Client Authentication with CertificateIdentifier for StoreType Directory #2584

pw-sgr · 2024-04-11T06:48:34Z

pw-sgr
Apr 11, 2024

I'm trying to connect to a OPC UA server using the CertificateIdentifier and CertificateStoreType.Directory as StoreType.

When doing so I get the exception that it couldn't find the private key when signing the certificate with the rsa key.

When debugging the DirectoryCertificateStore class I can see that the created Entry has the paths to the .der certificate in the certs folder and the .pem private key in the private folder of the CertificateIdentifier.StorePath. But the property CertificateWithPrivateKey of the private Entry class in DirectoryCertificateStore is only set, in the initialization, to null and then only checked against null.

Both the certificate and the private key extracted from a .pfx file using openssl.

What am I doing wrong? Is the store type Directory even a valid client authentication method?

Version: 1.4.372.56

mregen · 2024-05-01T05:42:37Z

mregen
May 1, 2024
Collaborator

my recommendation is to follow the samples to load an ApplicationConfiguration, often times, depending on the target platform, it is not sufficient to load the private key. It also needs to be in the right keystore and accessible.
There is the CheckApplicationCertificate function which deals with these issues implicitly. Modifying the ApplicationCertificate directly often leads to these errors.

1 reply

pw-sgr May 6, 2024
Author

I do call CheckApplicationCertificate, but that exception happens in Session.Create(ApplicationConfiguration, ConfiguredEndpoint, bool, string, uint, IUserIdentity, IList<string>, CancellationToken) based on the certificate specified in the UserIdentity.

I haven't specified the UserIdentity part as I thought that was the only way to use the certificate for authentication.

I can't find a project in the samples where the authentication certificate is loaded from a folder, that's why I originally asked

mregen · 2024-05-07T14:25:39Z

mregen
May 7, 2024
Collaborator

@pw-sgr I see, for client user auth the certificate needs to be loaded and there is no sample yet.
Please look at #2615 and add comments if needed, we will be looking into adding a sample for the console client.

0 replies

pw-sgr · 2024-05-08T07:34:01Z

pw-sgr
May 8, 2024
Author

@mregen I've subscribed to issue and will be looking if I can add anything, tank you

0 replies

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Client Authentication with CertificateIdentifier for StoreType Directory #2584

Uh oh!

{{title}}

Uh oh!

Replies: 3 comments 1 reply

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{title}}

Uh oh!

Select a reply

Uh oh!

Client Authentication with CertificateIdentifier for StoreType Directory #2584

Uh oh!

pw-sgr Apr 11, 2024

Replies: 3 comments · 1 reply

Uh oh!

mregen May 1, 2024 Collaborator

Uh oh!

pw-sgr May 6, 2024 Author

Uh oh!

mregen May 7, 2024 Collaborator

Uh oh!

pw-sgr May 8, 2024 Author

pw-sgr
Apr 11, 2024

Replies: 3 comments 1 reply

mregen
May 1, 2024
Collaborator

pw-sgr May 6, 2024
Author

mregen
May 7, 2024
Collaborator

pw-sgr
May 8, 2024
Author