Online Forums
Technical support is provided through Support Forums below. Anybody can view them; you need to Register/Login to our site (see links in upper right corner) in order to Post questions. You do not have to be a licensed user of our product.
Please read Rules for forum posts before reporting your issue or asking a question. OPC Labs team is actively monitoring the forums, and replies as soon as possible. Various technical information can also be found in our Knowledge Base. For your convenience, we have also assembled a Frequently Asked Questions page.
Do not use the Contact page for technical issues.
Controlling Certificate Validations in EasyUAClient
02 Oct 2024 19:33 #13197
by LAS.Carter
Replied by LAS.Carter on topic Controlling Certificate Validations in EasyUAClient
No worries! Thank you for taking the time to respond equally on this dialogue 
Given the current widespread "development economy", I appreciate your products pragmatic alignment to the governing standard.
Although I normally take configuration into consideration, I had not considered the factors of "repeatability"/idempotence factors at the product layers you described.
While your prioritization on this is not applicable to us, I could see how many companies, especially in the public sector, would consider this priority indispensable.
As a conforming product, you must prioritize standards adherence, and do so in such a way that adherence is maintained at-scale.
If I recall correctly, the OPC-UA standards include a definition for a centralized client-configuration facility; If this related, restricting horizontal configuration to discrete values guarantees that your users can scale your solution vertically in a "turn-key" manner.
In our environment, we sometimes decide to wrap/repackage certain "architectural" libraries, to limit or expedite the interface available to our developers.
Like many companies, we sometimes leverage contracted developers, and this approach helps regulate change management, risk adoption, and maintenance commitments.
This is why custom certificate validation was my first choice; I will most likely wrap your library regardless, to ensure certificate-related options such as store locations and validation options, cannot be manipulated by developers in a production environment, but I do appreciate that this is not the case for pretty much all of your customers.
Focusing on the issue at hand, when I say that we are required to utilize existing internal certificate infrastructure for certificate-based client-server communications, let me provide some depth on what this entails and how we currently intend to structure our OPC-UA architecture.
I have a certificate chain that, succeeds when tested for Certificate Revocation status using a different implementation, but fails when using the OPC-UA specified Certificate Revocation validations.
When I say that the certificate chain succeeds using a different implementation, I mean that I have confirmed that the non-OPC implementation properly fails for a revoked certificate and passes a non-revoked certificate as it should.
I'm mostly shooting in the dark here, but maybe the OPC-UA implementation expects that a certificate identifies it's own CRL distribution point, which is different from how HTTPS and many businesses internal certificate authorities are established.
In these systems, it is common to have the issued certificate include the the CRL distribution point governing the issued certificate, and in this sense the root certificate does not include a CRL distribution point.
Again, this is just my best guess; Maybe the OPC-UA implementation has no issue with this and something else is preventing CRL validation.
Let me know what you think.
Given the current widespread "development economy", I appreciate your products pragmatic alignment to the governing standard.
Although I normally take configuration into consideration, I had not considered the factors of "repeatability"/idempotence factors at the product layers you described.
While your prioritization on this is not applicable to us, I could see how many companies, especially in the public sector, would consider this priority indispensable.
As a conforming product, you must prioritize standards adherence, and do so in such a way that adherence is maintained at-scale.
If I recall correctly, the OPC-UA standards include a definition for a centralized client-configuration facility; If this related, restricting horizontal configuration to discrete values guarantees that your users can scale your solution vertically in a "turn-key" manner.
In our environment, we sometimes decide to wrap/repackage certain "architectural" libraries, to limit or expedite the interface available to our developers.
Like many companies, we sometimes leverage contracted developers, and this approach helps regulate change management, risk adoption, and maintenance commitments.
This is why custom certificate validation was my first choice; I will most likely wrap your library regardless, to ensure certificate-related options such as store locations and validation options, cannot be manipulated by developers in a production environment, but I do appreciate that this is not the case for pretty much all of your customers.
Focusing on the issue at hand, when I say that we are required to utilize existing internal certificate infrastructure for certificate-based client-server communications, let me provide some depth on what this entails and how we currently intend to structure our OPC-UA architecture.
- We intend to use our certificate infrastructure to prove governance/authority/identity of server-entities in our environment - All client (applications) and server endpoints will be configured for Sign+Encrypt Security Policy only.
- Client certificates will be generated by each application, which must be manually approved on the server-side, also ensuring that new client adoption is controlled.
- Server certificates and their chains are scrutinized for Issuer/Trust, using appropriately configured/separated Windows X.509 certificate stores on the Client-side, to improve serviceability for security personnel who may know little or nothing about OPC-UA.
- Server certificates prove to a client (application) that it is talking to a server we have trust/control/regulate; Clients will still be required to authenticate/authorize using one of the many available UserTokenPolicy.
- Server certificates will be checked by clients for Certification Revocation Status. (Why I want the custom certificate validation)
I have a certificate chain that, succeeds when tested for Certificate Revocation status using a different implementation, but fails when using the OPC-UA specified Certificate Revocation validations.
