself validates (I think that it thus should also be in the Trusted store!) and fulfills additional conditions such as that the key size is not too low.

For initial diagnostics, please hook a handler to the (static) EasyUAClient.LogEntry event, and send us the events generated when QuickOPC replaces the certificate when it "should not". If there is confidential information in it, email it to support09 (at) opclabs.com instead of posting here.

Best regards

23 May 2020 10:11 #8500 by support
No, you cannot. QuickOPC relies on the behavior of UA Certificate generator (OPC Foundation) with most default settings.

QuickOPC will automatically create *some* certificate for you, without you having to specify anything, or allowing you to specify just the very basics (application name). This is an intentional design decision: There are so many ways and options the certificate can be generated, that even if we provided more options, there will always be somebody saying that they want their certificate to be different.

If the certificate you get by the "automatic" process is not what you want, you need to generate one yourself by whatever means you choose, and then point QuickOPC to that certificate. This gives you total control of the certificate used, if you need it.

I understand from your other post that you have a problem with that approach as well, and I will reply to that post separately. But it is the right way to do it.

Best regards
