
How to trust a self-signed server certificate with the node-opcua client


I have a simple node-opcua client and it wants to connect to a server via Basic128Rsa15 policy.

I have created a self-signed certificate and the server does receive this cert and I can move it on the server to the trusted pki directory.

At my client - the node-opcua - I also see a new directory "pki/rejected" with the cert from the server.

My question is now: What do I have to do now so that the client will trust this self-signed cert from the server?

I have already tried to create a "trusted" directory and move it there, but this does not help. I have also tried to add an option (which I found via Google): serverCertificate=crypto_utils.readCertificate("pki/trusted/04c9f401be19e5a2349460306579c692e777cea5.pem"); but that didn't help either. When I start the client, it creates the cert in the "rejected" folder again.

My node-opcua options for the connection:

    options:
      securityMode: 3   # None = 1, Sign = 2, SignAndEncrypt = 3
      securityPolicy: "http://opcfoundation.org/UA/SecurityPolicy#Basic128Rsa15"
      certificateFile: certificates/cert.pem
      privateKeyFile: certificates/key.pem


Solution

  • [EDITED]

    version 2.30 onward: node-opcua clients now perform full validation of certificates coming from servers:

    • if a server certificate has been generated by a CA, the CA certificate must appear in the PKI of the client (in the issuer folder) alongside the corresponding CRL.
    • by default the client certificate manager accepts valid but unknown server certificates, for backward compatibility with previous versions. This can be changed by setting automaticallyAcceptUnknownCertificates to false.
    • other checks are performed to verify that the server's certificate strictly complies with the requirements of OPC UA, such as: the subjectAltName uniformResourceIdentifier must match the server's applicationUri, keyUsage, key length, etc.
    • if the server certificate is known and in the rejected folder, the client will reject the connection with the server.

    version 2.28 and below: node-opcua clients did not yet perform server certificate trust/reject checks, nor full certificate validation, just basic validation (date, signature, ...)