.NET Based OPC UA Client/Server SDK  3.3.3.537
Certificate Validation

Overview

Security in OPC UA requires the use of X509 certificates which require validation whenever a client connects to a server. The ApplicationInstance object places the object that validates these certificates in the CertificateValidator property. Applications can handle validation errors by processing the CertificateValidation event raised by this object. There are additional checks done by the Session object which can be handled by processing UntrustedCertificate event on the ApplicationInstance object.

Client Certificate Validation Process

The certificate validation in the client process is shown in the diagram below:

l3baselibcertvalidationclientcertvalidationprocess.png

The FindIssuer action starts if the certificate being validated was issued by a CA. This action repeats if the CA certificate was issued by another CA until the entire trust chain is collected. When searching for CA certificates the validator starts in the trust list for the application and then checks the issuers list. If an issuer cannot be found, the certificate is rejected.

The CheckSignatures action starts once the validator has the entire trust chain. The signature on each certificate in the chain is checked and if there are any errors, the certificate is rejected.

The CheckExpiryTime action checks that the certificate is within its validity period. If it fails, an error is raised that can be overridden by the application.

The CheckUse action checks that the certificate is allowed to be used as an application certificate. If it fails, an error is raised that can be overridden by the application.

The CheckTrustList action checks that the certificate or one of its issuers is in the trust list for the application. If it fails, an error is raised that can be overridden by the application.

The CertificateValidationError action raises an event (CertificateValidation on the CertificateValidator object) that allows the application to ignore errors with expiry time, certificate usage or trust status. If rejected, the certificate is saved in the rejected certificate store.

The CheckApplicationUri action checks that the certificate has an application URI which matches the Server being used to connect to it. If it fails, an error is raised that can be overridden by the application.

The CheckDomains action checks that endpoint URL has a domain that appears in the certificate. If it fails, an error is raised that can be overridden by the application.

The UntrustedCertificate action raises an event (UntrustedCertificate on the ApplicationInstance object) that allows the application to ignore errors with the application URI or domains.