Professional OPC
Development Tools

logos

Online Forums

Technical support is provided through Support Forums below. Anybody can view them; you need to Register/Login to our site (see links in upper right corner) in order to Post questions. You do not have to be a licensed user of our product.

Please read Rules for forum posts before reporting your issue or asking a question. OPC Labs team is actively monitoring the forums, and replies as soon as possible. Various technical information can also be found in our Knowledge Base. For your convenience, we have also assembled a Frequently Asked Questions page.

Do not use the Contact page for technical issues.

Certificate's signature algorithm

More
11 Jun 2020 08:28 #8567 by KrisSik
Hello,

Thank you for the explanation.

I tried 2 ways to generate the certificate, but all of them failed. And now I know the reason for each.
I was trying to implement my own code for creating certificate (without using Bounty Castle lib), but as I can see now it has .NET framework issue, which takes too much time to solve.
I was trying to use OPC UA Configuration tool to generate certificate, but that also fails, as this tool generates certificate with incorrect signature algorithm, which can't be changed. By the way, this tool comes with QuickOpc Launcher, which is strange as it's certificates are not accepted by QuickOpc's certificate validation.

But yes, actually I can use Opc.Ua.CertificateGenerator.exe, and I will probably do that.

Best regards,
Kristian

Please Log in or Create an account to join the conversation.

More
09 Jun 2020 16:35 #8561 by support
If the provider type is not supported by the /NET Framework, then it is no-go for us, with that certificate.

I am kind of lost of what is what you are trying to achieve. Can you please "start over" and explain that?
Why cannot you use the mechanism built-in to QuickOPC to generate the application certificate?
And, if you want to use your own application certificate, have you attempted to use the Opc.Ua.CertificateGenerator.exe utility (installed alongside the Opc.Ua.ConfigurationTool.exe)?

Best regards

Please Log in or Create an account to join the conversation.

More
09 Jun 2020 16:31 #8560 by support
The best venue to ask about purpose of application URIs would be opcfoundation.org/forum/ .

But in general, in my own words and understanding, the application URI in OPC UA is important so that your program knows what is the other party (server or client) it communicates with. It is a logical identification of the application on the other side, which does not change over time. Other pieces of information, such as endpoint URL, or the other party's application certificate, cannot fulfill that role, because they can change over time as the systems gets physically updated or reconfigured. But the application URI is meant to stay. It can be used, among other things, to distinguish the role(s) the other application is in, and therefore the operations it has permissions to perform.

I do not quite understand the part of your question about "OPC UA Configuration tool". I am actually not aware about a way to use it to generate new certificates for QuickOPC; if, what you are referring to, is the "Create Application Certificate" on the "Manage Application" tab, then this is meant for applications that actually a particular application configuration model based on XML configuration files - which QuickOPC does *not* use.

Best regards
The following user(s) said Thank You: KrisSik

Please Log in or Create an account to join the conversation.

More
09 Jun 2020 09:44 #8556 by KrisSik
Hi,

You are right, I tried to read PrivateKey property and looks like it's impossible. I used a certutil tool, and found out it has a different provider type, which is not supported by .NET Framework.
And regarding the algorithm, I asked that because OPC UA Configuration tool generates certificate with sha1RSA signature algorithm.

Best regards,
Kristian Sik

Please Log in or Create an account to join the conversation.

More
09 Jun 2020 08:51 #8555 by KrisSik
Hi,

Thank you for the description. I can't understand what is the rationale for specifying application URI, could you please explain?

I was also trying to generate a certificate using OPC UA Configuration tool (which comes with QuickOpc Launcher), but that certificate is also being replaced. Is there a way to generate valid certificate using this tool?

Thanks in advance.

Best regards,
Kristian

Please Log in or Create an account to join the conversation.

More
01 Jun 2020 16:07 - 09 Jun 2020 09:00 #8537 by support
OK - you may have different issues with different certificates.

I have checked what conditions are there when checking the application certificate - we will extend the documentation so that this is clearer in the future. Here is what the documentation will say:

If the application instance certificate is found in the appropriate certificate store, QuickOPC checks the certificate. If any checks fails, QuickOPC create a new certificate and replaces the certificate in the store.
1.The certificate must be valid.
2.The size of the certificate's public key must be at least the minimum size. Currently, QuickOPC uses zero as minimum size, therefore all certificates pass this check.
3.If the application type includes a Server, the certificate's domains are checked against the server configuration. QuickOPC applications are normally client-only (unless you specify otherwise), and therefore this check always passes in the default QuickOPC configuration.
4.The application URI must be specified (non-empty) in the certificate. The application URI is an URI from the certificate extension with OID 2.5.29.7 (subjectAltName) or 2.5.29.17 (Subject Alternative Name).

So yes, please always put the "Subject alternative name" into your certificate - without it it won't work.

But, this recent trace you posted fails on the certificate even before that. The error is "Invalid provider type specified." and it is an exception generated when the code tries to access the PrivateKey property of X509Certificate2 in .NET. We might be facing some .NET Framework limitation here.

Can you make a small program in .NET Framework and see if it can, with no OPC UA involved, access the Private Key of your certificate?
Or, can you send the certificate to us? - for security, it can be via email - or with a private key different from what you normally use - or both.
You started this thread with a requirement to use a different signature algorithm - so I suppose that is what you have used, a "different" one - likely, this is related to the issue - which algorithm is it then?

(Side note: The private key wouldn't be accessed at this place if Windows certificate store was used).

Thank you
Last edit: 09 Jun 2020 09:00 by support.

Please Log in or Create an account to join the conversation.

More
01 Jun 2020 12:06 #8535 by KrisSik
Unfortunately, the certificate which I used while recording previous traces, doesn't have that extension, but another one has (so I recorded the traces again, please find that in the attachments).

The "Subject alternative name" (which has OID 2.5.39.17) of that certificate contains value like this:
URL=CompanyName-PC13:OpcUaTool
DNS Name=CompanyName-PC13
Attachments:

Please Log in or Create an account to join the conversation.

More
01 Jun 2020 11:29 #8534 by support
Thank you.

A question: What do you put (if anything) as Application URI into your certificate? It should be in extension with OID 2.5.29.7 or 2.5.29.17 .

Thank you

Please Log in or Create an account to join the conversation.

More
01 Jun 2020 10:32 #8533 by KrisSik
Yes, you are right, I missed that. Sorry for that.
Here is the new traces file.
Attachments:

Please Log in or Create an account to join the conversation.

More
01 Jun 2020 10:18 #8532 by support
Unfortunately you missed the parts that I wanted. Check the Web page again, and make sure you have this as well:
   <configSections>
     <section
       name="OpcLabs.EasyOpc.UA.Toolkit.SdkTrace"
       type="OpcLabs.EasyOpc.UA.Toolkit.SdkTraceSection,OpcLabs.EasyOpcUA" />
   </configSections>
   <OpcLabs.EasyOpc.UA.Toolkit.SdkTrace traceOutput="3" >
   </OpcLabs.EasyOpc.UA.Toolkit.SdkTrace>

Optionally, to reduce the info that is not necessary, please remove this line:
<add name="OpcLabs.Reflection.AssemblyLoading" value="1" />
Thank you

Please Log in or Create an account to join the conversation.

Moderators: support
Time to create page: 0.063 seconds