Loading Certificate Properly using self made client
- application authentication
- user authentication
Study the related OPC UA specifications if you want to learn more. In general, the idea is that one application can be used by multiple users. So for security reasons, one needs to verify that 1) it is communicating with the right application, and not some spoofed one, AND 2) the user that is controlling the application is the right user.
You now have the application authenticated. But not the user.
You can either:
A ) Enable anonymous user in KEPServerEX: in KEPServerEX 6 Configuration, do Edit -> Properties. Then, under OPC UA, set "Allow anonymous login" to yes.
B ) Make use of user authentication. For this you will need to configure the user(s) in KEPServerEX, and then set the username/password in the UAEndpointDescriptor: use the .WithUserNameIdentity extension method.
I hope this helps
Best regards
Also I tried this as well with my own cert store and I zipped that here along with the default with my changes.
The reason for all the questions is we are required to have a specific configuration on the server and I am trying to investigate all possible authentication routes so thank you for the help.
You are making it much more complex than it needs to be.
Just do this:
1. Remove the line where you set your own store path.
2. Remove the .WithX509CertificateIdentity call.
3. Under your project's output directory (OPCEncryptionTesting\OPCEncryptionTesting\bin\Debug\net8.0), copy the rejected server certificate "+KEPServerEX+UA Server+ [F690068F8490EC7AF468C83373149FF45147B5D3].der" from "OPC Foundation\CertificateStores\RejectedCertificates\certs" to "OPC Foundation\CertificateStores\UA Applications\certs".
And you are done.
It is true that the same can be made to work when you specify your own certificate store path (without Step 1). But since that points to a directory whose contents you have not provided zipped, I could not diagnose it.
Also, pressing 'P' to trust the certificate permanently should have the same effect as copying.
WithX509CertificateIdentity deals with *user* authentication, not *application* authentication, and is thus a different beast, for a different purpose altogether, so you should not bring this in here. In addition, I think that KepServerEx does not support user authentication through certificates, it uses username/password.
Best regards
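The copy in step 3 of the reply above, as an added example that is not part of the original thread and is not OPC Labs code: it moves a certificate from the rejected store to the trusted store only when its SHA-1 thumbprint (the bracketed value in the store's file names) matches one confirmed on the server itself. The temporary directory, file names and sample bytes are constructed, and the class and method names are hypothetical.

```csharp
// Added example; uses only the .NET base class library (targets net8.0).
using System;
using System.IO;
using System.Security.Cryptography;

static class TrustPromotion
{
    // SHA-1 over the raw DER bytes: the certificate thumbprint that appears
    // in brackets in the certificate store's file names.
    public static string Thumbprint(string derPath) =>
        Convert.ToHexString(SHA1.HashData(File.ReadAllBytes(derPath)));

    // Copies a rejected certificate into the trusted store only when its
    // thumbprint equals the value confirmed out of band on the server.
    public static bool Promote(string rejectedDir, string trustedDir, string expectedThumbprint)
    {
        string expected = expectedThumbprint.Replace(" ", "").ToUpperInvariant();
        foreach (string path in Directory.EnumerateFiles(rejectedDir, "*.der"))
        {
            if (Thumbprint(path) != expected) continue;
            Directory.CreateDirectory(trustedDir);
            File.Copy(path, Path.Combine(trustedDir, Path.GetFileName(path)), overwrite: true);
            return true;
        }
        return false; // nothing matched: the trusted store is left untouched
    }

    static void Main()
    {
        // Constructed stand-in for the store layout under the output directory.
        string root = Path.Combine(Path.GetTempPath(), "ua-store-demo-" + Guid.NewGuid().ToString("N"));
        string rejected = Path.Combine(root, "RejectedCertificates", "certs");
        string trusted = Path.Combine(root, "UA Applications", "certs");
        Directory.CreateDirectory(rejected);

        // Constructed bytes standing in for DER files (not real certificates).
        File.WriteAllBytes(Path.Combine(rejected, "server.der"), new byte[] { 0x30, 0x82, 0x01, 0x0A });
        File.WriteAllBytes(Path.Combine(rejected, "other.der"), new byte[] { 0x30, 0x82, 0x02, 0x0B });

        // Stands in for the thumbprint read from the server's own configuration.
        string confirmed = Thumbprint(Path.Combine(rejected, "server.der"));
        Console.WriteLine($"matching thumbprint promoted: {Promote(rejected, trusted, confirmed)}");
        Console.WriteLine($"files now trusted: {Directory.GetFiles(trusted).Length}");
        Console.WriteLine($"unknown thumbprint promoted: {Promote(rejected, trusted, new string('0', 40))}");
        Directory.Delete(root, recursive: true);
    }
}
```

The comparison matters because anything that answered on the endpoint URL can leave a certificate in the rejected store; copying a file from there without checking its thumbprint trusts whichever application presented it.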
I have several questions on how certain parts of the OPC Labs library work. First is the loading of a client's certificate to present to a Kepware server. I thought previously that you only had to place a copy of the Kepware's server certificate in the client's trusted store/file path, which I have, but I still fail authentication.
I have listed a picture of the error below. I also have labeled it as a trusted client and set the Kepware server to not allow anonymous connections. It seems to me it never properly loads the certificate, or am I mistaken? Instead I tried authentication using X509 certificate identity like this:
var attribute = client.Read(endpointDescriptor.WithX509CertificateIdentity("C:\\TestingMyOwnCertStore\\certs\\f690068f8490ec7af468c83373149ff45147b5d3.der", string.Empty), "nsu=KEPServerEX ;ns=2;s=Channel1.Device1.Tag1");
and this does not work either. I have attached my program below. Is there some kind of configuration I am missing? Is it possible to do it both ways, one manually moving the certificate into the store file path or loading it via X509 method calls? If so, can you explain both to me?