Closed. VictorRom closed this issue 2 years ago.
@mregen could you please take a look
see https://github.com/OPCFoundation/UA-.NETStandard/issues/1766
The CRL is generated as PEM and not as ASN.1, similar to the issue above. The UA stack expects a CRL in ASN.1 (DER) encoded format. Please try this additional conversion to create the CRL as required:
openssl crl -inform PEM -in myca.crl.pem -outform DER -out myca.crl
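A small check for the PEM-versus-DER mix-up discussed in this comment, added here as an example and not code from the issue or from the OPC PLC project: it detects which encoding a CRL file uses, converts PEM to the DER form the UA stack expects (the same conversion the openssl command above performs), and sanity-checks the outer ASN.1 length so a truncated file is caught before it lands in the trust store. The sample bytes are constructed for the demonstration and are not a real CRL.

```python
import base64
import re

# Constructed sample: SEQUENCE { INTEGER 1, NULL }. Only the outer DER wrapper
# matters here; a real CertificateList has the same 0x30 SEQUENCE tag.
SAMPLE_DER = bytes([0x30, 0x05, 0x02, 0x01, 0x01, 0x05, 0x00])
SAMPLE_PEM = (b"-----BEGIN X509 CRL-----\n"
              + base64.encodebytes(SAMPLE_DER)
              + b"-----END X509 CRL-----\n")

PEM_RE = re.compile(rb"-----BEGIN X509 CRL-----\s*(.*?)\s*-----END X509 CRL-----", re.S)


def crl_encoding(data: bytes) -> str:
    """Return 'pem', 'der' or 'unknown' for the raw bytes of a CRL file."""
    if PEM_RE.search(data):
        return "pem"
    if data[:1] == b"\x30":          # DER CertificateList starts with SEQUENCE
        return "der"
    return "unknown"


def pem_to_der(data: bytes) -> bytes:
    """Strip the PEM armor and base64-decode the body into DER bytes."""
    m = PEM_RE.search(data)
    if not m:
        raise ValueError("not a PEM-encoded X509 CRL")
    der = base64.b64decode(b"".join(m.group(1).split()), validate=True)
    if der[:1] != b"\x30":
        raise ValueError("decoded PEM body is not an ASN.1 SEQUENCE")
    return der


def der_length_ok(der: bytes) -> bool:
    """Check that the outer SEQUENCE length field matches the file size."""
    if len(der) < 2 or der[0] != 0x30:
        return False
    lb = der[1]
    if lb < 0x80:                    # short-form length
        return len(der) == 2 + lb
    n = lb & 0x7F                    # long-form: n following length bytes
    if n == 0 or n > 4 or len(der) < 2 + n:   # indefinite length is not DER
        return False
    length = int.from_bytes(der[2:2 + n], "big")
    return len(der) == 2 + n + length


def ensure_der(data: bytes) -> bytes:
    """Return DER bytes whatever the input encoding, as the UA stack needs."""
    enc = crl_encoding(data)
    der = pem_to_der(data) if enc == "pem" else data
    if enc == "unknown" or not der_length_ok(der):
        raise ValueError("CRL is neither valid PEM nor well-formed DER")
    return der
```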
@VictorRom can you please confirm if the above suggestion worked for you or if you still need help.
@luiscantero @mregen Sorry for the delay. I will try this solution on Friday and post an update then.
Indeed the generated CRL was the problem. The additional conversion did the job as @mregen said. Thank you very much for taking the time to answer me.
This issue is for a:
Minimal steps to reproduce
Generate an openssl CA (key and certificate). Use the following commands to generate the key and the certificate:
openssl genrsa -des3 -out myCA.key 2048
openssl req -x509 -new -nodes -key myCA.key -sha256 -days 1825 -out myCA.pem
openssl ca -gencrl -keyfile myCA.key -cert myCA.pem -out myCA.crl -config crl_openssl.cnf
The following command can be used to verify the CRL:
openssl crl -in myCA.crl -CAfile myCA.crt
Here is the content of the crl_openssl.cnf:
The PEM certificate has to be transformed to DER format using the following command:
openssl x509 -in myCA.pem -out myCA.der -outform DER
Afterwards place the certificate in the trust store as described below:
The command used to start the PLC is the following:
Any log messages given by the failure
Expected/desired behavior
The CRL should be loaded in the trust store.
OS and Version?
Linux:
Versions
Version: latest, 2.5.0, 2.4.0, 2.3.0
Mention any other details that might be useful
The first time this error occurred was during a CRL generation test in Java. Since we were not able to understand why it was not possible to load our CRL, we generated everything using openssl and found out it may be a bug.
myCA.zip