Omron OPC UA Server rejects Ignition Client Certificate

Hi, we are having trouble with connecting to an Omron OPC server from Ignition.

We have tested the connection with UA Expert, and know that it is working, but when we try to connect with the Ignition OPC client we get this error message.

[remote=/10.0.0.234:4840] Received error message: ErrorMessage{error=StatusCode{name=Bad_CertificateUseNotAllowed, value=0x80180000, quality=bad}, reason=null}

In the Omron software we can see in the logs that the authentication attempt is made, but the certificate is seen as invalid and is rejected.

I have tried to manually add the certificate to the Omron PLC, and also tried to regenerate the certificate.

I suspect that the Omron server is very picky about some of the fields in the certificate, and that maybe Ignition may not conform to that.

Anyone solved this before?

You may need to upgrade to 8.1.43 and then re-generate the client certificate after you’ve upgraded.

I am already on 8.1.43, and have refreshed the certificate.

Suspecting the field "Type", which is set to "-" while all other certs that it accepts are set to "CA". Is there any way to manipulate this?


Can you upload your certificate so I can take a look at it?

I assumed that the Omron server was validating the certificate according to the latest OPC UA 1.05 requirements, which state that the BasicConstraints shall indicate CA=false, and your Ignition was out of date and creating it with CA=true, but it sounds like the opposite may be true.

ignition-client.der (1.1 KB)

Okay, yeah, this certificate looks good according to UA Part 6: Mappings - 6.2.2 Application Instance Certificate

There's nothing you can do to change how Ignition generates it. You could try installing an older version of Ignition in a VM or something and then copying out its client keystore file...

Otherwise you just need to turn security off and contact Omron for support, because this is something they need to fix. (or point out what's wrong)

OK, thank you.
Will try to remember to update this when we hear back from Omron.

Just as a curiosity, I wonder if the Omron certificate is up to spec?
ServerCertificate.der (1.2 KB)

It's not, because its cA flag is set to TRUE, but we would accept it anyway for backwards compatibility:

The cA flag shall be FALSE for any ApplicationInstance Certificate, however, TRUE shall be accepted to ensure backward interoperability when validating ApplicationInstance Certificates,

Prior to Ignition 8.1.43 this is what our generated certificates looked like as well.
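The check the last two posts are doing by hand (reading the BasicConstraints cA flag out of a DER certificate and deciding whether an OPC UA Part 6 application instance certificate validator should treat it as conformant or merely tolerated) can be automated. The following is an added example, not code from the thread, from Ignition or from Omron: a minimal pure-Python DER walker that locates the BasicConstraints extension (OID 2.5.29.19), reads its cA flag, and classifies the result using the rule quoted above. The sample inputs are constructed Certificate-shaped DER blobs (no signature, no real keys) built by the `constructed_certificate` helper; point the script at a real `.der` file such as the ones attached in this thread to inspect it instead.

```python
"""Read the BasicConstraints cA flag of a DER certificate with a small
pure-Python DER walker (no third-party modules) and classify it against
the OPC UA Part 6 application instance certificate rule."""
import sys
from typing import List, Optional, Tuple

# A parsed DER element: (tag, raw content octets, child nodes if constructed)
Node = Tuple[int, bytes, list]

BASIC_CONSTRAINTS_OID = "2.5.29.19"
TAG_BOOLEAN, TAG_INTEGER, TAG_OCTET_STRING, TAG_OID, TAG_SEQUENCE = 0x01, 0x02, 0x04, 0x06, 0x30


def _read_length(data: bytes, pos: int) -> Tuple[int, int]:
    """Decode a DER length starting at data[pos]; return (length, next_pos)."""
    first = data[pos]
    if first < 0x80:
        return first, pos + 1
    n = first & 0x7F
    if n == 0 or n > 4:
        raise ValueError("unsupported DER length encoding")
    return int.from_bytes(data[pos + 1:pos + 1 + n], "big"), pos + 1 + n


def parse_der(data: bytes) -> List[Node]:
    """Parse a DER blob into TLV nodes; constructed tags (bit 0x20) are recursed."""
    nodes: List[Node] = []
    pos = 0
    while pos < len(data):
        tag = data[pos]
        if tag & 0x1F == 0x1F:
            raise ValueError("multi-byte tags are not supported")
        length, pos = _read_length(data, pos + 1)
        value = data[pos:pos + length]
        if len(value) != length:
            raise ValueError("truncated DER element")
        nodes.append((tag, value, parse_der(value) if tag & 0x20 else []))
        pos += length
    return nodes


def decode_oid(value: bytes) -> str:
    """Decode OID content octets to dotted form, e.g. 55 1d 13 -> '2.5.29.19'."""
    parts: List[int] = []
    acc = 0
    for byte in value:
        acc = (acc << 7) | (byte & 0x7F)
        if not byte & 0x80:
            if not parts:  # first octet encodes the first two arcs together
                parts.extend(divmod(acc, 40) if acc < 80 else (2, acc - 80))
            else:
                parts.append(acc)
            acc = 0
    return ".".join(str(p) for p in parts)


def find_basic_constraints(cert_der: bytes) -> Optional[bool]:
    """Return the cA flag of the BasicConstraints extension, or None if the
    certificate has no such extension. RFC 5280 defaults cA to FALSE, so an
    empty BasicConstraints SEQUENCE means cA=FALSE."""
    def walk(nodes: List[Node]) -> Optional[bool]:
        for tag, _value, children in nodes:
            # Extension ::= SEQUENCE { extnID OID, critical BOOLEAN OPTIONAL, extnValue OCTET STRING }
            if (tag == TAG_SEQUENCE and children and children[0][0] == TAG_OID
                    and decode_oid(children[0][1]) == BASIC_CONSTRAINTS_OID):
                octets = children[-1]
                if octets[0] != TAG_OCTET_STRING:
                    raise ValueError("malformed BasicConstraints extension")
                inner = parse_der(octets[1])  # BasicConstraints ::= SEQUENCE { cA BOOLEAN DEFAULT FALSE, ... }
                if not inner or inner[0][0] != TAG_SEQUENCE:
                    raise ValueError("malformed BasicConstraints value")
                fields = inner[0][2]
                return bool(fields) and fields[0][0] == TAG_BOOLEAN and fields[0][1] != b"\x00"
            found = walk(children)
            if found is not None:
                return found
        return None
    return walk(parse_der(cert_der))


def classify(cert_der: bytes) -> str:
    """Apply the Part 6 rule quoted in the thread: cA must be FALSE for an
    application instance certificate, but TRUE is accepted for interoperability."""
    ca = find_basic_constraints(cert_der)
    if ca is None:
        return "no BasicConstraints extension present"
    if ca:
        return "cA=TRUE: not to spec for an application instance certificate, accepted only for backward interoperability"
    return "cA=FALSE: conforms to the OPC UA Part 6 application instance certificate rule"


def _tlv(tag: int, body: bytes) -> bytes:
    """Encode one DER element (short and two-byte long forms are enough here)."""
    n = len(body)
    length = bytes([n]) if n < 0x80 else (b"\x81" + bytes([n]) if n < 0x100 else b"\x82" + n.to_bytes(2, "big"))
    return bytes([tag]) + length + body


def constructed_certificate(ca_flag: Optional[bool]) -> bytes:
    """Constructed sample (NOT a real certificate, no signature): a Certificate-shaped
    SEQUENCE whose [3] Extensions hold a subjectAltName plus, unless ca_flag is None,
    a BasicConstraints extension with the requested cA value."""
    san_ext = _tlv(TAG_SEQUENCE, _tlv(TAG_OID, b"\x55\x1d\x11")  # 2.5.29.17 subjectAltName
                   + _tlv(TAG_OCTET_STRING, _tlv(TAG_SEQUENCE, _tlv(0x86, b"urn:example:constructed:client"))))
    bc_ext = b""
    if ca_flag is not None:
        # DER omits a DEFAULT FALSE value, so cA=FALSE is an empty SEQUENCE; cA=TRUE is BOOLEAN 0xFF
        bc_value = _tlv(TAG_SEQUENCE, _tlv(TAG_BOOLEAN, b"\xff") if ca_flag else b"")
        bc_ext = _tlv(TAG_SEQUENCE, _tlv(TAG_OID, b"\x55\x1d\x13") + _tlv(TAG_BOOLEAN, b"\xff")
                      + _tlv(TAG_OCTET_STRING, bc_value))
    extensions = _tlv(0xA3, _tlv(TAG_SEQUENCE, san_ext + bc_ext))
    tbs = _tlv(TAG_SEQUENCE, _tlv(0xA0, _tlv(TAG_INTEGER, b"\x02")) + _tlv(TAG_INTEGER, b"\x01") + extensions)
    return _tlv(TAG_SEQUENCE, tbs)


if __name__ == "__main__":
    if len(sys.argv) > 1:  # e.g. python check_ca.py ServerCertificate.der
        with open(sys.argv[1], "rb") as fh:
            print(classify(fh.read()))
    else:
        for label, flag in (("cA=TRUE sample", True), ("cA=FALSE sample", False), ("no extension", None)):
            print(f"{label}: {classify(constructed_certificate(flag))}")
```

Run with no arguments to see the three constructed cases, or pass a DER file to classify a real certificate. The walker matches on the extension OID rather than on byte offsets, so it copes with certificates that carry other extensions (subjectAltName, key usage) before or after BasicConstraints.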