Client Authentication question


Rick

Sep 16, 2025, 4:32:10 PM
to open62541
Hi everyone,

I am trying to build an OPC Client application that can be configured to connect to various OPC Servers using different types of authentication, exactly like the UaExpert client does.  The input configuration to my client application provides the server URL, possibly a username and password, and maybe a client certificate and private key.  If only the URL is configured, it should make an anonymous connection.

I can successfully make anonymous and user/pass connections, but when I try to use the certificate and the key I generated using 'UA_CreateCertificate', I always get "BadSecurityChecksFailed" back from the 'UA_Client_connect' call.  I have added my certificate to the Server trust list.  I can perform the same steps with UaExpert (generate a client certificate, add it to the Server trust list) and I can connect just fine from there, so I think I am doing something wrong in my client code. Does anyone see what I am missing here?

FYI: I am using the amalgamated source from version 1.4.13 and I have mbedtls encryption enabled.  I can generate client certificates from my program, and that works ok, so I believe I am building and using the library correctly.

UA_StatusCode Connect (const char* url, const char* username, const char* password, UA_ByteString cert, UA_ByteString key)
{
   // Make a new client and get its configuration object:
   UA_StatusCode    retval = 0;
   UA_Client*       client = UA_Client_new();
   UA_ClientConfig* config = UA_Client_getConfig (client);
   UA_ClientConfig_setDefault (config);

   // If a user/pass was specified, add it now:
   if (username && password)
      retval = UA_ClientConfig_setAuthenticationUsername (config, username, password);
   if (retval != UA_STATUSCODE_GOOD) return retval;

   // If a certificate was specified, add it now:
   if ((cert.length > 0) && (key.length > 0))
      retval = UA_ClientConfig_setDefaultEncryption (config, cert, key, NULL, 0, NULL, 0);
   if (retval != UA_STATUSCODE_GOOD) return retval;

   // Now that everything is set up, make the connection to the Server:
   retval = UA_Client_connect (client, url);
   return retval;
}


Thanks in advance for any advice or suggestions!

Julius Pfrommer

Sep 17, 2025, 2:16:38 AM
to Rick, open62541
Rick,

Do you get any helpful log output from the server?
Maybe crank up the log level...

One thing to make sure is that the ApplicationURI needs to match between the certificate and the ApplicationDescription configured in the client.

Regards, Julius


Rick

Sep 19, 2025, 3:57:44 AM
to open62541
Julius,

You were correct, the ApplicationURI did not match the URI in the certificate.  I added this line:

   config->clientDescription.applicationUri = UA_String_fromChars ("...the correct URI...");

to my code above, and now it connects!

Thank you for your help.
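
The mismatch found in this thread can be caught before calling UA_Client_connect by comparing the URI entry in the certificate's subjectAltName with the ApplicationURI the client is configured to announce. The C check below is an added example, not code from the thread or from open62541. It assumes a DER-encoded certificate; the names tlv, find_san_uri and app_uri_matches_cert are hypothetical, and the sample bytes are a constructed extension fragment rather than a full certificate (the walker descends through a full certificate the same way).

```c
#include <stddef.h>
#include <string.h>

/* Parse one DER TLV header at p; returns 0 on truncated or malformed input. */
static int tlv(const unsigned char *p, const unsigned char *end,
               unsigned char *tag, const unsigned char **val, size_t *len) {
    if (end - p < 2) return 0;
    size_t n = p[1], hdr = 2;
    if (n & 0x80) {                    /* long form: low 7 bits = number of length bytes */
        size_t cnt = n & 0x7F, i;
        if (cnt == 0 || cnt > 4 || (size_t)(end - p) < 2 + cnt) return 0;
        for (n = 0, i = 0; i < cnt; i++) n = (n << 8) | p[2 + i];
        hdr += cnt;
    }
    if ((size_t)(end - p) - hdr < n) return 0;   /* value must fit in the buffer */
    *tag = p[0]; *val = p + hdr; *len = n;
    return 1;
}

/* Depth-first search for subjectAltName (OID 2.5.29.17) and its first URI entry. */
static int find_san_uri(const unsigned char *p, const unsigned char *end, int depth,
                        const unsigned char **uri, size_t *uri_len) {
    static const unsigned char san_oid[] = {0x55, 0x1D, 0x11};
    unsigned char tag; const unsigned char *v; size_t n; int in_san = 0;
    if (depth > 16) return 0;          /* bound recursion on hostile input */
    for (; p < end && tlv(p, end, &tag, &v, &n); p = v + n) {
        if (tag == 0x06 && n == 3 && memcmp(v, san_oid, 3) == 0) { in_san = 1; continue; }
        if (in_san && tag == 0x04) {   /* extnValue: OCTET STRING wrapping GeneralNames */
            const unsigned char *e = v + n;
            if (!tlv(v, e, &tag, &v, &n) || tag != 0x30) return 0;
            for (p = v, e = v + n; p < e && tlv(p, e, &tag, &v, &n); p = v + n)
                if (tag == 0x86) { *uri = v; *uri_len = n; return 1; }  /* [6] URI */
            return 0;
        }
        if ((tag & 0x20) && find_san_uri(v, v + n, depth + 1, uri, uri_len)) return 1;
    }
    return 0;
}
/* Hypothetical pre-connect check: 1 if the SAN URI equals the configured ApplicationURI. */
int app_uri_matches_cert(const unsigned char *der, size_t der_len, const char *app_uri) {
    const unsigned char *uri; size_t n;
    if (!find_san_uri(der, der + der_len, 0, &uri, &n)) return 0;
    return strlen(app_uri) == n && memcmp(uri, app_uri, n) == 0;  /* exact, length-checked */
}
/* Constructed sample: Extensions SEQUENCE with one SAN extension (DNS "host", then a URI). */
const unsigned char SAMPLE_EXT[] = {
    0x30,0x25, 0x30,0x23, 0x06,0x03,0x55,0x1D,0x11, 0x04,0x1C, 0x30,0x1A,
    0x82,0x04,'h','o','s','t', 0x86,0x12,
    'u','r','n',':','e','x','a','m','p','l','e',':','c','l','i','e','n','t' };
```

In the Connect function posted above, the inputs would be cert.data, cert.length and the string assigned to config->clientDescription.applicationUri.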
