I'm using the Softing C++ UA Toolkit v5.57 to create a OPC UA client to connect to a OPC UA server. As connecting to the server requires SSL encryption (Security mode SignAndEncrypt, Security policy Basic256Sha256) I've created my own self-signed certificates using OpenSSL.
This setup worked fine until a recent update to the OPC UA server which (at the minimum) changed the way its certificates are generated. I've already re-added my self-signed certificate to the Servers trusted certificate store, as well adding the server's new certificate to my client's trusted certificate store. I can successfully connect to the server using 3rd party OPC UA clients.
However no matter what I try, I get the BadCertificateUseNotAllowed error, when trying to connect my application (which worked before) to the server - turning the trace up to maximum I can see that I successfully get the endpoints, but when changing to USAGE_SESSION I run into BadCertificateUseNotAllowed. Removing the server's certificate from my client's trusted store yields the expected "certificate untrusted" error, re-adding it returns to the "use not allowed" error.
Looking at the error description, I could only learn that... some kind of usage was not permitted for the certificate? I have already double-checked that e.g. keyEncipherment, dataEncipherment are enabled in both certificates.
One thing I saw as a notable change is that the old certificate of the OPC UA server had it as Subject Type=CA, while the new one downgraded it to Subject Type=End Entity - but as I do not use the Server's certificate as a CA it should not have any impact here, I think.
The Error Log is as follows:
Info Application::initialize(...)
Info Application::loadCertificate(...)
Info Application::loadPrivateKey(...)
Info Application::activateLicense(...)
Info Application::start(...)
Info FoundationStack::loadCertificate
Info Certificate loaded: 'C:/CERTIF~1/CERT_C~1.DER'
Info FoundationStack::loadPrivateKey
Info Application::getEndpointsFromServer(...)
Info Client session: 05483FF0 constructor
Info Secure channel: 00842FD8(00000000) constructor
Info Secure channel: 00842FD8(00000000) registered
Info Secure channel: 00842FD8(00000000) add Session (05483FF0) to opc.tcp://192.168.100.100:4842/ [0]
Info Secure channel: 00842FD8(0540B838) opening sync
Debug Connection info url: opc.tcp://192.168.100.100:4842/
Debug Connection info securityPolicy: http://opcfoundation.org/UA/SecurityPolicy#None
Debug Connection info client certificate length: 1386
Debug Connection info client key length: 1191
Debug Connection info server certificate length: -1
Debug Connection info message security mode: 1
Info Endpoint idx : 0
Info EndpointUrl : 'opc.tcp://MO-CM-6:4842'
Info SecurityPolicyUri : 'http://opcfoundation.org/UA/SecurityPolicy#Basic256Sha256'
Info SecurityMode : 2
Info TransportProfileUri : 'http://opcfoundation.org/UA-Profile/Transport/uatcp-uasc-uabinary'
Info Certificate length : 917
Info Server.ServerName : 'Application 1'
Info Server.ServerUri : 'urn:OPC-UA:Application 1'
Info Server.ProductUri : 'urn:OPC-UA:Server'
Info Server.GatewayServerUri : ' -- null char* string -- '
Info Server.DiscoveryProfileUri : ' -- null char* string -- '
Info UserIdentity token policy id : open62541-certificate-policy-sign#Basic256Sha256
Info UserIdentity token policy id : open62541-username-policy-sign#Basic256Sha256
Info Endpoint idx : 1
Info EndpointUrl : 'opc.tcp://MO-CM-6:4842'
Info SecurityPolicyUri : 'http://opcfoundation.org/UA/SecurityPolicy#Basic256Sha256'
Info SecurityMode : 3
Info TransportProfileUri : 'http://opcfoundation.org/UA-Profile/Transport/uatcp-uasc-uabinary'
Info Certificate length : 917
Info Server.ServerName : 'Application 1'
Info Server.ServerUri : 'urn:OPC-UA:Application 1'
Info Server.ProductUri : 'urn:OPC-UA:Server'
Info Server.GatewayServerUri : ' -- null char* string -- '
Info Server.DiscoveryProfileUri : ' -- null char* string -- '
Info UserIdentity token policy id : open62541-certificate-policy-sign+encrypt#Basic256Sha256
Info UserIdentity token policy id : open62541-username-policy-sign+encrypt#Basic256Sha256
Info Secure channel: 00842FD8(0540B838) finally disconnecting sync
Info Secure channel: 00842FD8(0540B838) remove session (05483FF0) to opc.tcp://192.168.100.100:4842/
Info Secure channel: 00842FD8(00000000) unregistered
Info Secure channel: 00842FD8(00000000) destructor
Info Client session: 05483FF0 destructor, secure channel: 00000000
Debug Removed SynchronizeTargetStates action
Info Update reconnect action : object state is Disconnected
Info Client session: 05522F48 constructor
Info Session::setSecurityConfiguration(...)
