UA Bundle SDK .NET  2.2.2.260
Certificate Validation

Overview

Security in OPC UA requires the use of X509 certificates, which must be validated whenever a client connects to a server. The ApplicationInstance object places the object that validates these certificates in the CertificateValidator property. Applications can handle validation errors by processing the CertificateValidation event raised by this object. The Session object performs additional checks, which can be handled by processing the SessionValidationError event on the Session object.

Managing Certificates

Certificates are blobs of data which can be stored on disk or in a Windows certificate store. Each certificate has a public key and a private key. The private key must be protected and is only accessible to the owner of the certificate. The public key can be distributed to anyone. The public key and private key are stored in separate files for this reason.

A certificate and public key are usually stored in a DER format which uses the *.der or *.cer extension.

The private key is usually stored in a PKCS#12 format (*.pfx or *.p12 extension) or a PEM format (*.pem extension). If a certificate is placed in a Windows certificate store, the private key is placed in a file managed by Windows.

A more detailed explanation of certificate management can be found here.

Client Certificate Validation Process

The certificate validation in the client process is shown in the diagram below:

The FindIssuer action starts if the certificate being validated was issued by a CA. This action repeats if the CA certificate was issued by another CA until the entire trust chain is collected. When searching for CA certificates the validator starts in the trust list for the application and then checks the issuers list. If an issuer cannot be found, the certificate is rejected.

The CheckSignatures action starts once the validator has the entire trust chain. The signature on each certificate in the chain is checked and if there are any errors, the certificate is rejected.

The CheckExpiryTime action checks that the certificate is within its validity period. If it fails, an error is raised that can be overridden by the application.

The CheckUse action checks that the certificate is allowed to be used as an application certificate. If it fails, an error is raised that can be overridden by the application.

The CheckTrustList action checks that the certificate or one of its issuers is in the trust list for the application. If it fails, an error is raised that can be overridden by the application.

The CertificateValidationError action raises an event (CertificateValidation on the CertificateValidator object) that allows the application to ignore errors with expiry time, certificate usage or trust status. If rejected, the certificate is saved in the rejected certificate store.

The CheckApplicationUri action checks that the certificate has an application URI which matches the Server that the client is connecting to. If it fails, an error is raised that can be overridden by the application.

The CheckDomains action checks that the endpoint URL has a domain that appears in the certificate. If it fails, an error is raised that can be overridden by the application.

The SessionValidationError action raises an event (SessionValidationError on the Session object) that allows the application to ignore errors with the application URI or domains.
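The following is an added example, not SDK code: a simplified Python model of the action sequence above, showing which failures reject the certificate outright and which reach the two event handlers. Cert, validate, REJECTED, accept_all and all sample values are constructed for illustration; signature and usage checks are boolean stand-ins.

```python
from dataclasses import dataclass
from datetime import datetime

@dataclass(frozen=True)
class Cert:                      # constructed stand-in for an X509 certificate
    subject: str
    issuer: str                  # equals subject when self-signed
    not_before: datetime
    not_after: datetime
    app_uri: str
    domains: tuple
    sig_ok: bool = True          # stands in for signature verification
    app_use: bool = True         # stands in for the application-certificate usage check

REJECTED = []                    # models the rejected certificate store

def validate(cert, trusted, issuers, server_uri, host, now, on_cert=None, on_session=None):
    """Return (accepted, failed_action); a handler returns True to ignore an error."""
    chain, cur = [cert], cert
    while cur.issuer != cur.subject:        # FindIssuer: trust list, then issuers list
        cur = trusted.get(cur.issuer) or issuers.get(cur.issuer)
        if cur is None or cur in chain:
            return False, "FindIssuer"      # hard failure, no event raised
        chain.append(cur)
    if not all(c.sig_ok for c in chain):
        return False, "CheckSignatures"     # hard failure, no event raised
    cert_checks = [("CheckExpiryTime", cert.not_before <= now <= cert.not_after),
                   ("CheckUse", cert.app_use),
                   ("CheckTrustList", any(trusted.get(c.subject) == c for c in chain))]
    for name, ok in cert_checks:            # CertificateValidation event
        if not ok and not (on_cert and on_cert(cert, name)):
            REJECTED.append(cert)           # saved when the application does not override
            return False, name
    session_checks = [("CheckApplicationUri", cert.app_uri == server_uri),
                      ("CheckDomains", host in cert.domains)]
    for name, ok in session_checks:         # SessionValidationError event
        if not ok and not (on_session and on_session(cert, name)):
            return False, name
    return True, None

# Constructed sample data: a CA present only in the issuers list, and a server certificate it issued.
NOW, T0 = datetime(2024, 1, 1), datetime(2020, 1, 1)
CA = Cert("CN=DemoCA", "CN=DemoCA", T0, datetime(2030, 1, 1), "", ())
SRV = Cert("CN=DemoServer", "CN=DemoCA", T0, datetime(2025, 1, 1), "urn:demo:server", ("plc1.example",))
ARGS = dict(trusted={}, issuers={"CN=DemoCA": CA}, server_uri="urn:demo:server", host="plc1.example", now=NOW)

def accept_all(cert, error):     # blanket override: the pattern to avoid in production
    return True
```

With the CA only in the issuers list, `validate(SRV, **ARGS)` fails at CheckTrustList, while passing `on_cert=accept_all` accepts the same untrusted certificate. A handler that returns True unconditionally therefore removes the trust decision entirely; only the FindIssuer and CheckSignatures failures remain enforced.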