Certificate Path Validation Failed

I am having an issue with OPC Server connection. I am communicating to a Prosoft PLX32 OPC, MODBUS, ETH IP module. I had this all set up and working with Version 7.8 and decided to upgrade to 8.0 for further application development. I struggled with certificates with the original 7.8 set up, so i believe this will be something similar.

I will take any guidance or suggestions!!


In the Ignition gateway config section, go to OPC UA > Security. On the Client tab you should see a Quarantined Certificates section with an entry for the certificate of the server you’re connecting to. You’ll need to mark that as trusted.

There may be a similar procedure you need to go through with the configuration software for the server you’re connecting to.

Thanks for the speedy response yesterday!! I am just now looking at this again. On the client security page I see a trusted certificate and a quarantined certificate with the same fingerprint. If i trust the quarantined one it comes back within a minute. The best i can tell I have completed this with the OPC server as well.

On the logging page in the gateway you can set log levels for the various loggers.

Search for “CertificateValidationUtil” on log level config dialog and turn it to DEBUG level.

It’s possible that even though you’ve added the server certificate to the trust list it’s invalid for some other reason.

I guess I should clarify. I am in ignition 8. I have this all working currently on 7.6

In the logger in 8, with set to debug, i get certificate path validation failed: unable to find valid cert path to requested target.

Can you try turning the logger for “DefaultCertificateValidator” onto DEBUG as well?

Also, if you look under wherever Ignition is installed, then data/opcua/client/security/pki/trusted/certs is the server’s certificate in there?

Also if you’re not on version 8.0.2 it might be worth upgrading just in case.

Also, if you can send the server certificate to me I can take a look at it real quick and see if there’s anything weird.

I sent you the cert in an email

Did you send it to kevin at inductiveautomation.com? I don’t see anything.

I replied to your email from yesterday

‘Kevin Herron via Inductive Automation Forum’ no-reply@inductiveautomation.com

ooops. Ill send it to you!

Okay, this certificate is not correctly indicating that it’s a self-signed certificate (the Certificate Authority Basic Constraint is not set).

This worked in 7.6 7.8 because there was no validation or trust chain verification happening back then.

If you can’t get that server to generate a certificate that correctly indicates it’s self-signed (or is actually signed by another certificate) then you’ll probably need to connect without security as the workaround.

Ah, I took another look at this certificate, and it is signed by another certificate, and is not self-signed.

The issuing certificate is the “ProSoft OPC UA Server Configuration Manager - Certificate Authority”. If you can place that certificate into the trusted certs dir I think you’ll be able to connect.

This worked!! I was able to export the certificate and place it in the Ignition Trusted certs dir, as instructed. We are now communicating with Ignition 8.0 to our microprocessor with the Prosoft module.

Thanks for your time!


Glad you got this working.

I made a change so that the entire certificate chain gets added to the rejected certificate list, which should make it much more obvious what’s happening in situations like this.

Running into the same issue here… Created a self-signed X509 certificate using openssl tool and Ignition is reporting a validation issue.