Info Application::addSession(...)
Info Session::isConnected(...)
Info Session::connect(...)
Info Connecting session (05522F48) reconnect: 0
Info FoundationStack::createCryptoProvider
Info Session (05522F48) doConnectDisconnect State: INIT
Info Asynchronous connect started
Debug Setting channel usage to USAGE_SESSION
Info doConnectDisconnect (session: 05522F48) getting endpoints
Debug Setting channel usage to USAGE_GETENDPOINTS
Info Secure channel: 00842678(00000000) constructor
Info Secure channel: 00842678(00000000) registered
Info Secure channel: 00842678(00000000) add Session (05522F48) to opc.tcp://192.168.100.100:4842/ [0]
Info Secure channel: 00842678(0540B838) opening async
Debug Connection info url: opc.tcp://192.168.100.100:4842/
Debug Connection info securityPolicy: http://opcfoundation.org/UA/SecurityPolicy#None
Debug Connection info client certificate length: 1386
Debug Connection info client key length: 1191
Debug Connection info server certificate length: 917
Debug Connection info message security mode: 1
Info Secure channel: 00842678(0540B838) received stack callback (event 1)
Info Secure channel: 00842678(0540B838) connection changed to connected
Info Session : Connection status changed to: CONNECTED, status = Good
Info Session (05522F48) doConnectDisconnect State: INSECURE_CHANNEL_OPENED
Debug : Number of scheduled work items: 1
Info Secure channel open response: Good
Debug : Number of scheduled work items: 1
Info Session (05522F48) doConnectDisconnect State: GETENDPOINTS_DONE
Info GetEndpoints response: Good
Debug Setting channel usage to USAGE_GETENDPOINTS
Info Secure channel: 00842678(0540B838) closing async for session (05522F48) to opc.tcp://192.168.100.100:4842/
Info Secure channel: 00842678(0540B838) finally disconnecting async
Info Secure channel: 00842678(0540B838) received stack callback (event 2)
Info Secure channel: 00842678(0540B838) connection changed to disconnected
Info Secure channel: 00842678(0540B838) remove session (05522F48) to opc.tcp://192.168.100.100:4842/
Info Secure channel: 00842678(00000000) unregistered
Info Session : Connection status changed to: DISCONNECTED, status = Good
Info postDisconnectEvent Good
Debug : Number of scheduled work items: 1
Info Session (05522F48) onDisconnectEvent Old state: Connecting
Info Secure channel: 00842678(00000000) destructor
Info Session (05522F48) doConnectDisconnect State: INSECURE_CHANNEL_CLOSED
Debug Setting channel usage to USAGE_SESSION
Info Secure channel: 00842BF0(00000000) constructor
Info Secure channel: 00842BF0(00000000) registered
Info Secure channel: 00842BF0(00000000) add Session (05522F48) to opc.tcp://192.168.100.100:4842/ [0]
Info Secure channel: 00842BF0(05408238) opening async
Debug Connection info url: opc.tcp://192.168.100.100:4842/
Debug Connection info securityPolicy: http://opcfoundation.org/UA/SecurityPolicy#Basic256Sha256
Debug Connection info client certificate length: 1386
Debug Connection info client key length: 1191
Debug Connection info server certificate length: 917
Debug Connection info message security mode: 3
Info Update reconnect action : object state is Connecting
