Certificate Authentication


Chris Rossi

Feb 22, 2022, 10:13:12 AM2/22/22
to open62541

I have a customer requirement to implement OPC UA authentication using certificates in my client code, but I have been unable to find a solution. I've searched extensively for an answer on how to accomplish this but have so far come up empty. All I've been able to find is a few tidbits of info and comments inside the library's code. The provided examples show how to encrypt the channel using certificates and also how to login using username/password, but not, unless I'm missing something, how to login using a certificate.

With UA Expert I'm able to use my certificate to successfully authenticate and can confirm that it's authenticating with an X509IdentityToken. However I can't seem to replicate that behavior in my client code. I've set securityMode, securityPolicyUri and applicationUri which does encrypt the channel, but doesn't authenticate as needed.

If I allow anonymous on the server side my client code authenticates with an AnonymousIdentityToken.

When I disable anonymous on the server I receive the error: ActivateSession failed with error code BadIdentityTokenInvalid.

When I attempt to use a UA_X509IdentityToken for the userIdentityToken (like I'm guessing that maybe I should from examining the library code) the error I receive is: ActivateSession failed with error code BadApplicationSignatureInvalid.

I've searched the documentation, Issues, and this Google group, but none seem to fully answer this question. Others have asked this or similar questions but all without an adequate response. The closest I've seen is a response from Julius that mentions the need to do some manual setup but he doesn't go into detail.

Can someone please point me to a code snippet or some working code that demonstrates certificate authentication in a client? Thanks!

Julius Pfrommer

Feb 22, 2022, 5:35:35 PM2/22/22
to open62541
Hey there,

The certificate-based authentication has two parts.

You send your certificate in the X509IdentityToken as defined here:

You use that same certificate to sign your identity token to prove that you are in possession of the private key for that certificate.
See the userTokenSignature in the ActivateSessionRequest:

On the server side we "just" check if the signature is valid and then forward the certificate to the AccessControl plugin.
The AccessControl plugin (which can be extended by the user) checks the certificate itself.

The client side isn't that far.
You can set the X509IdentityToken, but it won't be used to generate the userTokenSignature.
Not because its complicated, only because we haven't gotten around to doing it.

I am cross-posting this answer also to the Github issue you (?) opened.

Regards, Julius
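The two parts Julius describes, written out as an added example that is not code from the thread or from open62541 (whose client, per the thread, does not yet produce the signature). It models the ActivateSession exchange directly in Go with the standard library: the client signs the bytes that OPC UA Part 4 defines for the userTokenSignature (the server's application-instance certificate followed by the last ServerNonce) with the private key belonging to the certificate it places in the X509IdentityToken, and the server verifies that signature against the public key in that certificate before the certificate would be handed to the AccessControl plugin. The RSA PKCS#1 v1.5 / SHA-256 signature matches the Basic256Sha256 policy; a policy using RSA-PSS would swap the sign/verify calls. The self-signed certificates, the nonce and the status-code string are constructed for the example.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// userTokenSignatureData builds the bytes that the userTokenSignature in an
// ActivateSessionRequest covers: serverCertificate (DER) || serverNonce.
func userTokenSignatureData(serverCertDER, serverNonce []byte) []byte {
	data := make([]byte, 0, len(serverCertDER)+len(serverNonce))
	data = append(data, serverCertDER...)
	return append(data, serverNonce...)
}

// signUserToken is the client-side step: prove possession of the private key
// that belongs to the certificate sent in the X509IdentityToken.
// RSA PKCS#1 v1.5 with SHA-256 is the asymmetric signature of Basic256Sha256.
func signUserToken(priv *rsa.PrivateKey, serverCertDER, serverNonce []byte) ([]byte, error) {
	digest := sha256.Sum256(userTokenSignatureData(serverCertDER, serverNonce))
	return rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
}

// verifyUserTokenSignature is the server-side step: check the signature with
// the public key taken from the token's certificate. Only after this succeeds
// would the certificate be forwarded to the AccessControl plugin for the
// actual trust/authorization decision. The error text mirrors the OPC UA
// status code a server would return (constructed here, not a library value).
func verifyUserTokenSignature(tokenCertDER, serverCertDER, serverNonce, sig []byte) error {
	cert, err := x509.ParseCertificate(tokenCertDER)
	if err != nil {
		return fmt.Errorf("X509IdentityToken: %w", err)
	}
	pub, ok := cert.PublicKey.(*rsa.PublicKey)
	if !ok {
		return errors.New("X509IdentityToken: certificate does not carry an RSA key")
	}
	digest := sha256.Sum256(userTokenSignatureData(serverCertDER, serverNonce))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig); err != nil {
		return errors.New("BadUserSignatureInvalid")
	}
	return nil
}

// newIdentity creates a throwaway self-signed certificate and its private key
// (constructed test material standing in for a real application or user cert).
func newIdentity(commonName string) (*rsa.PrivateKey, []byte, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: commonName},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &priv.PublicKey, priv)
	if err != nil {
		return nil, nil, err
	}
	return priv, der, nil
}

func main() {
	userKey, userCert, err := newIdentity("user-identity")
	if err != nil {
		panic(err)
	}
	_, serverCert, err := newIdentity("opcua-server")
	if err != nil {
		panic(err)
	}
	// The server sends a fresh nonce in CreateSessionResponse; constructed here.
	serverNonce := []byte("constructed-32-byte-server-nonce")

	// Client: X509IdentityToken = userCert, userTokenSignature = sig.
	sig, err := signUserToken(userKey, serverCert, serverNonce)
	if err != nil {
		panic(err)
	}
	fmt.Println("valid token:", verifyUserTokenSignature(userCert, serverCert, serverNonce, sig))

	// Failure modes: a signature from a different key, or a replayed nonce.
	otherKey, _, _ := newIdentity("impostor")
	badSig, _ := signUserToken(otherKey, serverCert, serverNonce)
	fmt.Println("wrong key:  ", verifyUserTokenSignature(userCert, serverCert, serverNonce, badSig))
	fmt.Println("old nonce:  ", verifyUserTokenSignature(userCert, serverCert, []byte("replayed-nonce"), sig))
}
```

The same serverCertificate || serverNonce bytes are also signed, with the client's application-instance key, to produce the clientSignature of the same ActivateSessionRequest; the server reports that one as BadApplicationSignatureInvalid and the user-token one as BadUserSignatureInvalid, so the status code tells which of the two keys was used incorrectly.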

Chris Rossi

Feb 22, 2022, 5:55:25 PM2/22/22
to open62541
Julius,

When you say the client side isn't that far do you mean it's not fully implemented yet? Is that why I receive a BadApplicationSignatureInvalid error when I try to use an X509IdentityToken from the client? When will this be ready? If possible I really need to have certificate authentication working soon for a customer deliverable. It would be great to have a working example too so I could look at the implementation rather than trying to guess how this should be coded.

Thanks,
Chris

Julius Pfrommer

Feb 22, 2022, 5:59:34 PM2/22/22
to open62541
Yes, creating the signature for certificate authentication is not implemented in the client so far.
I guess that will be a matter of < 100 lines of code, as a lot of the crypto infrastructure is already in place.
We have the server-side. If you are in a hurry, you can take that as the starting point to work on it.
Otherwise the feature will appear when we get to it on our priority list or there is a contributor.