Professional OPC
Development Tools

logos

Online Forums

Technical support is provided through Support Forums below. Anybody can view them; you need to Register/Login to our site (see links in upper right corner) in order to Post questions. You do not have to be a licensed user of our product.

Please read Rules for forum posts before reporting your issue or asking a question. OPC Labs team is actively monitoring the forums, and replies as soon as possible. Various technical information can also be found in our Knowledge Base. For your convenience, we have also assembled a Frequently Asked Questions page.

Do not use the Contact page for technical issues.

OPC UA Certificate trust - Status Code: {BadCertificateUntrusted} = 0x801A0000

More
09 Oct 2021 15:14 #10261 by support
I see.

I also do not know why it can happen (that the certificate copy does not appear in the trusted peers store). I cannot reproduce it here. If you had a virtual machine that has this problem, or a reproducible to get to that state (something installing specific Windows version with specific configuration etc.), I would be more than happy to find the cause, but without a repro, it is hard to tell.

I can imagine that permissions might be the cause, as you have suggested. But it can also be something else.

Best regards

Please Log in or Create an account to join the conversation.

More
08 Oct 2021 16:27 #10260 by Restrepo
Thank you for your answer. So let me clarify a bit more. The problem is that the customer is encountering has been resolved by following your guidance in this post:

www.opclabs.com/forum/quickopc-ua18/2243-impossible-to-conne...op-server-in-same-network#9032

Now, you stated "When an application based on OPC Data Client auto-generates its application certificate, it places it into both stores. This allows other applications based on UA .NET Framework SDK residing on the same machine immediately trust it." - but I do not believe that is the case in some "random" cases. Is this due to permissions? I am not sure.

In this case, the customer had to follow our instructions based on the blog post above because the certificate was not stored in both paths. Basically, the certificate was never stored in the "UA Applications" path but it was in the MachineDefault path. I am trying to understand why this is happening in some systems, but in other systems, we can find the cert stored in both paths.

Please Log in or Create an account to join the conversation.

More
07 Oct 2021 07:59 #10259 by support
Hello.

The "MachineDefault" is the application certificate store - it is where the applications based on UA .NET Framework SDK store their *own* certificates, including their private keys.

The "UA Applications" is the trusted peers certificate store - this is where the applications based on UA .NET Framework SDK look when they validate the certificate received from the other party (client or server). There are no private keys in this store.

When an application based on OPC Data Client auto-generates its application certificate, it places it into both stores. This allows other applications based on UA .NET Framework SDK residing on the same machine immediately trust it.

More information:
- opclabs.doc-that.com/files/onlinedocs/QuickOpc/Latest/User%2...%20Instance%20Certificate.html
- opclabs.doc-that.com/files/onlinedocs/QuickOpc/Latest/User%2...%20Instance%20Certificate.html
- opclabs.doc-that.com/files/onlinedocs/QuickOpc/Latest/User%2...html#Certificate%20Stores.html

The example you pointed to serves a different purpose from what you stated. Its purpose is to show how to use the (presumably more secure) Windows "native" certificate stores - as opposed to a directory-based store which is the default.

Regarding the actual error you customer is seeing, if you need help with that, I have some questions:
- Which product version?
- How have you come to conclusion that "the OPC UA Client's certificate being in the correct Certificate Store on the machine"?
- Is there a StackTrace in the exception object? Can you provide it? Is there an InnerException? Can you provide it? etc.
- Please hook a handler to the static EasyUAClient.LogEntry event, and capture all event texts produced.

Best regards

Please Log in or Create an account to join the conversation.

More
06 Oct 2021 12:48 #10258 by Restrepo
Hello Z,

Currently, I am working with a customer who encountered the error:

OPC-UA service result - Self Signed Certificate is not trusted.
IssuerName: CN=EasyOPC-UA Demo, DC=kubernetes.docker.internal = BadCertificateUntrusted.
---- SERVICE RESULT ----
Status Code: {BadCertificateUntrusted} = 0x801A0000 (2149187584)
-=-=-Description: Self Signed Certificate is not trusted.
IssuerName: CN=EasyOPC-UA Demo, DC=kubernetes.docker.internal
Additional Info: <ExceptionTrace>

Now, we know that the issue is that this is not an issue with the OPC UA Client trusting the OPC UA Server certificate, but rather the OPC UA Client's certificate being in the correct Certificate Store on the machine. We also know that the code used in the OPC Data Client from the OPC Foundation requires the Client application certificate to be present in the Trusted Peers Certificate Store, which in this case is %CommonApplicationData%\OPC Foundation\CertificateStores\UA Applications.

Now, I am curious, and I was hoping you can provide me with an answer or perhaps point me on the right path - Do you know what determines where that certificate is executed by default? In other words, do you know why in some machines the certificate is in the "MachineDefault" path, and on other machines, it is in the "UA Applications" path?

Now, to remedy this, should I be able to just use this exampleexample to always force the certificate to be executed in UA Application path?

Thank you in advance.

Please Log in or Create an account to join the conversation.

Moderators: support
Time to create page: 0.047 seconds