Info Secure channel: 00842BF0(05408238) received stack callback (event 1)
Info Secure channel: 00842BF0(05408238) connection changed to connected
Info Session : Connection status changed to: CONNECTED, status = BadCertificateUseNotAllowed
Debug : Number of scheduled work items: 1
Info Session (05522F48) doConnectDisconnect State: SECURE_CHANNEL_OPENED
Info Secure channel open response: BadCertificateUseNotAllowed
Info postDisconnectEvent BadCertificateUseNotAllowed
Debug : Number of scheduled work items: 1
Info (842) Session (05522F48) onDisconnectEvent Old state: Disconnecting
Info Session (05522F48) doConnectDisconnect State: SECURE_CHANNEL_CLOSED
Info Close secure channel response: BadCertificateUseNotAllowed
Info Secure channel: 00842BF0(05408238) remove session (05522F48) to opc.tcp://192.168.100.100:4842/
Info Secure channel: 00842BF0(00000000) unregistered
Info Secure channel: 00842BF0(00000000) destructor
Info Update reconnect action : object state is Disconnected
Debug : Number of scheduled work items: 1
Info Update reconnect action : object state is Disconnected
Info Sending response to agent: BadCertificateUseNotAllowed
Info Connect session done, new state:Disconnected
Info Update reconnect action : object state is Disconnected
Error Error result from API call Session::connect(...) BadCertificateUseNotAllowed
Info Session::isConnected(...)
Info Application::removeSession(...)
Debug Removed SynchronizeTargetStates action
Info Session (05522F48) doConnectDisconnect State: INIT
Info Asynchronous disconnect started
Info channel already closed
Info Update reconnect action : object state is Disconnected
Debug : Number of scheduled work items: 1
Info Sending response to agent: Good
Debug Removed SynchronizeTargetStates action
Info Update reconnect action : object state is Disconnected
Info Client session: 05522F48 destructor, secure channel: 00000000
Debug Removed SynchronizeTargetStates action
Info Update reconnect action : object state is Disconnected
Info Application::getEndpointsFromServer(...)
Info Client session: 055231E8 constructor
Info Secure channel: 00842290(00000000) constructor
Info Secure channel: 00842290(00000000) registered
Info Secure channel: 00842290(00000000) add Session (055231E8) to opc.tcp://192.168.100.100:4842/ [0]
Info Secure channel: 00842290(0540B4F8) opening sync
Debug Connection info url: opc.tcp://192.168.100.100:4842/
Debug Connection info securityPolicy: http://opcfoundation.org/UA/SecurityPolicy#None
Debug Connection info client certificate length: 1386
Debug Connection info client key length: 1191
Debug Connection info server certificate length: -1
Debug Connection info message security mode: 1
Info Endpoint idx : 0
Info EndpointUrl : 'opc.tcp://MO-CM-6:4842'
Info SecurityPolicyUri : 'http://opcfoundation.org/UA/SecurityPolicy#Basic256Sha256'
Info SecurityMode : 2
Info TransportProfileUri : 'http://opcfoundation.org/UA-Profile/Transport/uatcp-uasc-uabinary'
Info Certificate length : 917
Info Server.ServerName : 'Application 1'
Info Server.ServerUri : 'urn:OPC-UA:Application 1'
Info Server.ProductUri : 'urn:OPC-UA:Server'
