Validation Options for Server Certificates

Use

When you choose the Validation Options pushbutton, a dialog box appears in which you can define the behavior of the OPC UA source system in specific exception situations during certificate validation.

When a secure connection is being established, the OPC UA server must identify itself to the OPC UA client using a valid X.509 V3 certificate. In this case, the OPC UA client is the OPC UA agent instance of the PCo system.

Features

Empty Certificates

The OPC UA specification stipulates that the certificate must have a valid structure or must be empty. The following options are offered to define how to handle empty certificates:

  • Allow Empty Certificates

    This setting allows you to accept an empty certificate. With this exception, it is possible to do without certificate handling, and thus save the required storage space, for UA servers on devices with limited computing power.

  • Allow Empty Certificates with Warning

    This setting allows you to accept an empty certificate. In addition, a warning is issued that is written to the log when the agent instance is started.

  • Reject Empty Certificates

    You use this setting to define that empty certificates are not accepted.

Suppress Validation Errors

In this screen area, you can define that errors that occur for specific certificate validations are to be suppressed:

  • Validity Period

    With this setting, you define that the server certificate is accepted even if it has already expired or is not yet valid. If the certificate has expired, a corresponding warning is written to the log.

  • Host Name

    With this setting, you define that server certificates that cannot be identified correctly can also be accepted. In this case, too, a warning is written to the log if necessary.

  • Trust Check for Server Certificate

    If the certificate that the server sends when the connection is being set up is valid, but you have not defined a trust relationship (that is, the server certificate is not stored in the store for trusted certificates), you can nevertheless allow the connection to be set up by selecting the Trust Check for Server Certificate checkbox.

Displaying Suppressed Validation Errors

You can display a summary of validation errors of certificates in a dialog box, even if you have set Suppress Validation Errors. PCo displays the error messages for the affected certificates when you choose the Test Connection pushbutton of an OPC UA source system. The message contains a list of the errors that were suppressed, followed by the certificate name.
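
The combined effect of the settings described above can be modeled in a few lines. The following Python sketch is an added example, not PCo code: the class, field and option names are hypothetical, the sample certificate is constructed, and host-name matching is simplified to an exact comparison.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

@dataclass
class Cert:  # hypothetical stand-in for a parsed X.509 server certificate
    name: str
    not_before: datetime
    not_after: datetime
    host_names: tuple
    thumbprint: str

@dataclass
class Options:  # hypothetical names mirroring the dialog's settings
    empty: str = "reject"  # "allow" | "allow_with_warning" | "reject"
    suppress_validity: bool = False
    suppress_host_name: bool = False
    suppress_trust: bool = False

def evaluate(cert, host, trusted, opts, now):
    """Return (accepted, reported, rejected): reported lists warnings and
    suppressed errors, rejected lists errors that block the connection."""
    if cert is None:  # the server sent an empty certificate
        if opts.empty == "reject":
            return False, [], ["empty certificate"]
        warn = opts.empty == "allow_with_warning"
        return True, ["empty certificate"] if warn else [], []
    findings = []  # (error name, suppressed?) for each failed check
    if not cert.not_before <= now <= cert.not_after:
        findings.append(("validity period", opts.suppress_validity))
    # Simplification: exact, case-insensitive match on the certificate's names.
    if host.lower() not in {h.lower() for h in cert.host_names}:
        findings.append(("host name", opts.suppress_host_name))
    if cert.thumbprint not in trusted:  # not in the trusted-certificate store
        findings.append(("trust check", opts.suppress_trust))
    reported = [name for name, suppressed in findings if suppressed]
    rejected = [name for name, suppressed in findings if not suppressed]
    return not rejected, reported, rejected

# Constructed sample data: an expired certificate for another host, not trusted.
UTC = timezone.utc
NOW = datetime(2024, 6, 1, tzinfo=UTC)
BAD_CERT = Cert("CN=unknown-device", datetime(2020, 1, 1, tzinfo=UTC),
                datetime(2021, 1, 1, tzinfo=UTC), ("other-host",), "AA11")
TRUSTED = {"BB22"}
STRICT = Options()
LAX = Options("allow", True, True, True)

if __name__ == "__main__":
    for label, opts in (("strict", STRICT), ("all suppressed", LAX)):
        for cert in (BAD_CERT, None):
            print(label, cert.name if cert else "<empty>",
                  evaluate(cert, "plc01.example", TRUSTED, opts, NOW))
```

With every suppression enabled, the sample certificate is accepted although all three checks fail, so the list of suppressed errors is the only remaining record of what was wrong with it.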