I am using the Softing C++ UA Toolkit v5.57 to create an OPC UA client that connects to an OPC UA server. Since connecting to the server requires SSL encryption (security mode SignAndEncrypt, security policy Basic256Sha256), I created my own self-signed certificate with OpenSSL.
This setup worked fine until the OPC UA server was recently updated, which (at least) changed how its certificate is generated. I have re-added my self-signed certificate to the server's trusted certificate store and added the server's new certificate to the client's trusted certificate store. I can connect to the server successfully with a third-party OPC UA client.
However, no matter what I try, when attempting to connect my application (which worked before) to the server I get a BadCertificateUseNotAllowed error. With tracing turned up to the maximum I can see that I successfully get the endpoints, but when the channel usage changes to USAGE_SESSION I run into BadCertificateUseNotAllowed. Removing the server's certificate from the client's trusted store produces the expected "certificate not trusted" error, and re-adding it brings back the "use not allowed" error.
From the error description, all I can gather is ... that the certificate is not allowed for some use? I have double-checked that e.g. keyEncipherment and dataEncipherment are enabled in both certificates.
One notable change I see is that the OPC UA server's old certificate had Subject Type=CA, while the new one downgrades this to Subject Type=End Entity - but since I do not use the server's certificate as a CA, I don't think that should have any effect here.
The error log is as follows:
Info Application::initialize(...)
Info Application::loadCertificate(...)
Info Application::loadPrivateKey(...)
Info Application::activateLicense(...)
Info Application::start(...)
Info FoundationStack::loadCertificate
Info Certificate loaded: 'C:/CERTIF~1/CERT_C~1.DER'
Info FoundationStack::loadPrivateKey
Info Application::getEndpointsFromServer(...)
Info Client session: 05483FF0 constructor
Info Secure channel: 00842FD8(00000000) constructor
Info Secure channel: 00842FD8(00000000) registered
Info Secure channel: 00842FD8(00000000) add Session (05483FF0) to opc.tcp://192.168.100.100:4842/ [0]
Info Secure channel: 00842FD8(0540B838) opening sync
Debug Connection info url: opc.tcp://192.168.100.100:4842/
Debug Connection info securityPolicy: http://opcfoundation.org/UA/SecurityPolicy#None
Debug Connection info client certificate length: 1386
Debug Connection info client key length: 1191
Debug Connection info server certificate length: -1
Debug Connection info message security mode: 1
Info Endpoint idx : 0
Info EndpointUrl : 'opc.tcp://MO-CM-6:4842'
Info SecurityPolicyUri : 'http://opcfoundation.org/UA/SecurityPolicy#Basic256Sha256'
Info SecurityMode : 2
Info TransportProfileUri : 'http://opcfoundation.org/UA-Profile/Transport/uatcp-uasc-uabinary'
Info Certificate length : 917
Info Server.ServerName : 'Application 1'
Info Server.ServerUri : 'urn:OPC-UA:Application 1'
Info Server.ProductUri : 'urn:OPC-UA:Server'
Info Server.GatewayServerUri : ' -- null char* string -- '
Info Server.DiscoveryProfileUri : ' -- null char* string -- '
Info UserIdentity token policy id : open62541-certificate-policy-sign#Basic256Sha256
Info UserIdentity token policy id : open62541-username-policy-sign#Basic256Sha256
Info Endpoint idx : 1
Info EndpointUrl : 'opc.tcp://MO-CM-6:4842'
Info SecurityPolicyUri : 'http://opcfoundation.org/UA/SecurityPolicy#Basic256Sha256'
Info SecurityMode : 3
Info TransportProfileUri : 'http://opcfoundation.org/UA-Profile/Transport/uatcp-uasc-uabinary'
Info Certificate length : 917
Info Server.ServerName : 'Application 1'
Info Server.ServerUri : 'urn:OPC-UA:Application 1'
Info Server.ProductUri : 'urn:OPC-UA:Server'
Info Server.GatewayServerUri : ' -- null char* string -- '
Info Server.DiscoveryProfileUri : ' -- null char* string -- '
Info UserIdentity token policy id : open62541-certificate-policy-sign+encrypt#Basic256Sha256
Info UserIdentity token policy id : open62541-username-policy-sign+encrypt#Basic256Sha256
Info Secure channel: 00842FD8(0540B838) finally disconnecting sync
Info Secure channel: 00842FD8(0540B838) remove session (05483FF0) to opc.tcp://192.168.100.100:4842/
Info Secure channel: 00842FD8(00000000) unregistered
Info Secure channel: 00842FD8(00000000) destructor
Info Client session: 05483FF0 destructor, secure channel: 00000000
Debug Removed SynchronizeTargetStates action
Info Update reconnect action : object state is Disconnected
Info Client session: 05522F48 constructor
Info Session::setSecurityConfiguration(...)
Info Application::addSession(...)
Info Session::isConnected(...)
Info Session::connect(...)
Info Connecting session (05522F48) reconnect: 0
Info FoundationStack::createCryptoProvider
Info Session (05522F48) doConnectDisconnect State: INIT
Info Asynchronous connect started
Debug Setting channel usage to USAGE_SESSION
Info doConnectDisconnect (session: 05522F48) getting endpoints
Debug Setting channel usage to USAGE_GETENDPOINTS
Info Secure channel: 00842678(00000000) constructor
Info Secure channel: 00842678(00000000) registered
Info Secure channel: 00842678(00000000) add Session (05522F48) to opc.tcp://192.168.100.100:4842/ [0]
Info Secure channel: 00842678(0540B838) opening async
Debug Connection info url: opc.tcp://192.168.100.100:4842/
Debug Connection info securityPolicy: http://opcfoundation.org/UA/SecurityPolicy#None
Debug Connection info client certificate length: 1386
Debug Connection info client key length: 1191
Debug Connection info server certificate length: 917
Debug Connection info message security mode: 1
Info Secure channel: 00842678(0540B838) received stack callback (event 1)
Info Secure channel: 00842678(0540B838) connection changed to connected
Info Session : Connection status changed to: CONNECTED, status = Good
Info Session (05522F48) doConnectDisconnect State: INSECURE_CHANNEL_OPENED
Debug : Number of scheduled work items: 1
Info Secure channel open response: Good
Debug : Number of scheduled work items: 1
Info Session (05522F48) doConnectDisconnect State: GETENDPOINTS_DONE
Info GetEndpoints response: Good
Debug Setting channel usage to USAGE_GETENDPOINTS
Info Secure channel: 00842678(0540B838) closing async for session (05522F48) to opc.tcp://192.168.100.100:4842/
Info Secure channel: 00842678(0540B838) finally disconnecting async
Info Secure channel: 00842678(0540B838) received stack callback (event 2)
Info Secure channel: 00842678(0540B838) connection changed to disconnected
Info Secure channel: 00842678(0540B838) remove session (05522F48) to opc.tcp://192.168.100.100:4842/
Info Secure channel: 00842678(00000000) unregistered
Info Session : Connection status changed to: DISCONNECTED, status = Good
Info postDisconnectEvent Good
Debug : Number of scheduled work items: 1
Info Session (05522F48) onDisconnectEvent Old state: Connecting
Info Secure channel: 00842678(00000000) destructor
Info Session (05522F48) doConnectDisconnect State: INSECURE_CHANNEL_CLOSED
Debug Setting channel usage to USAGE_SESSION
Info Secure channel: 00842BF0(00000000) constructor
Info Secure channel: 00842BF0(00000000) registered
Info Secure channel: 00842BF0(00000000) add Session (05522F48) to opc.tcp://192.168.100.100:4842/ [0]
Info Secure channel: 00842BF0(05408238) opening async
Debug Connection info url: opc.tcp://192.168.100.100:4842/
Debug Connection info securityPolicy: http://opcfoundation.org/UA/SecurityPolicy#Basic256Sha256
Debug Connection info client certificate length: 1386
Debug Connection info client key length: 1191
Debug Connection info server certificate length: 917
Debug Connection info message security mode: 3
Info Update reconnect action : object state is Connecting
Info Secure channel: 00842BF0(05408238) received stack callback (event 1)
Info Secure channel: 00842BF0(05408238) connection changed to connected
Info Session : Connection status changed to: CONNECTED, status = BadCertificateUseNotAllowed
Debug : Number of scheduled work items: 1
Info Session (05522F48) doConnectDisconnect State: SECURE_CHANNEL_OPENED
Info Secure channel open response: BadCertificateUseNotAllowed
Info postDisconnectEvent BadCertificateUseNotAllowed
Debug : Number of scheduled work items: 1
Info (842) Session (05522F48) onDisconnectEvent Old state: Disconnecting
Info Session (05522F48) doConnectDisconnect State: SECURE_CHANNEL_CLOSED
Info Close secure channel response: BadCertificateUseNotAllowed
Info Secure channel: 00842BF0(05408238) remove session (05522F48) to opc.tcp://192.168.100.100:4842/
Info Secure channel: 00842BF0(00000000) unregistered
Info Secure channel: 00842BF0(00000000) destructor
Info Update reconnect action : object state is Disconnected
Debug : Number of scheduled work items: 1
Info Update reconnect action : object state is Disconnected
Info Sending response to agent: BadCertificateUseNotAllowed
Info Connect session done, new state:Disconnected
Info Update reconnect action : object state is Disconnected
Error Error result from API call Session::connect(...) BadCertificateUseNotAllowed
Info Session::isConnected(...)
Info Application::removeSession(...)
Debug Removed SynchronizeTargetStates action
Info Session (05522F48) doConnectDisconnect State: INIT
Info Asynchronous disconnect started
Info channel already closed
Info Update reconnect action : object state is Disconnected
Debug : Number of scheduled work items: 1
Info Sending response to agent: Good
Debug Removed SynchronizeTargetStates action
Info Update reconnect action : object state is Disconnected
Info Client session: 05522F48 destructor, secure channel: 00000000
Debug Removed SynchronizeTargetStates action
Info Update reconnect action : object state is Disconnected
Info Application::getEndpointsFromServer(...)
Info Client session: 055231E8 constructor
Info Secure channel: 00842290(00000000) constructor
Info Secure channel: 00842290(00000000) registered
Info Secure channel: 00842290(00000000) add Session (055231E8) to opc.tcp://192.168.100.100:4842/ [0]
Info Secure channel: 00842290(0540B4F8) opening sync
Debug Connection info url: opc.tcp://192.168.100.100:4842/
Debug Connection info securityPolicy: http://opcfoundation.org/UA/SecurityPolicy#None
Debug Connection info client certificate length: 1386
Debug Connection info client key length: 1191
Debug Connection info server certificate length: -1
Debug Connection info message security mode: 1
Info Endpoint idx : 0
Info EndpointUrl : 'opc.tcp://MO-CM-6:4842'
Info SecurityPolicyUri : 'http://opcfoundation.org/UA/SecurityPolicy#Basic256Sha256'
Info SecurityMode : 2
Info TransportProfileUri : 'http://opcfoundation.org/UA-Profile/Transport/uatcp-uasc-uabinary'
Info Certificate length : 917
Info Server.ServerName : 'Application 1'
Info Server.ServerUri : 'urn:OPC-UA:Application 1'
Info Server.ProductUri : 'urn:OPC-UA:Server'
Info Server.GatewayServerUri : ' -- null char* string -- '
Info Server.DiscoveryProfileUri : ' -- null char* string -- '
Info UserIdentity token policy id : open62541-certificate-policy-sign#Basic256Sha256
Info UserIdentity token policy id : open62541-username-policy-sign#Basic256Sha256
Info Endpoint idx : 1
Info EndpointUrl : 'opc.tcp://MO-CM-6:4842'
Info SecurityPolicyUri : 'http://opcfoundation.org/UA/SecurityPolicy#Basic256Sha256'
Info SecurityMode : 3
Info TransportProfileUri : 'http://opcfoundation.org/UA-Profile/Transport/uatcp-uasc-uabinary'
Info Certificate length : 917
Info Server.ServerName : 'Application 1'
Info Server.ServerUri : 'urn:OPC-UA:Application 1'
Info Server.ProductUri : 'urn:OPC-UA:Server'
Info Server.GatewayServerUri : ' -- null char* string -- '
Info Server.DiscoveryProfileUri : ' -- null char* string -- '
Info UserIdentity token policy id : open62541-certificate-policy-sign+encrypt#Basic256Sha256
Info UserIdentity token policy id : open62541-username-policy-sign+encrypt#Basic256Sha256
Info Secure channel: 00842290(0540B4F8) finally disconnecting sync
Info Secure channel: 00842290(0540B4F8) remove session (055231E8) to opc.tcp://192.168.100.100:4842/
Info Secure channel: 00842290(00000000) unregistered
Info Secure channel: 00842290(00000000) destructor
Info Client session: 055231E8 destructor, secure channel: 00000000
Debug Removed SynchronizeTargetStates action
Info Update reconnect action : object state is Disconnected
Info Client session: 055231E8 constructor
Info Session::setSecurityConfiguration(...)
Info Application::addSession(...)
Info Session::isConnected(...)
Info Session::connect(...)
Info Connecting session (055231E8) reconnect: 0
Info Session (055231E8) doConnectDisconnect State: INIT
Info Asynchronous connect started
Debug Setting channel usage to USAGE_SESSION
Info doConnectDisconnect (session: 055231E8) getting endpoints
Debug Setting channel usage to USAGE_GETENDPOINTS
Info Secure channel: 00842420(00000000) constructor
Info Secure channel: 00842420(00000000) registered
Info Secure channel: 00842420(00000000) add Session (055231E8) to opc.tcp://192.168.100.100:4842/ [0]
Info Secure channel: 00842420(0540B4B8) opening async
Debug Connection info url: opc.tcp://192.168.100.100:4842/
Debug Connection info securityPolicy: http://opcfoundation.org/UA/SecurityPolicy#None
Debug Connection info client certificate length: 1386
Debug Connection info client key length: 1191
Debug Connection info server certificate length: 917
Debug Connection info message security mode: 1
Info Secure channel: 00842420(0540B4B8) received stack callback (event 1)
Info Secure channel: 00842420(0540B4B8) connection changed to connected
Info Session : Connection status changed to: CONNECTED, status = Good
Debug : Number of scheduled work items: 1
Info Session (055231E8) doConnectDisconnect State: INSECURE_CHANNEL_OPENED
Info Secure channel open response: Good
Debug : Number of scheduled work items: 1
Info Session (055231E8) doConnectDisconnect State: GETENDPOINTS_DONE
Info GetEndpoints response: Good
Debug Setting channel usage to USAGE_GETENDPOINTS
Info Secure channel: 00842420(0540B4B8) closing async for session (055231E8) to opc.tcp://192.168.100.100:4842/
Info Secure channel: 00842420(0540B4B8) finally disconnecting async
Info Secure channel: 00842420(0540B4B8) received stack callback (event 2)
Info Secure channel: 00842420(0540B4B8) connection changed to disconnected
Info Secure channel: 00842420(0540B4B8) remove session (055231E8) to opc.tcp://192.168.100.100:4842/
Info Secure channel: 00842420(00000000) unregistered
Info Session : Connection status changed to: DISCONNECTED, status = Good
Info postDisconnectEvent Good
Debug : Number of scheduled work items: 1
Info Session (055231E8) onDisconnectEvent Old state: Connecting
Info Session (055231E8) doConnectDisconnect State: INSECURE_CHANNEL_CLOSED
Debug Setting channel usage to USAGE_SESSION
Info Secure channel: 00842678(00000000) constructor
Info Secure channel: 00842420(00000000) destructor
Info Secure channel: 00842678(00000000) registered
Info Secure channel: 00842678(00000000) add Session (055231E8) to opc.tcp://192.168.100.100:4842/ [0]
Info Secure channel: 00842678(05408538) opening async
Debug Connection info url: opc.tcp://192.168.100.100:4842/
Debug Connection info securityPolicy: http://opcfoundation.org/UA/SecurityPolicy#Basic256Sha256
Debug Connection info client certificate length: 1386
Debug Connection info client key length: 1191
Debug Connection info server certificate length: 917
Debug Connection info message security mode: 3
Info Update reconnect action : object state is Connecting
Info Secure channel: 00842678(05408538) received stack callback (event 1)
Info Secure channel: 00842678(05408538) connection changed to connected
Info Session : Connection status changed to: CONNECTED, status = BadCertificateUseNotAllowed
Info Session (055231E8) doConnectDisconnect State: SECURE_CHANNEL_OPENED
Info Secure channel open response: BadCertificateUseNotAllowed
Debug : Number of scheduled work items: 1
Info postDisconnectEvent BadCertificateUseNotAllowed
Debug : Number of scheduled work items: 1
Info Session (055231E8) onDisconnectEvent Old state: Disconnecting
Info Session (055231E8) doConnectDisconnect State: SECURE_CHANNEL_CLOSED
Info Close secure channel response: BadCertificateUseNotAllowed
Info Secure channel: 00842678(05408538) remove session (055231E8) to opc.tcp://192.168.100.100:4842/
Info Secure channel: 00842678(00000000) unregistered
Info Secure channel: 00842678(00000000) destructor
Info Update reconnect action : object state is Disconnected
Debug : Number of scheduled work items: 1
Info Update reconnect action : object state is Disconnected
Info Sending response to agent: BadCertificateUseNotAllowed
Info Connect session done, new state:Disconnected
Info Update reconnect action : object state is Disconnected
Error Error result from API call Session::connect(...) BadCertificateUseNotAllowed
I know this is a long shot, but maybe someone else knows where I could look next.
Here is my certificate as printed by openssl x509 -inform der:
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 0 (0x0)
Signature Algorithm: sha256WithRSAEncryption
Issuer: O = My Company, OU = IA, CN = MyApplication, DC = MY-PC
Validity
Not Before: Sep 9 13:10:30 2024 GMT
Not After : Sep 11 13:10:30 2123 GMT
Subject: O = My Company, OU = IA, CN = MyApplication, DC = MY-PC
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public-Key: (2048 bit)
Modulus:
00:ef:ce:70:8d:4c:10:2c:ff:73:72:26:75:6a:95:
a5:96:b5:3a:87:02:18:28:1b:38:4c:c9:0d:61:34:
22:5e:e9:78:f2:6c:d4:e2:af:ef:c1:96:20:35:35:
be:59:14:e2:00:ed:47:63:72:1e:a2:d8:8e:1e:88:
fb:64:87:8b:f2:b8:d3:c7:31:3d:53:1c:3a:79:07:
db:4c:35:a4:7e:73:69:68:b7:ef:6a:92:cd:da:6d:
ae:ec:76:1a:31:60:62:c6:e8:ec:db:ad:3a:ee:de:
fb:92:75:1c:41:09:fe:3f:8f:f4:e0:76:e9:ef:30:
8a:4a:8a:81:86:68:1c:9b:a2:ac:75:fd:ef:fb:6e:
a5:aa:82:3e:48:22:12:5f:7b:d7:04:a4:29:5b:63:
94:f6:a7:46:73:09:5f:86:a8:ab:af:1a:6f:2c:f7:
55:30:4a:2c:2b:03:a0:77:d9:50:f1:32:c8:68:37:
86:1f:41:b7:42:03:bf:09:ef:98:c6:84:d0:90:29:
2d:40:1e:4d:85:d6:ba:8c:e0:12:d9:18:d8:41:b9:
98:83:af:c2:a7:25:9a:21:e2:82:67:48:54:f7:95:
51:da:7f:4c:85:2a:cf:f3:a8:3e:c5:8e:30:a2:a8:
22:32:79:c2:83:05:82:5d:98:37:eb:bc:73:44:ad:
a6:4d
Exponent: 65537 (0x10001)
X509v3 extensions:
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
E1:97:EC:D9:63:07:2F:4A:E6:37:CF:39:98:1F:8E:3C:08:47:BE:2F
X509v3 Authority Key Identifier:
keyid:E1:97:EC:D9:63:07:2F:4A:E6:37:CF:39:98:1F:8E:3C:08:47:BE:2F
DirName:/O=My Company/OU=IA/CN=MyApplication/DC=MY-PC
serial:00
X509v3 Subject Alternative Name:
URI:urn:MY-PC/MyApplication
X509v3 Basic Constraints:
CA:TRUE
X509v3 Key Usage:
Digital Signature, Non Repudiation, Key Encipherment, Data Encipherment, Certificate Sign, CRL Sign
X509v3 Extended Key Usage:
TLS Web Server Authentication, TLS Web Client Authentication
Signature Algorithm: sha256WithRSAEncryption
10:a4:37:0f:cd:c2:cf:94:20:f8:ba:80:24:92:9c:55:77:90:
e2:6b:66:fc:2e:64:ab:6b:67:a6:0c:ab:0a:42:69:0e:67:42:
22:20:f2:73:cc:83:56:fe:9f:65:8d:fb:7e:9a:7f:b9:01:b1:
0a:d4:71:77:58:ed:81:60:f0:f4:45:55:75:12:7a:34:00:8c:
1e:2d:95:8e:a0:7f:f7:b9:6d:0f:77:9e:be:67:6b:47:20:1e:
cf:30:d8:6a:55:a5:4c:b2:5e:5e:65:81:ab:f7:22:d7:09:9f:
3a:ce:4f:f7:b5:39:ef:5d:a5:99:5e:ba:67:08:76:5e:78:33:
d7:37:56:57:87:60:8e:0e:78:f7:45:c1:ca:68:5a:d5:99:6e:
2d:12:a1:d3:ec:e1:d6:35:2c:3b:bc:8e:08:b3:33:c4:6f:2a:
7a:d7:e5:d3:0c:68:b0:6f:f0:91:5c:f9:f4:bc:fe:b6:4b:79:
5d:23:0b:1d:48:57:1b:cb:8c:dd:33:f7:f0:af:df:07:1b:ed:
9d:fd:0b:f5:27:56:28:e1:d2:9b:a2:22:68:9b:ce:45:34:cb:
2d:58:f7:d7:32:d9:63:d9:d0:75:01:fb:b4:a1:3a:59:b8:e0:
c8:6f:80:db:91:27:3a:ad:34:7b:3f:8d:5f:de:30:29:18:41:
47:7e:0a:b8
X509v3 Basic Constraints: CA:TRUE
This may be your problem.
See https://reference.opcfoundation.org/Core/Part6/v105/docs/6.2.2 for the requirements on application instance certificates.
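As an added example (not code from the question, the answer, or the Softing toolkit), the script below builds two self-signed certificates with OpenSSL: one with the question's profile (CA:TRUE plus keyCertSign/cRLSign) and one shaped the way Part 6, 6.2.2 expects an application instance certificate (end-entity, the four required key usages, a subjectAltName URI equal to the ApplicationUri). It then runs the check an OPC UA stack performs before it will use a certificate for a session, which rejects the first and accepts the second. The organisation, the hostname MY-PC and the ApplicationUri urn:MY-PC:MyApplication are placeholders chosen for this example; the openssl command line tool must be installed.

```shell
#!/bin/sh
# Added example, not part of the original question or the Softing toolkit.
# Placeholders: "My Company", hostname MY-PC, ApplicationUri urn:MY-PC:MyApplication.
set -eu

# Write an OpenSSL request config. $1=config path, $2=ApplicationUri,
# $3=hostname, $4=profile: "ca" reproduces the question's CA:TRUE certificate,
# anything else produces the Part 6 end-entity profile.
write_cnf() {
  cnf="$1"; app_uri="$2"; host="$3"; profile="$4"
  if [ "$profile" = "ca" ]; then
    bc="CA:TRUE"
    ku="digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment, keyCertSign, cRLSign"
  else
    bc="critical, CA:FALSE"
    ku="critical, digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment"
  fi
  cat > "$cnf" <<EOF
[ req ]
distinguished_name = dn
x509_extensions    = ext
prompt             = no

[ dn ]
O  = My Company
OU = IA
CN = MyApplication
DC = $host

[ ext ]
basicConstraints     = $bc
keyUsage             = $ku
extendedKeyUsage     = serverAuth, clientAuth
subjectKeyIdentifier = hash
subjectAltName       = URI:$app_uri, DNS:$host
EOF
}

# Generate a self-signed RSA-2048/SHA-256 certificate (Basic256Sha256 needs a
# 2048-bit or larger RSA key) and convert it to DER, the form the toolkit loads.
# $1=output directory, $2=profile ("ca" or "ee"), $3=ApplicationUri, $4=hostname
# Prints the path of the DER file.
gen_cert() {
  dir="$1"; profile="$2"; app_uri="$3"; host="$4"
  mkdir -p "$dir"
  write_cnf "$dir/$profile.cnf" "$app_uri" "$host" "$profile"
  openssl req -x509 -newkey rsa:2048 -sha256 -nodes -days 3650 \
    -keyout "$dir/$profile.key.pem" -out "$dir/$profile.crt.pem" \
    -config "$dir/$profile.cnf" >/dev/null 2>&1
  openssl x509 -in "$dir/$profile.crt.pem" -outform DER -out "$dir/$profile.der"
  echo "$dir/$profile.der"
}

# Check a DER certificate against the application-instance profile of Part 6:
# end-entity, the four key usages, SAN URI equal to the ApplicationUri, 2048-bit key.
# Returns 0 if usable for a session, 1 with the reason on stderr otherwise.
# $1=DER file, $2=ApplicationUri the client will send in CreateSession
check_cert() {
  der="$1"; app_uri="$2"
  txt="$(openssl x509 -in "$der" -inform DER -noout -text)"
  if ! printf '%s\n' "$txt" | grep -q 'CA:FALSE'; then
    echo "$der: basicConstraints is not CA:FALSE; a CA certificate is not an application instance certificate" >&2
    return 1
  fi
  for ku in 'Digital Signature' 'Non Repudiation' 'Key Encipherment' 'Data Encipherment'; do
    printf '%s\n' "$txt" | grep -q "$ku" || { echo "$der: keyUsage lacks $ku" >&2; return 1; }
  done
  if ! printf '%s\n' "$txt" | grep -q "URI:$app_uri"; then
    echo "$der: subjectAltName has no URI matching the ApplicationUri $app_uri" >&2
    return 1
  fi
  printf '%s\n' "$txt" | grep -q 'Public-Key: (2048 bit)' \
    || { echo "$der: public key is not 2048-bit RSA" >&2; return 1; }
  return 0
}

# Usage: the question's CA:TRUE profile next to the compliant one.
work="$(mktemp -d)"
bad="$(gen_cert "$work" ca "urn:MY-PC:MyApplication" MY-PC)"
good="$(gen_cert "$work" ee "urn:MY-PC:MyApplication" MY-PC)"
check_cert "$bad" "urn:MY-PC:MyApplication" && echo "unexpected: CA cert accepted" || echo "CA cert rejected, as expected"
check_cert "$good" "urn:MY-PC:MyApplication" && echo "end-entity cert accepted: $good"
```

The point of the check is that keyEncipherment and dataEncipherment being set is necessary but not sufficient: the certificate must also be an end-entity certificate, and the URI in its subjectAltName must be the ApplicationUri the client presents, otherwise the peer rejects it before any session is created. Load the generated ee.der and ee.key.pem into the toolkit in place of the CA:TRUE pair, and re-trust the new client certificate on the server.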