Info Server.GatewayServerUri : ' -- null char* string -- '
Info Server.DiscoveryProfileUri : ' -- null char* string -- '
Info UserIdentity token policy id : open62541-certificate-policy-sign#Basic256Sha256
Info UserIdentity token policy id : open62541-username-policy-sign#Basic256Sha256
Info Endpoint idx : 1
Info EndpointUrl : 'opc.tcp://MO-CM-6:4842'
Info SecurityPolicyUri : 'http://opcfoundation.org/UA/SecurityPolicy#Basic256Sha256'
Info SecurityMode : 3
Info TransportProfileUri : 'http://opcfoundation.org/UA-Profile/Transport/uatcp-uasc-uabinary'
Info Certificate length : 917
Info Server.ServerName : 'Application 1'
Info Server.ServerUri : 'urn:OPC-UA:Application 1'
Info Server.ProductUri : 'urn:OPC-UA:Server'
Info Server.GatewayServerUri : ' -- null char* string -- '
Info Server.DiscoveryProfileUri : ' -- null char* string -- '
Info UserIdentity token policy id : open62541-certificate-policy-sign+encrypt#Basic256Sha256
Info UserIdentity token policy id : open62541-username-policy-sign+encrypt#Basic256Sha256
Info Secure channel: 00842290(0540B4F8) finally disconnecting sync
Info Secure channel: 00842290(0540B4F8) remove session (055231E8) to opc.tcp://192.168.100.100:4842/
Info Secure channel: 00842290(00000000) unregistered
Info Secure channel: 00842290(00000000) destructor
Info Client session: 055231E8 destructor, secure channel: 00000000
Debug Removed SynchronizeTargetStates action
Info Update reconnect action : object state is Disconnected
Info Client session: 055231E8 constructor
Info Session::setSecurityConfiguration(...)
Info Application::addSession(...)
Info Session::isConnected(...)
Info Session::connect(...)
Info Connecting session (055231E8) reconnect: 0
Info Session (055231E8) doConnectDisconnect State: INIT
Info Asynchronous connect started
Debug Setting channel usage to USAGE_SESSION
Info doConnectDisconnect (session: 055231E8) getting endpoints
Debug Setting channel usage to USAGE_GETENDPOINTS
Info Secure channel: 00842420(00000000) constructor
Info Secure channel: 00842420(00000000) registered
Info Secure channel: 00842420(00000000) add Session (055231E8) to opc.tcp://192.168.100.100:4842/ [0]
Info Secure channel: 00842420(0540B4B8) opening async
Debug Connection info url: opc.tcp://192.168.100.100:4842/
Debug Connection info securityPolicy: http://opcfoundation.org/UA/SecurityPolicy#None
Debug Connection info client certificate length: 1386
Debug Connection info client key length: 1191
Debug Connection info server certificate length: 917
Debug Connection info message security mode: 1
Info Secure channel: 00842420(0540B4B8) received stack callback (event 1)
Info Secure channel: 00842420(0540B4B8) connection changed to connected
Info Session : Connection status changed to: CONNECTED, status = Good
Debug : Number of scheduled work items: 1
Info Session (055231E8) doConnectDisconnect State: INSECURE_CHANNEL_OPENED
Info Secure channel open response: Good
Debug : Number of scheduled work items: 1
Info Session (055231E8) doConnectDisconnect State: GETENDPOINTS_DONE
Info GetEndpoints response: Good
Debug Setting channel usage to USAGE_GETENDPOINTS
