Bad certificate OPC UA Server

I’m running Ignition 7.9.13 and I’m trying to create an OPC UA connection with Weintek cMT-SRV.
After adding it, the OPC connection faulted.
Certificate application URI invalid: StatusCode{name=Bad_CertificateUriInvalid, value=0x80170000, quality=bad}
What can I do?

This usually means 1 of 2 things:

  1. the certificate of the server you’re connecting to has an invalid character (usually a space) in its application URI, making it invalid and causing the comparison to the URI in the ApplicationDescription to fail.
  2. the application URI in the certificate is actually different than the one returned in the ApplicationDescription in the EndpointDescription of the endpoint you’ve chosen when connecting.

Usually it’s #1. I’m not familiar with this server, so you’ll have to get in touch with their support if you can’t figure out how to re-generate a certificate that has a valid or matching application URI in it. If you can get a copy of the certificate and upload it here we can check to see if it’s #1.

In the meantime as a workaround you should be able to connect without security if the server allows it.

It’s already configured without security.
With UA Expert I manually trusted the certificate and it works fine.


Sorry, this screenshot doesn’t help.

Can you get a Wireshark recording of Ignition connecting to this server?

edit: and actually, can you get the rest of the logs? And navigate to the Status section of the gateway and find this OPC connection and check the fault reason and stack trace? In 7.9 this application URI message should only be a warning and not what is preventing you from connecting.

Maybe this can help

Hello guys,

I have a similar problem but with Factory Talk HMI.

We keep getting this BadCertificateUriInvalid serviceresult based on the KEPServerEX OPC Diagnostics tool.

How do we edit the Application Uri and how do we know which one we should use for them to match?

It looks/sounds like you are trying to connect Kepware to Factory Talk, is that right? Ignition not involved?

Yes that’s correct.

What version of Kepware is it?

Older versions generated URIs containing characters that aren’t allowed in a URI without being escaped. If you’re on a new enough version to fix it then all you need to do is delete/regenerate the certificate in Kepware and you’ll get a new one with a hopefully valid URI.
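
The two causes listed earlier in the thread (an invalid character in the certificate's application URI, or a URI that differs from the ApplicationDescription) and the unescaped-character problem described in the post above, as an added example that is not part of the original posts and not code from Ignition, Kepware or FactoryTalk. The function names and sample URIs are constructed for illustration, and the comparison is assumed to be an exact string match.

```python
import re

# Characters RFC 3986 allows unescaped in a URI (unreserved + reserved sets).
_ALLOWED = re.compile(r"[A-Za-z0-9\-._~:/?#\[\]@!$&'()*+,;=]")
_PCT = re.compile(r"%[0-9A-Fa-f]{2}")               # well-formed percent-escape
_SCHEME = re.compile(r"[A-Za-z][A-Za-z0-9+.\-]*:")  # e.g. "urn:" or "opc.tcp:"


def invalid_uri_chars(uri):
    """Return [(index, char)] for characters that must be escaped but are not."""
    bad, i = [], 0
    while i < len(uri):
        if _PCT.match(uri, i):
            i += 3
            continue
        if not _ALLOWED.match(uri[i]):  # space, stray '%', non-ASCII, ...
            bad.append((i, uri[i]))
        i += 1
    return bad


def diagnose(cert_uri, description_uri):
    """Classify the pair as 'invalid-uri' (#1), 'mismatch' (#2) or 'ok'.

    cert_uri: URI entry from the certificate's subjectAltName.
    description_uri: applicationUri from the ApplicationDescription.
    Assumption: the two are compared as exact strings.
    """
    bad = invalid_uri_chars(cert_uri)
    if bad or not _SCHEME.match(cert_uri):
        return "invalid-uri", bad
    if cert_uri != description_uri:
        return "mismatch", []
    return "ok", []


# Constructed sample values, not taken from any real server or client.
SAMPLES = [
    ("urn:HMI STATION 01:ExampleVendor:Client",) * 2,
    ("urn:hmi01:ExampleVendor:Client", "urn:hmi01.example.local:ExampleVendor:Client"),
    ("urn:HMI%20STATION%2001:ExampleVendor:Client",) * 2,
]

if __name__ == "__main__":
    for cert_uri, desc_uri in SAMPLES:
        print(diagnose(cert_uri, desc_uri), cert_uri)
```

The certificate's URI entry can be read from the subjectAltName section printed by `openssl x509 -noout -text -in <certificate file>`.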

FactoryTalk has had this same problem, IIRC. I think it had to do with the Windows computer name.

Yes I think you’re right, that rings a bell for me…

I’m assuming it’s a Kepware problem here based on the BadCertificateUriInvalid being returned in a response according to the screenshot/info.

But maybe I have the directions reversed here - @Daniel_Tablazon which software is the client and which is the server?

Hi Kevin,

The version for KEPServerEX is 6.11.718.0 specifically. FactoryTalk SE (version 11) is the client, and KEPServerEX 6 is the server.

Generating a new certificate didn’t seem to solve this issue. I tried connecting to the server with various 3rd party OPC UA clients and they all worked just fine.

So this issue was indeed specific to the Factory Talk client certificate.

Yes, I had it backwards. The problem is the Factory Talk client certificate then.

I don’t know anything about FT or how you’d fix that. I’m somewhat allergic to Rockwell software the way @pturmel is to Windows :stuck_out_tongue:
