When using a CA-signed certificate for an OPC UA client, it is possible to place the CA root certificate and any intermediate CA signing certificates in the certificate trust list folder for the OPC UA process gateway.
When using CA-signed certificates, a certificate revocation list is required in the certificate revocation list directory. Unlike a self-signed certificate, a CA-signed certificate can be revoked by the CA.
In this case, however, the OPC UA Server process gateway does not correctly check the crl directory of the OpenSSL certificate store for the certificate revocation lists.
An issue has been addressed in the OPC UA Server process gateway where the certificate revocation lists in the OpenSSL directory certificate store were not considered correctly.
Certificate revocation lists must be stored in .pem format (base64-encoded DER format) and must be located in the directory "crl", which is located parallel to the directory "certs" and the directory "private".
This change resulted in a side effect where OPC UA clients using a self-signed certificate were also required to have a certificate revocation list, which is not possible and does not make sense. This issue has been addressed in 7.11 build 11206. (Article ID 192527)
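The following check is an added example, not code from the product or its vendor. It verifies that a store has "crl" beside "certs" and "private" and that every file in "crl" is PEM-framed rather than raw DER. The function names, file names and stub bytes are assumptions constructed for illustration, and only framing is checked, not CRL signatures or validity dates.

```python
import base64
import re
import tempfile
from pathlib import Path

PEM_CRL = re.compile(rb"-----BEGIN X509 CRL-----\s*(.+?)\s*-----END X509 CRL-----", re.S)

def check_crl_store(store_root):
    """Return findings for the store layout described above; an empty list means OK."""
    root = Path(store_root)
    findings = [f"missing directory: {n}" for n in ("certs", "private", "crl")
                if not (root / n).is_dir()]
    crl_dir = root / "crl"
    if not crl_dir.is_dir():
        return findings
    files = sorted(p for p in crl_dir.iterdir() if p.is_file())
    if not files:
        findings.append("crl directory is empty")
    for path in files:
        data = path.read_bytes()
        match = PEM_CRL.search(data)
        if match is None:
            # DER-encoded CRLs start with an ASN.1 SEQUENCE tag (0x30).
            kind = "raw DER" if data[:1] == b"\x30" else "unrecognised"
            findings.append(f"{path.name}: not PEM ({kind})")
            continue
        try:
            der = base64.b64decode(b"".join(match.group(1).split()), validate=True)
        except ValueError:
            findings.append(f"{path.name}: PEM body is not valid base64")
            continue
        if der[:1] != b"\x30":
            findings.append(f"{path.name}: PEM body is not a DER SEQUENCE")
    return findings

def build_sample_store(root):
    """Constructed sample store: one PEM-framed file and one raw DER file (stub bytes)."""
    root = Path(root)
    for name in ("certs", "private", "crl"):
        (root / name).mkdir(parents=True)
    stub = b"\x30\x03\x02\x01\x01"  # constructed DER stub, not a real CRL
    pem = b"-----BEGIN X509 CRL-----\n" + base64.encodebytes(stub) + b"-----END X509 CRL-----\n"
    (root / "crl" / "ca.pem").write_bytes(pem)
    (root / "crl" / "ca.crl").write_bytes(stub)
    return root

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        print(check_crl_store(build_sample_store(Path(tmp) / "store")))
```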