Info Secure channel: 00842420(0540B4B8) closing async for session (055231E8) to opc.tcp://192.168.100.100:4842/
Info Secure channel: 00842420(0540B4B8) finally disconnecting async
Info Secure channel: 00842420(0540B4B8) received stack callback (event 2)
Info Secure channel: 00842420(0540B4B8) connection changed to disconnected
Info Secure channel: 00842420(0540B4B8) remove session (055231E8) to opc.tcp://192.168.100.100:4842/
Info Secure channel: 00842420(00000000) unregistered
Info Session : Connection status changed to: DISCONNECTED, status = Good
Info postDisconnectEvent Good
Debug : Number of scheduled work items: 1
Info Session (055231E8) onDisconnectEvent Old state: Connecting
Info Session (055231E8) doConnectDisconnect State: INSECURE_CHANNEL_CLOSED
Debug Setting channel usage to USAGE_SESSION
Info Secure channel: 00842678(00000000) constructor
Info Secure channel: 00842420(00000000) destructor
Info Secure channel: 00842678(00000000) registered
Info Secure channel: 00842678(00000000) add Session (055231E8) to opc.tcp://192.168.100.100:4842/ [0]
Info Secure channel: 00842678(05408538) opening async
Debug Connection info url: opc.tcp://192.168.100.100:4842/
Debug Connection info securityPolicy: http://opcfoundation.org/UA/SecurityPolicy#Basic256Sha256
Debug Connection info client certificate length: 1386
Debug Connection info client key length: 1191
Debug Connection info server certificate length: 917
Debug Connection info message security mode: 3
Info Update reconnect action : object state is Connecting
Info Secure channel: 00842678(05408538) received stack callback (event 1)
Info Secure channel: 00842678(05408538) connection changed to connected
Info Session : Connection status changed to: CONNECTED, status = BadCertificateUseNotAllowed
Info Session (055231E8) doConnectDisconnect State: SECURE_CHANNEL_OPENED
Info Secure channel open response: BadCertificateUseNotAllowed
Debug : Number of scheduled work items: 1
Info postDisconnectEvent BadCertificateUseNotAllowed
Debug : Number of scheduled work items: 1
Info Session (055231E8) onDisconnectEvent Old state: Disconnecting
Info Session (055231E8) doConnectDisconnect State: SECURE_CHANNEL_CLOSED
Info Close secure channel response: BadCertificateUseNotAllowed
Info Secure channel: 00842678(05408538) remove session (055231E8) to opc.tcp://192.168.100.100:4842/
Info Secure channel: 00842678(00000000) unregistered
Info Secure channel: 00842678(00000000) destructor
Info Update reconnect action : object state is Disconnected
Debug : Number of scheduled work items: 1
Info Update reconnect action : object state is Disconnected
Info Sending response to agent: BadCertificateUseNotAllowed
Info Connect session done, new state:Disconnected
Info Update reconnect action : object state is Disconnected
Error Error result from API call Session::connect(...) BadCertificateUseNotAllowed
This question is a longshot, I know, but maybe someone else has an idea where I might look next to resolve it.
Here's the openssl x509 -inform der for me certificate:
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 0 (0x0)
Signature Algorithm: sha256WithRSAEncryption