When I say that the certificate chain succeeds using a different implementation, I mean that I have confirmed that the non-OPC implementation properly fails for a revoked certificate and passes a non-revoked certificate as it should.
I'm mostly shooting in the dark here, but maybe the OPC-UA implementation expects that a certificate identifies it's own CRL distribution point, which is different from how HTTPS and many businesses internal certificate authorities are established.
In these systems, it is common to have the issued certificate include the the CRL distribution point governing the issued certificate, and in this sense the root certificate does not include a CRL distribution point.
Again, this is just my best guess; Maybe the OPC-UA implementation has no issue with this and something else is preventing CRL validation.
Let me know what you think.
Please Log in or Create an account to join the conversation.
27 Sep 2024 19:40 #13186
by LAS.Carter
Replied by LAS.Carter on topic Controlling Certificate Validations in EasyUAClient
I appreciate that a custom certificate validations feature does not seem to coincide with the product goal of being a "quick" and/or "easy" OPC solution.
I also understand that the OPC-UA Standard and OPC Labs build upon an industry-standard/accurate X509 infrastructure, but it is more rigid than the industry-normal, which is (in just my own opinion) why the OPC-UA Reference Implementation extends the feature I used as an example.
Regarding your suggestion, I think that these options paint a user-story of security disablement rather than configuration, which is not well-intentioned; Although there are definitely exceptions, it is unlikely that your users choose to be insecure, but they must choose to be business-functional.
Although few users truly need their own custom validation code, the feature could serve as a powerful trace-point when investigating certificate issues, for users troubleshooting on their own and when working with support. (similar to attaching a `Console.WriteLine` to the `EasyUAClient.LogEntry` event)
Many users seem to approach this forum with certificate issues, after they have tried to resolve the issue for multiple days.
Ostensibly, your users seek self-sufficiency because they do not want to call themselves "security disablers".
Guiding the user story towards features that empower them, rather than taking away something they don't understand (or even know where to begin understanding) might be a long-term design goal you can agree with.
As a literal example, a user might not understand the concepts of X509 standards without examples or hand-holding; They can understand the Certificate Path tab they see when they open a '.cer' on a Windows machine, and building from this visual concept they can associate the concepts of trust-anchors, certificate Trust versus Chain Validity, etc.
Obviously your goal is to hide and expedite what can and should be generalized, so it makes sense to take an opinion to prevent extreme scope-creep, but I think that having this feature could reduce development friction.
If a developer can surface a `CertificationFailure` event using Visual Studio Intellisense, like my developers did with `EasyUAClient.LogEntry`, a developer can further 'echo-locate' themselves educationally or derive a solution that they can ship confidently.
In this sense, they can take use their development experience as an opportunity to educate themselves further, to understand why their certificates are not working.
Sorry for the long read, but if it wasn't obvious I'm definitely in favor of adding the feature
I also understand that the OPC-UA Standard and OPC Labs build upon an industry-standard/accurate X509 infrastructure, but it is more rigid than the industry-normal, which is (in just my own opinion) why the OPC-UA Reference Implementation extends the feature I used as an example.
Regarding your suggestion, I think that these options paint a user-story of security disablement rather than configuration, which is not well-intentioned; Although there are definitely exceptions, it is unlikely that your users choose to be insecure, but they must choose to be business-functional.
Although few users truly need their own custom validation code, the feature could serve as a powerful trace-point when investigating certificate issues, for users troubleshooting on their own and when working with support. (similar to attaching a `Console.WriteLine` to the `EasyUAClient.LogEntry` event)
Many users seem to approach this forum with certificate issues, after they have tried to resolve the issue for multiple days.
Ostensibly, your users seek self-sufficiency because they do not want to call themselves "security disablers".
Guiding the user story towards features that empower them, rather than taking away something they don't understand (or even know where to begin understanding) might be a long-term design goal you can agree with.
As a literal example, a user might not understand the concepts of X509 standards without examples or hand-holding; They can understand the Certificate Path tab they see when they open a '.cer' on a Windows machine, and building from this visual concept they can associate the concepts of trust-anchors, certificate Trust versus Chain Validity, etc.
Obviously your goal is to hide and expedite what can and should be generalized, so it makes sense to take an opinion to prevent extreme scope-creep, but I think that having this feature could reduce development friction.
If a developer can surface a `CertificationFailure` event using Visual Studio Intellisense, like my developers did with `EasyUAClient.LogEntry`, a developer can further 'echo-locate' themselves educationally or derive a solution that they can ship confidently.
In this sense, they can take use their development experience as an opportunity to educate themselves further, to understand why their certificates are not working.
Sorry for the long read, but if it wasn't obvious I'm definitely in favor of adding the feature
Please Log in or Create an account to join the conversation.
Moderators: support
Time to create page: 0.065 seconds