Tags: ssl-certificate, opc-ua

OPC UA Client certificate connection problem: BadCertificateUseNotAllowed


I'm using the Softing C++ UA Toolkit v5.57 to create an OPC UA client to connect to an OPC UA server. As connecting to the server requires SSL encryption (Security mode SignAndEncrypt, Security policy Basic256Sha256), I've created my own self-signed certificates using OpenSSL.

This setup worked fine until a recent update to the OPC UA server which (at the minimum) changed the way its certificates are generated. I've already re-added my self-signed certificate to the server's trusted certificate store, as well as adding the server's new certificate to my client's trusted certificate store. I can successfully connect to the server using 3rd party OPC UA clients.

However, no matter what I try, I get the BadCertificateUseNotAllowed error when trying to connect my application (which worked before) to the server. Turning the trace up to maximum, I can see that I successfully get the endpoints, but when changing to USAGE_SESSION I run into BadCertificateUseNotAllowed. Removing the server's certificate from my client's trusted store yields the expected "certificate untrusted" error; re-adding it returns to the "use not allowed" error.

Looking at the error description, I could only learn that... some kind of usage was not permitted for the certificate? I have already double-checked that e.g. keyEncipherment, dataEncipherment are enabled in both certificates.

One thing I saw as a notable change is that the old certificate of the OPC UA server had Subject Type=CA, while the new one downgraded it to Subject Type=End Entity. But as I do not use the server's certificate as a CA, it should not have any impact here, I think.

The error log is as follows:

 Info   Application::initialize(...) 
 Info   Application::loadCertificate(...) 
 Info   Application::loadPrivateKey(...) 
 Info   Application::activateLicense(...) 
 Info   Application::start(...) 
 Info   FoundationStack::loadCertificate
 Info   Certificate loaded: 'C:/CERTIF~1/CERT_C~1.DER'
 Info   FoundationStack::loadPrivateKey
 Info   Application::getEndpointsFromServer(...) 
 Info   Client session: 05483FF0 constructor
 Info   Secure channel: 00842FD8(00000000) constructor
 Info   Secure channel: 00842FD8(00000000) registered
 Info   Secure channel: 00842FD8(00000000) add Session  (05483FF0) to opc.tcp://192.168.100.100:4842/ [0]
 Info   Secure channel: 00842FD8(0540B838) opening sync
 Debug  Connection info url: opc.tcp://192.168.100.100:4842/
 Debug  Connection info securityPolicy: http://opcfoundation.org/UA/SecurityPolicy#None
 Debug  Connection info client certificate length: 1386
 Debug  Connection info client key length: 1191
 Debug  Connection info server certificate length: -1
 Debug  Connection info message security mode: 1
 Info   Endpoint idx        : 0
 Info   EndpointUrl         : 'opc.tcp://MO-CM-6:4842'
 Info   SecurityPolicyUri   : 'http://opcfoundation.org/UA/SecurityPolicy#Basic256Sha256'
 Info   SecurityMode        : 2
 Info   TransportProfileUri : 'http://opcfoundation.org/UA-Profile/Transport/uatcp-uasc-uabinary'
 Info   Certificate length  : 917
 Info   Server.ServerName          : 'Application 1'
 Info   Server.ServerUri           : 'urn:OPC-UA:Application 1'
 Info   Server.ProductUri          : 'urn:OPC-UA:Server'
 Info   Server.GatewayServerUri    : ' -- null char* string -- '
 Info   Server.DiscoveryProfileUri : ' -- null char* string -- '
 Info   UserIdentity token policy id : open62541-certificate-policy-sign#Basic256Sha256
 Info   UserIdentity token policy id : open62541-username-policy-sign#Basic256Sha256
 Info   Endpoint idx        : 1
 Info   EndpointUrl         : 'opc.tcp://MO-CM-6:4842'
 Info   SecurityPolicyUri   : 'http://opcfoundation.org/UA/SecurityPolicy#Basic256Sha256'
 Info   SecurityMode        : 3
 Info   TransportProfileUri : 'http://opcfoundation.org/UA-Profile/Transport/uatcp-uasc-uabinary'
 Info   Certificate length  : 917
 Info   Server.ServerName          : 'Application 1'
 Info   Server.ServerUri           : 'urn:OPC-UA:Application 1'
 Info   Server.ProductUri          : 'urn:OPC-UA:Server'
 Info   Server.GatewayServerUri    : ' -- null char* string -- '
 Info   Server.DiscoveryProfileUri : ' -- null char* string -- '
 Info   UserIdentity token policy id : open62541-certificate-policy-sign+encrypt#Basic256Sha256
 Info   UserIdentity token policy id : open62541-username-policy-sign+encrypt#Basic256Sha256
 Info   Secure channel: 00842FD8(0540B838) finally disconnecting sync
 Info   Secure channel: 00842FD8(0540B838) remove session  (05483FF0) to opc.tcp://192.168.100.100:4842/
 Info   Secure channel: 00842FD8(00000000) unregistered
 Info   Secure channel: 00842FD8(00000000) destructor
 Info   Client session: 05483FF0 destructor, secure channel: 00000000
 Debug  Removed SynchronizeTargetStates action
 Info   Update reconnect action : object state is Disconnected
 Info   Client session: 05522F48 constructor
 Info   Session::setSecurityConfiguration(...) 
 Info   Application::addSession(...) 
 Info   Session::isConnected(...) 
 Info   Session::connect(...) 
 Info   Connecting session (05522F48) reconnect: 0
 Info   FoundationStack::createCryptoProvider
 Info   Session  (05522F48) doConnectDisconnect State: INIT
 Info   Asynchronous connect started
 Debug  Setting channel usage to USAGE_SESSION
 Info   doConnectDisconnect (session: 05522F48) getting endpoints
 Debug  Setting channel usage to USAGE_GETENDPOINTS
 Info   Secure channel: 00842678(00000000) constructor
 Info   Secure channel: 00842678(00000000) registered
 Info   Secure channel: 00842678(00000000) add Session  (05522F48) to opc.tcp://192.168.100.100:4842/ [0]
 Info   Secure channel: 00842678(0540B838) opening async
 Debug  Connection info url: opc.tcp://192.168.100.100:4842/
 Debug  Connection info securityPolicy: http://opcfoundation.org/UA/SecurityPolicy#None
 Debug  Connection info client certificate length: 1386
 Debug  Connection info client key length: 1191
 Debug  Connection info server certificate length: 917
 Debug  Connection info message security mode: 1
 Info   Secure channel: 00842678(0540B838) received stack callback (event 1)
 Info   Secure channel: 00842678(0540B838) connection changed to connected
 Info   Session : Connection status changed to: CONNECTED, status = Good
 Info   Session  (05522F48) doConnectDisconnect State: INSECURE_CHANNEL_OPENED
 Debug  : Number of scheduled work items: 1
 Info   Secure channel open response: Good
 Debug  : Number of scheduled work items: 1
 Info   Session  (05522F48) doConnectDisconnect State: GETENDPOINTS_DONE
 Info   GetEndpoints response: Good
 Debug  Setting channel usage to USAGE_GETENDPOINTS
 Info   Secure channel: 00842678(0540B838) closing async for session  (05522F48) to opc.tcp://192.168.100.100:4842/
 Info   Secure channel: 00842678(0540B838) finally disconnecting async
 Info   Secure channel: 00842678(0540B838) received stack callback (event 2)
 Info   Secure channel: 00842678(0540B838) connection changed to disconnected
 Info   Secure channel: 00842678(0540B838) remove session  (05522F48) to opc.tcp://192.168.100.100:4842/
 Info   Secure channel: 00842678(00000000) unregistered
 Info   Session : Connection status changed to: DISCONNECTED, status = Good
 Info   postDisconnectEvent Good
 Debug  : Number of scheduled work items: 1
 Info   Session  (05522F48) onDisconnectEvent Old state: Connecting
 Info   Secure channel: 00842678(00000000) destructor
 Info   Session  (05522F48) doConnectDisconnect State: INSECURE_CHANNEL_CLOSED
 Debug  Setting channel usage to USAGE_SESSION
 Info   Secure channel: 00842BF0(00000000) constructor
 Info   Secure channel: 00842BF0(00000000) registered
 Info   Secure channel: 00842BF0(00000000) add Session  (05522F48) to opc.tcp://192.168.100.100:4842/ [0]
 Info   Secure channel: 00842BF0(05408238) opening async
 Debug  Connection info url: opc.tcp://192.168.100.100:4842/
 Debug  Connection info securityPolicy: http://opcfoundation.org/UA/SecurityPolicy#Basic256Sha256
 Debug  Connection info client certificate length: 1386
 Debug  Connection info client key length: 1191
 Debug  Connection info server certificate length: 917
 Debug  Connection info message security mode: 3
 Info   Update reconnect action : object state is Connecting
 Info   Secure channel: 00842BF0(05408238) received stack callback (event 1)
 Info   Secure channel: 00842BF0(05408238) connection changed to connected
 Info   Session : Connection status changed to: CONNECTED, status = BadCertificateUseNotAllowed
 Debug  : Number of scheduled work items: 1
 Info   Session  (05522F48) doConnectDisconnect State: SECURE_CHANNEL_OPENED
 Info   Secure channel open response: BadCertificateUseNotAllowed
 Info   postDisconnectEvent BadCertificateUseNotAllowed
 Debug  : Number of scheduled work items: 1
 Info   (842) Session  (05522F48) onDisconnectEvent Old state: Disconnecting
 Info   Session  (05522F48) doConnectDisconnect State: SECURE_CHANNEL_CLOSED
 Info   Close secure channel response: BadCertificateUseNotAllowed
 Info   Secure channel: 00842BF0(05408238) remove session  (05522F48) to opc.tcp://192.168.100.100:4842/
 Info   Secure channel: 00842BF0(00000000) unregistered
 Info   Secure channel: 00842BF0(00000000) destructor
 Info   Update reconnect action : object state is Disconnected
 Debug  : Number of scheduled work items: 1
 Info   Update reconnect action : object state is Disconnected
 Info   Sending response to agent: BadCertificateUseNotAllowed
 Info   Connect session done, new state:Disconnected
 Info   Update reconnect action : object state is Disconnected
 Error  Error result from API call Session::connect(...) BadCertificateUseNotAllowed
 Info   Session::isConnected(...) 
 Info   Application::removeSession(...) 
 Debug  Removed SynchronizeTargetStates action
 Info   Session  (05522F48) doConnectDisconnect State: INIT
 Info   Asynchronous disconnect started
 Info   channel already closed
 Info   Update reconnect action : object state is Disconnected
 Debug  : Number of scheduled work items: 1
 Info   Sending response to agent: Good
 Debug  Removed SynchronizeTargetStates action
 Info   Update reconnect action : object state is Disconnected
 Info   Client session: 05522F48 destructor, secure channel: 00000000
 Debug  Removed SynchronizeTargetStates action
 Info   Update reconnect action : object state is Disconnected
 Info   Application::getEndpointsFromServer(...) 
 Info   Client session: 055231E8 constructor
 Info   Secure channel: 00842290(00000000) constructor
 Info   Secure channel: 00842290(00000000) registered
 Info   Secure channel: 00842290(00000000) add Session  (055231E8) to opc.tcp://192.168.100.100:4842/ [0]
 Info   Secure channel: 00842290(0540B4F8) opening sync
 Debug  Connection info url: opc.tcp://192.168.100.100:4842/
 Debug  Connection info securityPolicy: http://opcfoundation.org/UA/SecurityPolicy#None
 Debug  Connection info client certificate length: 1386
 Debug  Connection info client key length: 1191
 Debug  Connection info server certificate length: -1
 Debug  Connection info message security mode: 1
 Info   Endpoint idx        : 0
 Info   EndpointUrl         : 'opc.tcp://MO-CM-6:4842'
 Info   SecurityPolicyUri   : 'http://opcfoundation.org/UA/SecurityPolicy#Basic256Sha256'
 Info   SecurityMode        : 2
 Info   TransportProfileUri : 'http://opcfoundation.org/UA-Profile/Transport/uatcp-uasc-uabinary'
 Info   Certificate length  : 917
 Info   Server.ServerName          : 'Application 1'
 Info   Server.ServerUri           : 'urn:OPC-UA:Application 1'
 Info   Server.ProductUri          : 'urn:OPC-UA:Server'
 Info   Server.GatewayServerUri    : ' -- null char* string -- '
 Info   Server.DiscoveryProfileUri : ' -- null char* string -- '
 Info   UserIdentity token policy id : open62541-certificate-policy-sign#Basic256Sha256
 Info   UserIdentity token policy id : open62541-username-policy-sign#Basic256Sha256
 Info   Endpoint idx        : 1
 Info   EndpointUrl         : 'opc.tcp://MO-CM-6:4842'
 Info   SecurityPolicyUri   : 'http://opcfoundation.org/UA/SecurityPolicy#Basic256Sha256'
 Info   SecurityMode        : 3
 Info   TransportProfileUri : 'http://opcfoundation.org/UA-Profile/Transport/uatcp-uasc-uabinary'
 Info   Certificate length  : 917
 Info   Server.ServerName          : 'Application 1'
 Info   Server.ServerUri           : 'urn:OPC-UA:Application 1'
 Info   Server.ProductUri          : 'urn:OPC-UA:Server'
 Info   Server.GatewayServerUri    : ' -- null char* string -- '
 Info   Server.DiscoveryProfileUri : ' -- null char* string -- '
 Info   UserIdentity token policy id : open62541-certificate-policy-sign+encrypt#Basic256Sha256
 Info   UserIdentity token policy id : open62541-username-policy-sign+encrypt#Basic256Sha256
 Info   Secure channel: 00842290(0540B4F8) finally disconnecting sync
 Info   Secure channel: 00842290(0540B4F8) remove session  (055231E8) to opc.tcp://192.168.100.100:4842/
 Info   Secure channel: 00842290(00000000) unregistered
 Info   Secure channel: 00842290(00000000) destructor
 Info   Client session: 055231E8 destructor, secure channel: 00000000
 Debug  Removed SynchronizeTargetStates action
 Info   Update reconnect action : object state is Disconnected
 Info   Client session: 055231E8 constructor
 Info   Session::setSecurityConfiguration(...) 
 Info   Application::addSession(...) 
 Info   Session::isConnected(...) 
 Info   Session::connect(...) 
 Info   Connecting session (055231E8) reconnect: 0
 Info   Session  (055231E8) doConnectDisconnect State: INIT
 Info   Asynchronous connect started
 Debug  Setting channel usage to USAGE_SESSION
 Info   doConnectDisconnect (session: 055231E8) getting endpoints
 Debug  Setting channel usage to USAGE_GETENDPOINTS
 Info   Secure channel: 00842420(00000000) constructor
 Info   Secure channel: 00842420(00000000) registered
 Info   Secure channel: 00842420(00000000) add Session  (055231E8) to opc.tcp://192.168.100.100:4842/ [0]
 Info   Secure channel: 00842420(0540B4B8) opening async
 Debug  Connection info url: opc.tcp://192.168.100.100:4842/
 Debug  Connection info securityPolicy: http://opcfoundation.org/UA/SecurityPolicy#None
 Debug  Connection info client certificate length: 1386
 Debug  Connection info client key length: 1191
 Debug  Connection info server certificate length: 917
 Debug  Connection info message security mode: 1
 Info   Secure channel: 00842420(0540B4B8) received stack callback (event 1)
 Info   Secure channel: 00842420(0540B4B8) connection changed to connected
 Info   Session : Connection status changed to: CONNECTED, status = Good
 Debug  : Number of scheduled work items: 1
 Info   Session  (055231E8) doConnectDisconnect State: INSECURE_CHANNEL_OPENED
 Info   Secure channel open response: Good
 Debug  : Number of scheduled work items: 1
 Info   Session  (055231E8) doConnectDisconnect State: GETENDPOINTS_DONE
 Info   GetEndpoints response: Good
 Debug  Setting channel usage to USAGE_GETENDPOINTS
 Info   Secure channel: 00842420(0540B4B8) closing async for session  (055231E8) to opc.tcp://192.168.100.100:4842/
 Info   Secure channel: 00842420(0540B4B8) finally disconnecting async
 Info   Secure channel: 00842420(0540B4B8) received stack callback (event 2)
 Info   Secure channel: 00842420(0540B4B8) connection changed to disconnected
 Info   Secure channel: 00842420(0540B4B8) remove session  (055231E8) to opc.tcp://192.168.100.100:4842/
 Info   Secure channel: 00842420(00000000) unregistered
 Info   Session : Connection status changed to: DISCONNECTED, status = Good
 Info   postDisconnectEvent Good
 Debug  : Number of scheduled work items: 1
 Info   Session  (055231E8) onDisconnectEvent Old state: Connecting
 Info   Session  (055231E8) doConnectDisconnect State: INSECURE_CHANNEL_CLOSED
 Debug  Setting channel usage to USAGE_SESSION
 Info   Secure channel: 00842678(00000000) constructor
 Info   Secure channel: 00842420(00000000) destructor
 Info   Secure channel: 00842678(00000000) registered
 Info   Secure channel: 00842678(00000000) add Session  (055231E8) to opc.tcp://192.168.100.100:4842/ [0]
 Info   Secure channel: 00842678(05408538) opening async
 Debug  Connection info url: opc.tcp://192.168.100.100:4842/
 Debug  Connection info securityPolicy: http://opcfoundation.org/UA/SecurityPolicy#Basic256Sha256
 Debug  Connection info client certificate length: 1386
 Debug  Connection info client key length: 1191
 Debug  Connection info server certificate length: 917
 Debug  Connection info message security mode: 3
 Info   Update reconnect action : object state is Connecting
 Info   Secure channel: 00842678(05408538) received stack callback (event 1)
 Info   Secure channel: 00842678(05408538) connection changed to connected
 Info   Session : Connection status changed to: CONNECTED, status = BadCertificateUseNotAllowed
 Info   Session  (055231E8) doConnectDisconnect State: SECURE_CHANNEL_OPENED
 Info   Secure channel open response: BadCertificateUseNotAllowed
 Debug  : Number of scheduled work items: 1
 Info   postDisconnectEvent BadCertificateUseNotAllowed
 Debug  : Number of scheduled work items: 1
 Info   Session  (055231E8) onDisconnectEvent Old state: Disconnecting
 Info   Session  (055231E8) doConnectDisconnect State: SECURE_CHANNEL_CLOSED
 Info   Close secure channel response: BadCertificateUseNotAllowed
 Info   Secure channel: 00842678(05408538) remove session  (055231E8) to opc.tcp://192.168.100.100:4842/
 Info   Secure channel: 00842678(00000000) unregistered
 Info   Secure channel: 00842678(00000000) destructor
 Info   Update reconnect action : object state is Disconnected
 Debug  : Number of scheduled work items: 1
 Info   Update reconnect action : object state is Disconnected
 Info   Sending response to agent: BadCertificateUseNotAllowed
 Info   Connect session done, new state:Disconnected
 Info   Update reconnect action : object state is Disconnected
 Error  Error result from API call Session::connect(...) BadCertificateUseNotAllowed

This question is a longshot, I know, but maybe someone else has an idea where I might look next to resolve it.

Here's the openssl x509 -inform der output for my certificate:

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 0 (0x0)
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: O = My Company, OU = IA, CN = MyApplication, DC = MY-PC
        Validity
            Not Before: Sep  9 13:10:30 2024 GMT
            Not After : Sep 11 13:10:30 2123 GMT
        Subject: O = My Company, OU = IA, CN = MyApplication, DC = MY-PC
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (2048 bit)
                Modulus:
                    00:ef:ce:70:8d:4c:10:2c:ff:73:72:26:75:6a:95:
                    a5:96:b5:3a:87:02:18:28:1b:38:4c:c9:0d:61:34:
                    22:5e:e9:78:f2:6c:d4:e2:af:ef:c1:96:20:35:35:
                    be:59:14:e2:00:ed:47:63:72:1e:a2:d8:8e:1e:88:
                    fb:64:87:8b:f2:b8:d3:c7:31:3d:53:1c:3a:79:07:
                    db:4c:35:a4:7e:73:69:68:b7:ef:6a:92:cd:da:6d:
                    ae:ec:76:1a:31:60:62:c6:e8:ec:db:ad:3a:ee:de:
                    fb:92:75:1c:41:09:fe:3f:8f:f4:e0:76:e9:ef:30:
                    8a:4a:8a:81:86:68:1c:9b:a2:ac:75:fd:ef:fb:6e:
                    a5:aa:82:3e:48:22:12:5f:7b:d7:04:a4:29:5b:63:
                    94:f6:a7:46:73:09:5f:86:a8:ab:af:1a:6f:2c:f7:
                    55:30:4a:2c:2b:03:a0:77:d9:50:f1:32:c8:68:37:
                    86:1f:41:b7:42:03:bf:09:ef:98:c6:84:d0:90:29:
                    2d:40:1e:4d:85:d6:ba:8c:e0:12:d9:18:d8:41:b9:
                    98:83:af:c2:a7:25:9a:21:e2:82:67:48:54:f7:95:
                    51:da:7f:4c:85:2a:cf:f3:a8:3e:c5:8e:30:a2:a8:
                    22:32:79:c2:83:05:82:5d:98:37:eb:bc:73:44:ad:
                    a6:4d
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            Netscape Comment: 
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier: 
                E1:97:EC:D9:63:07:2F:4A:E6:37:CF:39:98:1F:8E:3C:08:47:BE:2F
            X509v3 Authority Key Identifier: 
                keyid:E1:97:EC:D9:63:07:2F:4A:E6:37:CF:39:98:1F:8E:3C:08:47:BE:2F
                DirName:/O=My Company/OU=IA/CN=MyApplication/DC=MY-PC
                serial:00

            X509v3 Subject Alternative Name: 
                URI:urn:MY-PC/MyApplication
            X509v3 Basic Constraints: 
                CA:TRUE
            X509v3 Key Usage: 
                Digital Signature, Non Repudiation, Key Encipherment, Data Encipherment, Certificate Sign, CRL Sign
            X509v3 Extended Key Usage: 
                TLS Web Server Authentication, TLS Web Client Authentication
    Signature Algorithm: sha256WithRSAEncryption
         10:a4:37:0f:cd:c2:cf:94:20:f8:ba:80:24:92:9c:55:77:90:
         e2:6b:66:fc:2e:64:ab:6b:67:a6:0c:ab:0a:42:69:0e:67:42:
         22:20:f2:73:cc:83:56:fe:9f:65:8d:fb:7e:9a:7f:b9:01:b1:
         0a:d4:71:77:58:ed:81:60:f0:f4:45:55:75:12:7a:34:00:8c:
         1e:2d:95:8e:a0:7f:f7:b9:6d:0f:77:9e:be:67:6b:47:20:1e:
         cf:30:d8:6a:55:a5:4c:b2:5e:5e:65:81:ab:f7:22:d7:09:9f:
         3a:ce:4f:f7:b5:39:ef:5d:a5:99:5e:ba:67:08:76:5e:78:33:
         d7:37:56:57:87:60:8e:0e:78:f7:45:c1:ca:68:5a:d5:99:6e:
         2d:12:a1:d3:ec:e1:d6:35:2c:3b:bc:8e:08:b3:33:c4:6f:2a:
         7a:d7:e5:d3:0c:68:b0:6f:f0:91:5c:f9:f4:bc:fe:b6:4b:79:
         5d:23:0b:1d:48:57:1b:cb:8c:dd:33:f7:f0:af:df:07:1b:ed:
         9d:fd:0b:f5:27:56:28:e1:d2:9b:a2:22:68:9b:ce:45:34:cb:
         2d:58:f7:d7:32:d9:63:d9:d0:75:01:fb:b4:a1:3a:59:b8:e0:
         c8:6f:80:db:91:27:3a:ad:34:7b:3f:8d:5f:de:30:29:18:41:
         47:7e:0a:b8

Solution

    X509v3 Basic Constraints: 
        CA:TRUE

This may be your issue.

Have a look at https://reference.opcfoundation.org/Core/Part6/v105/docs/6.2.2 to get an idea of what's required of your application instance certificate.

In particular:

    The cA flag shall be FALSE for any ApplicationInstance Certificate, however, TRUE shall be accepted to ensure backward interoperability when validating ApplicationInstance Certificates, if revocation checks are enabled. If revocation checks are disabled then a Certificate with the cA flag set to TRUE should not be accepted. It should be possible to disable backward interoperability in configuration.
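The following is an added example and is not part of the question, the answer, or the Softing toolkit. It is a small stdlib-only Python checker that reads the text produced by `openssl x509 -inform der -in cert.der -noout -text` (the same format the question pastes) and reports the Part 6, 6.2.2 requirements that an OPC UA application instance certificate most often violates: the cA flag, the key usages, the extended key usages, and the application URI in the Subject Alternative Name. The sample input is the extension block of the question's own certificate, trimmed to the relevant lines; the "fixed" variant is constructed from it by flipping CA:TRUE to CA:FALSE and dropping the CA-only key usages. The `openssl_v3_section` helper writes an OpenSSL extension section that produces a certificate passing these checks; the section name `v3_uaapp` and the parameter names are this example's own choice.

```python
"""Check an OPC UA application instance certificate, as dumped by
`openssl x509 -noout -text`, against the Part 6, 6.2.2 profile.
Added example; not code from the question, the answer or the toolkit."""
import re
from typing import Dict, List

# Key usages that OPC UA Part 6, 6.2.2 requires on an application instance certificate.
REQUIRED_KEY_USAGE = {"Digital Signature", "Non Repudiation",
                      "Key Encipherment", "Data Encipherment"}
# keyCertSign / cRLSign are CA usages; they are not required for an application instance
# certificate and usually mean the certificate was generated with a CA profile.
CA_ONLY_KEY_USAGE = {"Certificate Sign", "CRL Sign"}
EKU_FOR_ROLE = {"client": "TLS Web Client Authentication",
                "server": "TLS Web Server Authentication"}

# Extension header lines sit at 12 spaces of indent in openssl's text output;
# their values at 16. A header may carry a trailing "critical".
_EXT_HEADER = re.compile(r"^ {12}(\S.*?):\s*(critical)?\s*$")


def parse_extensions(text: str) -> Dict[str, str]:
    """Return {extension name: value text} for the 'X509v3 extensions:' section."""
    exts: Dict[str, List[str]] = {}
    current = None
    in_section = False
    for line in text.splitlines():
        stripped = line.strip()
        if stripped == "X509v3 extensions:":
            in_section = True
            continue
        if not in_section:
            continue
        if line.startswith("    Signature Algorithm"):   # outer signature ends the section
            break
        m = _EXT_HEADER.match(line)
        if m:
            current = m.group(1)
            exts[current] = []
        elif current is not None and stripped:
            exts[current].append(stripped)
    return {name: " ".join(values) for name, values in exts.items()}


def check_application_instance_cert(text: str, role: str = "client") -> List[str]:
    """Return a list of findings (empty when the certificate passes the checks)."""
    exts = parse_extensions(text)
    findings: List[str] = []

    bc = exts.get("X509v3 Basic Constraints", "")
    if not bc:
        findings.append("basicConstraints extension missing")
    elif "CA:TRUE" in bc:
        findings.append("basicConstraints cA=TRUE; Part 6, 6.2.2 requires cA=FALSE "
                        "for an ApplicationInstance certificate")

    ku = {u.strip() for u in exts.get("X509v3 Key Usage", "").split(",") if u.strip()}
    missing = REQUIRED_KEY_USAGE - ku
    if missing:
        findings.append("keyUsage missing: " + ", ".join(sorted(missing)))
    if ku & CA_ONLY_KEY_USAGE:
        findings.append("keyUsage carries CA-only usages: " + ", ".join(sorted(ku & CA_ONLY_KEY_USAGE)))

    eku = exts.get("X509v3 Extended Key Usage", "")
    if EKU_FOR_ROLE[role] not in eku:
        findings.append(f"extendedKeyUsage lacks {EKU_FOR_ROLE[role]} needed for a {role}")

    if "URI:" not in exts.get("X509v3 Subject Alternative Name", ""):
        findings.append("subjectAltName has no URI entry (the ApplicationUri must be present)")
    return findings


def openssl_v3_section(application_uri: str, host: str) -> str:
    """OpenSSL extension section (use with `openssl req -x509 -extensions v3_uaapp -config ...`)
    that yields a certificate passing the checks above. Assumed layout, not from the page."""
    return "\n".join([
        "[ v3_uaapp ]",
        "basicConstraints = critical, CA:FALSE",
        "keyUsage = critical, digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment",
        "extendedKeyUsage = serverAuth, clientAuth",
        f"subjectAltName = URI:{application_uri}, DNS:{host}",
        "subjectKeyIdentifier = hash",
        "authorityKeyIdentifier = keyid, issuer",
    ])


# Constructed sample: the question's certificate, trimmed to the extension block.
SAMPLE_CA_TRUE = """\
Certificate:
    Data:
        Version: 3 (0x2)
        Subject: O = My Company, OU = IA, CN = MyApplication, DC = MY-PC
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                E1:97:EC:D9:63:07:2F:4A:E6:37:CF:39:98:1F:8E:3C:08:47:BE:2F
            X509v3 Subject Alternative Name:
                URI:urn:MY-PC/MyApplication
            X509v3 Basic Constraints:
                CA:TRUE
            X509v3 Key Usage:
                Digital Signature, Non Repudiation, Key Encipherment, Data Encipherment, Certificate Sign, CRL Sign
            X509v3 Extended Key Usage:
                TLS Web Server Authentication, TLS Web Client Authentication
    Signature Algorithm: sha256WithRSAEncryption
         10:a4:37:0f
"""
# Constructed "fixed" variant: cA=FALSE and no CA-only key usages.
SAMPLE_FIXED = (SAMPLE_CA_TRUE.replace("CA:TRUE", "CA:FALSE")
                .replace(", Certificate Sign, CRL Sign", ""))

if __name__ == "__main__":
    for label, sample in (("as posted", SAMPLE_CA_TRUE), ("fixed", SAMPLE_FIXED)):
        print(label, check_application_instance_cert(sample) or ["OK"])
    print(openssl_v3_section("urn:MY-PC/MyApplication", "MY-PC"))
```

Run as `openssl x509 -inform der -in cert.der -noout -text | python check_ua_cert.py` after swapping the sample for `sys.stdin.read()`. On the certificate from the question it reports the cA=TRUE problem the answer identifies, plus the keyCertSign/cRLSign usages that betray the CA profile it was generated with; on the fixed variant it reports nothing. Because the spec only says a cA=TRUE certificate "shall be accepted" when revocation checks are enabled, the same certificate can work against one server build and fail against the next, which matches the behaviour described after the server update.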