UA uses X.509 certificates to authenticate client and server application domains. See UA Security for details.
UA clients must create a certificate, and the server must know this certificate as a trusted certificate.
The client must know the server certificate as a trusted certificate before a connection to the server can be established.
OpcDA.NET-UA manages certificates in the Windows Certificate Store.
The UAClientConfigHelper utility creates and exports client certificates and imports server certificates.
UA applications from different vendors may use different certificate stores, so certificates may have to be exchanged even if server and client run on the same machine.
Certificates should be created with at least SHA256. SHA1 doesn't provide acceptable security.
Accepting untrusted server certificates can be handled either
- by importing the server certificate with the UaClientConfigHelper utility, or
- in the OpcDA.NET-UA based client code,
if the application defines a handler in the static OpcServer.OnNotifyUntrustedCertificate property.
Sample (the handler method is named OnSessionNotifyUntrustedCertificate in both places so that it does not collide with the OnNotifyUntrustedCertificate delegate type; MessageBox and DialogResult need System.Windows.Forms):

    using System.Windows.Forms;

    // ... in the client initialization code, after the OpcServer instance is created:
    OpcServer.NotifyUntrustedCertificate += new OnNotifyUntrustedCertificate(OnSessionNotifyUntrustedCertificate);
    // ...
    }

    //--------- is called when the UA server certificate is untrusted
    private int OnSessionNotifyUntrustedCertificate(string certificateSubjectName)
    {
        DialogResult dr = MessageBox.Show(
            "The server certificate '" + certificateSubjectName + "' is not trusted. Do you want to accept it? "
            + "Click CANCEL to accept it for this session. Click YES to accept it permanently.",
            "UA Server Access", MessageBoxButtons.YesNoCancel);
        if (dr == DialogResult.Yes)
            return 1;   // accept permanently (the certificate is written to the trusted store)
        if (dr == DialogResult.Cancel)
            return 0;   // accept for this session only
        return -1;      // reject (DialogResult.No)
    }
Important: In most cases the application must run under an Administrator user account to have permission to write to the certificate store.
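A client that runs without a desktop (a Windows service, for example) cannot show a MessageBox. The following handler, added here as an example and not taken from the OpcDA.NET-UA documentation or library, applies a fixed policy instead. It assumes the static OpcServer.NotifyUntrustedCertificate event, the OnNotifyUntrustedCertificate delegate and the 1/0/-1 return codes of the sample above; the allowed subject name and the Log helper are constructed placeholders.

```csharp
using System;
using System.Collections.Generic;

// Non-interactive trust decision for untrusted UA server certificates (added example).
public static class HeadlessCertificatePolicy
{
    // Subject names of the UA servers this client may talk to. In a deployment these
    // would come from a configuration file maintained by an administrator.
    private static readonly HashSet<string> AllowedServerSubjects =
        new HashSet<string>(StringComparer.Ordinal)
        {
            "CN=UaSampleServer, O=ExampleCorp, DC=plc01.example.local"  // constructed sample value
        };

    public static void Register()
    {
        // Event and delegate type as used in the documentation sample (assumed to exist).
        OpcServer.NotifyUntrustedCertificate +=
            new OnNotifyUntrustedCertificate(OnUntrustedServerCertificate);
    }

    // Never returns 1: writing the trusted store stays an explicit administrative step
    // (UaClientConfigHelper), so a misconfigured or rogue server cannot become
    // permanently trusted through this code path.
    public static int OnUntrustedServerCertificate(string certificateSubjectName)
    {
        if (string.IsNullOrWhiteSpace(certificateSubjectName))
        {
            Log("Rejected server certificate with empty subject");
            return -1;  // reject
        }

        // Exact match only: a subject that merely contains the expected CN (for example a
        // certificate copied from another machine, so with a different DC) stays untrusted.
        if (AllowedServerSubjects.Contains(certificateSubjectName))
        {
            Log("Accepted server certificate for this session only: " + certificateSubjectName);
            return 0;   // accept for this session
        }

        Log("Rejected untrusted server certificate: " + certificateSubjectName);
        return -1;      // reject
    }

    private static void Log(string message)
    {
        // Placeholder; replace with the application's logging.
        Console.WriteLine(DateTime.UtcNow.ToString("o") + " " + message);
    }
}
```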
Accepting a server certificate with an invalid host name
Certificates are issued for a domain (the machine name in a LAN) and are used to certify that responses from the server actually come from the domain of the accessed UA server.
Some server installations copy a certificate instead of issuing a new certificate for the domain. This causes secure connections to fail with the error BadCertificateHostNameInvalid.
Some UA applications ignore this error and accept certificates issued for another domain, even though this nullifies the main purpose of using certificates.
OpcDA.NET-UA by default fails secure connections to a server whose certificate was issued for another domain. To access such servers anyway (with reduced security) the check can be disabled by setting the OpcServer class property
CertificateDomainMustMatch = false;
after the OpcServer class instance is created.
Server accepting the client certificate
If the UA server is on another machine or uses a different certificate store than OpcDA.NET-UA, then the certificate created for the client application is not known/trusted by the server.
The procedure to accept the client certificate as a trusted certificate depends on the server. If the server has a user interface then there may be a dialog to accept the certificate. Otherwise the server documentation should explain the procedure.
Some servers store untrusted certificates in an 'untrusted' certificate store, which may be a directory. The operator can then move the certificate to the 'trusted' certificate store to declare it as trusted.