Issuer: O = My Company, OU = IA, CN = MyApplication, DC = MY-PC
Validity
Not Before: Sep 9 13:10:30 2024 GMT
Not After : Sep 11 13:10:30 2123 GMT
Subject: O = My Company, OU = IA, CN = MyApplication, DC = MY-PC
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public-Key: (2048 bit)
Modulus:
00:ef:ce:70:8d:4c:10:2c:ff:73:72:26:75:6a:95:
a5:96:b5:3a:87:02:18:28:1b:38:4c:c9:0d:61:34:
22:5e:e9:78:f2:6c:d4:e2:af:ef:c1:96:20:35:35:
be:59:14:e2:00:ed:47:63:72:1e:a2:d8:8e:1e:88:
fb:64:87:8b:f2:b8:d3:c7:31:3d:53:1c:3a:79:07:
db:4c:35:a4:7e:73:69:68:b7:ef:6a:92:cd:da:6d:
ae:ec:76:1a:31:60:62:c6:e8:ec:db:ad:3a:ee:de:
fb:92:75:1c:41:09:fe:3f:8f:f4:e0:76:e9:ef:30:
8a:4a:8a:81:86:68:1c:9b:a2:ac:75:fd:ef:fb:6e:
a5:aa:82:3e:48:22:12:5f:7b:d7:04:a4:29:5b:63:
94:f6:a7:46:73:09:5f:86:a8:ab:af:1a:6f:2c:f7:
55:30:4a:2c:2b:03:a0:77:d9:50:f1:32:c8:68:37:
86:1f:41:b7:42:03:bf:09:ef:98:c6:84:d0:90:29:
2d:40:1e:4d:85:d6:ba:8c:e0:12:d9:18:d8:41:b9:
98:83:af:c2:a7:25:9a:21:e2:82:67:48:54:f7:95:
51:da:7f:4c:85:2a:cf:f3:a8:3e:c5:8e:30:a2:a8:
22:32:79:c2:83:05:82:5d:98:37:eb:bc:73:44:ad:
a6:4d
Exponent: 65537 (0x10001)
X509v3 extensions:
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
E1:97:EC:D9:63:07:2F:4A:E6:37:CF:39:98:1F:8E:3C:08:47:BE:2F
X509v3 Authority Key Identifier:
keyid:E1:97:EC:D9:63:07:2F:4A:E6:37:CF:39:98:1F:8E:3C:08:47:BE:2F
DirName:/O=My Company/OU=IA/CN=MyApplication/DC=MY-PC
serial:00
X509v3 Subject Alternative Name:
URI:urn:MY-PC/MyApplication
X509v3 Basic Constraints:
CA:TRUE
X509v3 Key Usage:
Digital Signature, Non Repudiation, Key Encipherment, Data Encipherment, Certificate Sign, CRL Sign
X509v3 Extended Key Usage:
TLS Web Server Authentication, TLS Web Client Authentication
Signature Algorithm: sha256WithRSAEncryption
10:a4:37:0f:cd:c2:cf:94:20:f8:ba:80:24:92:9c:55:77:90:
e2:6b:66:fc:2e:64:ab:6b:67:a6:0c:ab:0a:42:69:0e:67:42:
22:20:f2:73:cc:83:56:fe:9f:65:8d:fb:7e:9a:7f:b9:01:b1:
0a:d4:71:77:58:ed:81:60:f0:f4:45:55:75:12:7a:34:00:8c:
1e:2d:95:8e:a0:7f:f7:b9:6d:0f:77:9e:be:67:6b:47:20:1e:
cf:30:d8:6a:55:a5:4c:b2:5e:5e:65:81:ab:f7:22:d7:09:9f:
3a:ce:4f:f7:b5:39:ef:5d:a5:99:5e:ba:67:08:76:5e:78:33:
d7:37:56:57:87:60:8e:0e:78:f7:45:c1:ca:68:5a:d5:99:6e:
2d:12:a1:d3:ec:e1:d6:35:2c:3b:bc:8e:08:b3:33:c4:6f:2a:
7a:d7:e5:d3:0c:68:b0:6f:f0:91:5c:f9:f4:bc:fe:b6:4b:79:
5d:23:0b:1d:48:57:1b:cb:8c:dd:33:f7:f0:af:df:07:1b:ed:
9d:fd:0b:f5:27:56:28:e1:d2:9b:a2:22:68:9b:ce:45:34:cb:
2d:58:f7:d7:32:d9:63:d9:d0:75:01:fb:b4:a1:3a:59:b8:e0:
c8:6f:80:db:91:27:3a:ad:34:7b:3f:8d:5f:de:30:29:18:41:
47:7e:0a:b8
X509v3 Basic Constraints: CA:TRUE
This may be your issue.
Have a look at https://reference.opcfoundation.org/Core/Part6/v105/docs/6.2.2 to get an idea of what's required of your application instance certificate.
In particular:
The cA flag shall be FALSE for any ApplicationInstance Certificate, however, TRUE shall be accepted to ensure backward interoperability when validating ApplicationInstance Certificates, if revocation checks are enabled. If revocation checks are disabled then a Certificate with the cA flag set to TRUE should not be accepted. It should be possible to disable backward interoperability in configuration.