View Issue Details

ID: 0008636
Project: 10000-012: Discovery
Category: Spec
View Status: public
Last Update: 2023-04-18 15:30
Reporter: Martin Regen
Assigned To: Randy Armstrong
Priority: normal
Severity: minor
Reproducibility: always
Status: assigned
Resolution: open
Product Version: 1.05.03
Summary: 0008636: A GDS must put its CA certificates in the Issuer store, or IOP issues may occur
Description

See discussion here: https://github.com/OPCFoundation/UA-.NETStandard/issues/2020

After updating the app cert with a signed cert of the GDS, the GDS does not AutoAccept the connection, because of the BadCertificateChaininvalid error.
The GDS did not know its own CA issuer certs.

Fix:
i) Solution in .NET stack is to set SendCertificateChain=true
ii) in GDS copy CA certs to Issuer store to complete the chain

Comment from Randy:

The GDS should have knowledge of all CAs it uses to issue Certificates.
If it rejects a certificate it just issued then the GDS is broken (it only needs to be in the issuer store – the CA does not need to be trusted, just known).

I agree this needs a mantis issue in Part 12.
It can be a mandatory requirement since it results in really annoying IOP problems.

Regards,
Randy
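
A simplified model of the store logic discussed in this issue, added here as an example and not taken from the OPC UA specification or the UA-.NETStandard code. Certificates are reduced to subject/issuer names (constructed sample data, no signature, validity or revocation checks); the status strings and the rule that auto-accept overrides only the untrusted result, never a chain-building failure, are assumptions of the model.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str          # equals subject for a self-signed root

def build_chain(leaf, known):
    """Walk issuer links using only certificates the validator knows about."""
    chain, current = [leaf], leaf
    while current.issuer != current.subject:
        parent = known.get(current.issuer)
        if parent is None or parent in chain:
            return None              # issuer unknown (or loop): chain cannot be completed
        chain.append(parent)
        current = parent
    return chain

def validate(leaf, trusted, issuers, peer_chain=(), auto_accept=False):
    """Return a model-local status string for one incoming certificate."""
    # Chain building may use the trusted store, the issuer store and any
    # CA certificates the peer sent along with its own certificate.
    known = {c.subject: c for c in (*peer_chain, *issuers, *trusted)}
    chain = build_chain(leaf, known)
    if chain is None:
        return "CHAIN_INCOMPLETE"    # assumption: auto-accept cannot override this
    # Trust comes only from the trusted store, never from peer-supplied certs.
    if any(c in trusted for c in chain):
        return "GOOD"
    return "GOOD_AUTO_ACCEPTED" if auto_accept else "UNTRUSTED"

# Constructed sample data: a GDS CA and an application certificate it issued.
GDS_CA = Cert("CN=Example GDS CA", "CN=Example GDS CA")
APP = Cert("CN=Example Client", "CN=Example GDS CA")

def scenarios():
    return {
        "ca_unknown": validate(APP, [], [], auto_accept=True),
        "ca_in_issuer_store": validate(APP, [], [GDS_CA], auto_accept=True),
        "ca_known_no_auto_accept": validate(APP, [], [GDS_CA]),
        "peer_sends_chain": validate(APP, [], [], peer_chain=[GDS_CA], auto_accept=True),
        "ca_trusted": validate(APP, [GDS_CA], []),
    }

if __name__ == "__main__":
    for name, status in scenarios().items():
        print(f"{name}: {status}")
```

The "ca_in_issuer_store" and "peer_sends_chain" cases correspond to fixes ii) and i) above: either one makes the CA known for chain building without adding it to the trusted store.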

Tags: No tags attached.
Commit Version:
Fix Due Date:

Activities

There are no notes attached to this issue.

Issue History

Date Modified     Username      Field                Change
2023-01-20 17:05  Martin Regen  New Issue
2023-01-20 17:06  Martin Regen  Description Updated
2023-01-20 17:09  Martin Regen  Description Updated
2023-01-20 17:10  Martin Regen  Description Updated
2023-04-18 15:28  Jim Luth      Assigned To          => Randy Armstrong
2023-04-18 15:28  Jim Luth      Status               new => assigned