An OPCUA client can no longer establish a secure connection to the OPCUA server when a self-signed certificate is used. When using an application instance certificate that is signed by a Certificate Authority, with a matching .crl file in the CRL folder, the secure communication works correctly.
An issue has been addressed in the OPCUA process gateway where the OPCUA server expected a certificate revocation list for self-signed certificates as well, and therefore always refused secure connections from OPCUA clients with a self-signed certificate.
Now the OPCUA server does not require a certificate revocation list for self-signed certificates.
For CA-signed certificates, the OPCUA server will check for a matching certificate revocation list in the CRL directory. If a certificate is revoked in the .crl file, the connection will not be accepted. Only one .crl file should exist for each CA.
If a .crl file does not exist for CA-signed certificates, the OPCUA server will assume the certificate is trusted when the CA root certificate is trusted.
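The following Python sketch is an added illustration of the revocation rules described above; it is not code from zenon or the OPCUA process gateway. It models only the CRL step (not chain or trust-list validation), the `Cert` and `Crl` records are constructed stand-ins for real X.509 objects, and the handling of duplicate CRLs and of an untrusted CA without a CRL are assumptions marked in the comments.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Cert:   # constructed stand-in for an X.509 certificate
    subject: str
    issuer: str
    serial: int

@dataclass(frozen=True)
class Crl:    # constructed stand-in for one .crl file in the CRL directory
    issuer: str
    revoked: frozenset = frozenset()

def crl_step(cert, trusted_ca_subjects, crls):
    """Return (passes, reason) for the revocation step only."""
    if cert.subject == cert.issuer:
        # Self-signed: the fixed server no longer asks for a CRL.
        return True, "self-signed: no CRL required"
    matching = [c for c in crls if c.issuer == cert.issuer]
    if len(matching) > 1:
        # The page says only one .crl should exist per CA; refusing
        # here is this sketch's choice, not documented server behaviour.
        return False, "misconfigured: more than one CRL for this CA"
    if matching:
        if cert.serial in matching[0].revoked:
            return False, "revoked in CRL"
        return True, "CRL present: not revoked"
    # No CRL for a CA-signed certificate: revocation is not checked and
    # the outcome depends only on trust in the CA root certificate.
    if cert.issuer in trusted_ca_subjects:
        return True, "no CRL: revocation not checked, CA root trusted"
    return False, "no CRL and CA root not trusted"  # assumption

if __name__ == "__main__":
    # Constructed sample data.
    trusted = {"CN=Plant CA"}
    crls = [Crl("CN=Plant CA", frozenset({1002}))]
    for c in (Cert("CN=hmi1", "CN=hmi1", 1),
              Cert("CN=hmi2", "CN=Plant CA", 1001),
              Cert("CN=hmi3", "CN=Plant CA", 1002),
              Cert("CN=hmi4", "CN=Lab CA", 7)):
        print(c.subject, crl_step(c, trusted, crls))
```

The "no CRL" branch is the one to watch operationally: a revoked certificate from a trusted CA still passes if that CA's .crl file is missing from the CRL directory.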
A workaround exists. The OPCUA process gateway from an earlier zenon 7.10 SP0 build (5560, 6571, 6919 or 7192) can be used when installed in a separate directory.
Introduced with 7.10 SP0 build 7770 (Article ID 125774)