Certificate's signature algorithm
Thank you for the explanation.
I tried 2 ways to generate the certificate, but both of them failed. And now I know the reason for each.
I was trying to implement my own code for creating a certificate (without using the Bouncy Castle lib), but as I can see now it has a .NET Framework issue, which takes too much time to solve.
I was trying to use the OPC UA Configuration tool to generate a certificate, but that also fails, as this tool generates a certificate with an incorrect signature algorithm, which can't be changed. By the way, this tool comes with the QuickOpc Launcher, which is strange as its certificates are not accepted by QuickOpc's certificate validation.
But yes, actually I can use Opc.Ua.CertificateGenerator.exe, and I will probably do that.
Best regards,
Kristian
I am kind of lost as to what you are trying to achieve. Can you please "start over" and explain that?
Why can't you use the mechanism built into QuickOPC to generate the application certificate?
And, if you want to use your own application certificate, have you attempted to use the Opc.Ua.CertificateGenerator.exe utility (installed alongside the Opc.Ua.ConfigurationTool.exe)?
Best regards
But in general, in my own words and understanding, the application URI in OPC UA is important so that your program knows which other party (server or client) it is communicating with. It is a logical identification of the application on the other side, which does not change over time. Other pieces of information, such as the endpoint URL, or the other party's application certificate, cannot fulfill that role, because they can change over time as the system gets physically updated or reconfigured. But the application URI is meant to stay. It can be used, among other things, to distinguish the role(s) the other application is in, and therefore the operations it has permissions to perform.
I do not quite understand the part of your question about "OPC UA Configuration tool". I am actually not aware of a way to use it to generate new certificates for QuickOPC; if what you are referring to is the "Create Application Certificate" on the "Manage Application" tab, then this is meant for applications that actually use a particular application configuration model based on XML configuration files - which QuickOPC does *not* use.
Best regards
You are right, I tried to read the PrivateKey property and it looks like it's impossible. I used the certutil tool, and found out it has a different provider type, which is not supported by the .NET Framework.
And regarding the algorithm, I asked that because the OPC UA Configuration tool generates a certificate with the sha1RSA signature algorithm.
Best regards,
Kristian Sik
Thank you for the description. I can't understand what the rationale for specifying the application URI is, could you please explain?
I was also trying to generate a certificate using the OPC UA Configuration tool (which comes with the QuickOpc Launcher), but that certificate is also being replaced. Is there a way to generate a valid certificate using this tool?
Thanks in advance.
Best regards,
Kristian
I have checked what conditions are there when checking the application certificate - we will extend the documentation so that this is clearer in the future. Here is what the documentation will say:
If the application instance certificate is found in the appropriate certificate store, QuickOPC checks the certificate. If any check fails, QuickOPC creates a new certificate and replaces the certificate in the store.
1. The certificate must be valid.
2. The size of the certificate's public key must be at least the minimum size. Currently, QuickOPC uses zero as the minimum size, therefore all certificates pass this check.
3. If the application type includes a Server, the certificate's domains are checked against the server configuration. QuickOPC applications are normally client-only (unless you specify otherwise), and therefore this check always passes in the default QuickOPC configuration.
4. The application URI must be specified (non-empty) in the certificate. The application URI is a URI from the certificate extension with OID 2.5.29.7 (subjectAltName) or 2.5.29.17 (Subject Alternative Name).
So yes, please always put the "Subject alternative name" into your certificate - without it, it won't work.
But, this recent trace you posted fails on the certificate even before that. The error is "Invalid provider type specified." and it is an exception generated when the code tries to access the PrivateKey property of X509Certificate2 in .NET. We might be facing some .NET Framework limitation here.
Can you make a small program in .NET Framework and see if it can, with no OPC UA involved, access the Private Key of your certificate?
Or, can you send the certificate to us? - for security, it can be via email - or with a private key different from what you normally use - or both.
You started this thread with a requirement to use a different signature algorithm - so I suppose that is what you have used, a "different" one - likely, this is related to the issue - which algorithm is it then?
(Side note: The private key wouldn't be accessed at this place if the Windows certificate store was used).
Thank you
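As an added illustration (not QuickOPC's code and not anything posted in this thread), here is a small .NET Framework console program that runs the four checks listed above against a certificate taken from the CurrentUser\My store and then shows the PrivateKey symptom. It assumes Windows (the "DNS Name=" / "URL=" text layout comes from the Windows extension formatter) and .NET Framework 4.6 or later for GetRSAPrivateKey(); the class and method names are mine.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
static class AppCertificateCheck
{
    // The four checks from the post; minKeyBits = 0 and isServer = false match the default QuickOPC
    // configuration described there (assumed reconstruction, not QuickOPC's own code).
    public static IList<string> FindFailures(X509Certificate2 cert, int minKeyBits, bool isServer, string[] serverDomains)
    {
        var failures = new List<string>();
        DateTime now = DateTime.Now;
        if (now < cert.NotBefore || now > cert.NotAfter) failures.Add("1: certificate is outside its validity period");
        int keyBits = cert.GetRSAPublicKey()?.KeySize ?? 0;   // OPC UA application certificates carry RSA keys
        if (keyBits < minKeyBits) failures.Add($"2: public key is {keyBits} bits, minimum is {minKeyBits}");
        // Subject Alternative Name (2.5.29.17, or legacy 2.5.29.7). On Windows, Format(true) yields lines such as
        // "DNS Name=host" and "URL=urn:host:app", the same layout Kristian quoted in this thread.
        var san = cert.Extensions.Cast<X509Extension>().FirstOrDefault(e => e.Oid.Value == "2.5.29.17" || e.Oid.Value == "2.5.29.7");
        string[] entries = san == null ? new string[0] : san.Format(true).Split(new[] { "\r\n", "\n" }, StringSplitOptions.RemoveEmptyEntries);
        var dnsNames = entries.Where(l => l.StartsWith("DNS Name=")).Select(l => l.Substring(9).Trim()).ToArray();
        var uris = entries.Where(l => l.StartsWith("URL=")).Select(l => l.Substring(4).Trim()).ToArray();
        if (isServer && !serverDomains.Any(d => dnsNames.Contains(d, StringComparer.OrdinalIgnoreCase)))
            failures.Add("3: no configured server domain appears as a DNS Name in the certificate");
        if (!uris.Any(u => u.Length > 0)) failures.Add("4: no application URI (URL entry) in the Subject Alternative Name");
        return failures;
    }

    // X509Certificate2.PrivateKey only understands legacy CSP-backed keys; for a CNG/KSP key it throws
    // "Invalid provider type specified." GetRSAPrivateKey() (.NET Framework 4.6 and later) handles both kinds.
    public static string DescribePrivateKeyAccess(X509Certificate2 cert)
    {
        if (!cert.HasPrivateKey) return "no private key is associated with this certificate";
        try { return "PrivateKey property works: " + cert.PrivateKey.GetType().Name; }
        catch (CryptographicException ex)
        {
            using (RSA rsa = cert.GetRSAPrivateKey())
                return $"PrivateKey failed ({ex.Message}); GetRSAPrivateKey() " + (rsa == null ? "returned null" : "works: " + rsa.GetType().Name);
        }
    }

    static void Main(string[] args)   // usage: AppCertificateCheck <thumbprint of a certificate in CurrentUser\My>
    {
        var store = new X509Store(StoreName.My, StoreLocation.CurrentUser);
        store.Open(OpenFlags.ReadOnly);
        var cert = store.Certificates.Find(X509FindType.FindByThumbprint, args[0], false)[0];
        foreach (string f in FindFailures(cert, 0, false, new string[0])) Console.WriteLine("FAIL " + f);
        Console.WriteLine(DescribePrivateKeyAccess(cert));
    }
}
```

A certificate generated with a key in the Microsoft Software Key Storage Provider (as certutil reports it) will fail the PrivateKey access but pass GetRSAPrivateKey(), which is the situation described in this thread.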
The "Subject alternative name" (which has OID 2.5.39.17) of that certificate contains a value like this:
URL=CompanyName-PC13:OpcUaTool
DNS Name=CompanyName-PC13
A question: What do you put (if anything) as the Application URI into your certificate? It should be in the extension with OID 2.5.29.7 or 2.5.29.17.
Thank you
Here is the new traces file.
<configSections>
<section
name="OpcLabs.EasyOpc.UA.Toolkit.SdkTrace"
type="OpcLabs.EasyOpc.UA.Toolkit.SdkTraceSection,OpcLabs.EasyOpcUA" />
</configSections>
<OpcLabs.EasyOpc.UA.Toolkit.SdkTrace traceOutput="3" >
</OpcLabs.EasyOpc.UA.Toolkit.SdkTrace>
Optionally, to reduce the info that is not necessary, please remove this line:
<add name="OpcLabs.Reflection.AssemblyLoading" value="1" />