OPC UA Certificate User Token Policy

I am trying to connect to an Ignition OPC UA server with UA Agent (as well as a C# client I am writing). I want this to use certificate authentication, not username and password.

In UA Agent, when I discover the server, it defaults to username and password. When using username and password, it connects and I can view nodes. When attempting to use certificate authentication instead, I get the following error in Ignition:

at org.eclipse.milo.opcua.stack.server.transport.uasc.UascServerAsymmetricHandler.lambda$openSecureChannel$5(UascServerAsymmetricHandler.java:454)
at java.base/java.util.Optional.orElseThrow(Unknown Source)
at org.eclipse.milo.opcua.stack.server.transport.uasc.UascServerAsymmetricHandler.openSecureChannel(UascServerAsymmetricHandler.java:444)
at org.eclipse.milo.opcua.stack.server.transport.uasc.UascServerAsymmetricHandler.lambda$sendOpenSecureChannelResponse$3(UascServerAsymmetricHandler.java:355)
at org.eclipse.milo.opcua.stack.core.channel.SerializationQueue.lambda$encode$0(SerializationQueue.java:59)
at org.eclipse.milo.opcua.stack.core.util.TaskQueue$TaskWrapper.run(TaskQueue.java:273)
at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)
at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
at java.base/java.lang.Thread.run(Unknown Source)

When using my .NET client to connect with a Certificate identity, I get the same error as above. When attempting to connect with a Username identity, I get the following error:

io.netty.handler.codec.DecoderException: UaException: status=Bad_SecurityChecksFailed, message=An error occurred verifying security.
at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:500)
at io.netty.handler.codec.ByteToMessageDecoder.channelRead(ByteToMessageDecoder.java:290)
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:444)

Oddly enough, in the Security -> Server, the certificate shows up both in the Trusted Certificates tab and the Quarantined Certificates tab.

I am unsure if these are related, or if there's something I missed in the documentation, but any guidance would be appreciated in resolving this.

Ignition does not support Session authentication via certificate, neither as Client nor Server.

Understood.

So my UaExpert works as expected. Since I need to use UserName for session authentication, I'm still running into an issue with my .NET code (using Traeger's SDK). The application certificate is the same, and the username and password are the same, but I receive

Caused by: org.eclipse.milo.opcua.stack.core.UaException: status=Bad_SecurityChecksFailed, description=An error occurred verifying security.
at org.eclipse.milo.opcua.stack.server.security.DefaultServerCertificateValidator.validateCertificateChain(DefaultServerCertificateValidator.java:87)
at org.eclipse.milo.opcua.stack.server.transport.uasc.UascServerAsymmetricHandler.onOpenSecureChannel(UascServerAsymmetricHandler.java:198)
at org.eclipse.milo.opcua.stack.server.transport.uasc.UascServerAsymmetricHandler.decode(UascServerAsymmetricHandler.java:120)
at io.netty.handler.codec.ByteToMessageDecoder.decodeRemovalReentryProtection(ByteToMessageDecoder.java:530)

Any directions to be pointed in? Misconfigured client?

It looks like the Ignition server doesn’t trust your client certificate for some reason.

Have you marked it trusted in the server security settings area under the Server tab?

If you can attach/upload a copy of your client certificate I can take a look at it to see if anything is wrong with the way it was generated.

Here's the certificate. It is marked as trusted in the Server tab.

DevCertificate.cer (1.4 KB)

This certificate has an issuer that needs to be added as a trusted certificate as well. Or whatever the root CA is, if not the direct issuer.

In addition to that, it's missing 2 of the required 4 Key Usage bits. It has digitalSignature and keyEncipherment, it also needs nonRepudiation and dataEncipherment. See UA Part 6: Mappings - 6.2.2 Application Instance Certificate.

It's also missing the application URI in the Subject Alternative Name extension.

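The answer above lists three things the client's application instance certificate needs before Ignition (via Milo's DefaultServerCertificateValidator) will accept it on OpenSecureChannel: a trusted issuer chain, all four Key Usage bits (digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment), and the application URI in the Subject Alternative Name. The script below is an added example, not code from this thread, from Ignition, Milo or the Traeger SDK. It uses the openssl CLI to generate a self-signed certificate that meets those requirements, generates a second one shaped like the one in the question (two Key Usage bits, no URI in the SAN), and runs a small checker over each. The application URI, hostname and output paths are constructed placeholders; on a real client the URI must equal the ApplicationUri the client sends in its ApplicationDescription.

```shell
#!/bin/sh
# Added example: build a self-signed OPC UA application instance certificate
# that satisfies the requirements named in the answer above, plus a checker
# that reports what is missing. Application URI, hostname and paths are
# constructed placeholders; only the openssl CLI is assumed to be installed.
set -eu

APP_URI="urn:example-host:ExampleClient"   # constructed; must match the client's ApplicationUri
HOST_DNS="example-host"                    # constructed
WORKDIR="${TMPDIR:-/tmp}/opcua-cert-example"
GOOD_CERT="$WORKDIR/good.crt"
WEAK_CERT="$WORKDIR/weak.crt"

# write_cnf <file> <keyUsage value> <subjectAltName value>
# Minimal openssl config for a non-CA end-entity certificate.
write_cnf() {
    cat > "$1" <<EOF
[ req ]
distinguished_name = dn
x509_extensions    = ua_ext
prompt             = no

[ dn ]
CN = ExampleClient
O  = Example Org

[ ua_ext ]
basicConstraints       = critical, CA:FALSE
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid, issuer
keyUsage               = critical, $2
extendedKeyUsage       = serverAuth, clientAuth
subjectAltName         = $3
EOF
}

# make_cert <out.crt> <keyUsage value> <subjectAltName value>
# Writes <out.crt>, <out.crt>.key and <out.crt>.cnf under WORKDIR.
make_cert() {
    mkdir -p "$WORKDIR"
    write_cnf "$1.cnf" "$2" "$3"
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
        -keyout "$1.key" -out "$1" -config "$1.cnf" 2>/dev/null
}

# All four Key Usage bits from UA Part 6 6.2.2 and the application URI in the SAN.
make_good_cert() {
    make_cert "$GOOD_CERT" \
        "digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment" \
        "URI:$APP_URI, DNS:$HOST_DNS"
}

# Shaped like the certificate in the question: two bits only, no URI in the SAN.
make_weak_cert() {
    make_cert "$WEAK_CERT" \
        "digitalSignature, keyEncipherment" \
        "DNS:$HOST_DNS"
}

# check_cert <cert.pem> <expected application URI>
# Prints each missing requirement; returns 0 only when all are present.
check_cert() {
    cert="$1"; uri="$2"; rc=0
    text=$(openssl x509 -in "$cert" -noout -text)
    # The bits are printed on the line after the "X509v3 Key Usage" header.
    ku=$(printf '%s\n' "$text" | grep -A1 'X509v3 Key Usage' | tail -n 1)
    for bit in "Digital Signature" "Non Repudiation" "Key Encipherment" "Data Encipherment"; do
        case "$ku" in
            *"$bit"*) ;;
            *) echo "missing Key Usage bit: $bit"; rc=1 ;;
        esac
    done
    san=$(printf '%s\n' "$text" | grep -A1 'Subject Alternative Name' | tail -n 1)
    case "$san" in
        *"URI:$uri"*) ;;
        *) echo "missing application URI in SAN: $uri"; rc=1 ;;
    esac
    return "$rc"
}

# Stand-alone run: build both certificates and report on each.
make_good_cert
make_weak_cert
echo "== good certificate =="
check_cert "$GOOD_CERT" "$APP_URI" && echo "all requirements present"
echo "== weak certificate (as in the question) =="
check_cert "$WEAK_CERT" "$APP_URI" || echo "rejected, as expected"
```

For a certificate issued by a CA rather than self-signed, the checker above does not cover the first point in the answer: the issuer (or the root CA above it) must also be in the server's trusted list, which you can sanity-check locally with `openssl verify -CAfile <issuer-chain.pem> <client.crt>` before importing anything into Ignition. The private key written next to the certificate is unencrypted, so treat the output directory accordingly.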