X509Utils.CompareDistinguishedNameFields Failing a Valid SubjectName Comparison #3318

@GrahamBlanshard

Description

Type of issue

  • Bug
  • Enhancement
  • Compliance
  • Question
  • Help wanted

Current Behavior

If attempting to generate and use a self-signed certificate for OPCUA Client on Windows, the application fails to find and use the existing certificate when SubjectName contains a value for stateOrProvinceName using ST=value syntax.

Expected Behavior

Existing Self-Signed Certificate stored on the Certificate Store is found and used.

Steps To Reproduce

  1. Generate a self-signed certificate using the following:
var config = new ApplicationConfiguration()
{
    ApplicationName = this.ApplicationName,
    ApplicationUri = this.ApplicationUri,
    ApplicationType = ApplicationType.Client,
    SecurityConfiguration = new SecurityConfiguration()
    {
        AutoAcceptUntrustedCertificates = true,
        ApplicationCertificate = new CertificateIdentifier()
        {
            StoreType = "X509Store",
            StorePath = "CurrentUser\\My",
            SubjectName = "CN=OPCUA Client, O=MyOrg, ST=stateOrProvinceName, C=CA",
        },
        AddAppCertToTrustedStore = true
    },
    ClientConfiguration = new ClientConfiguration { DefaultSessionTimeout = DefaultTimeout },
};

var certBuilder = CertificateFactory.CreateCertificate(config.ApplicationUri,
                                                       config.ApplicationName,
                                                       config.SecurityConfiguration.ApplicationCertificate.SubjectName,
                                                       new List<string> { Utils.GetHostName() });
var newCert = certBuilder.CreateForRSA();

config.SecurityConfiguration.ApplicationCertificate.Certificate = newCert;

using (var store = config.SecurityConfiguration.ApplicationCertificate.OpenStore())
{
    await store.Add(newCert);
}
  2. Attempt to "Find" the Cert using the Provided function calls from OPCFoundation:
CertificateIdentifier applicationCert = config.SecurityConfiguration.ApplicationCertificate;
var foundCert = await applicationCert.Find(config.ApplicationUri);
  3. The foundCert value is null, even when a valid certificate exists on the given store path using identical Subject fields.

Environment

- OS: Windows 10 22H2
- Environment: Visual Studio Professional 2022 (Version 17.13.6)
- Runtime: .NET 9.0
- Nuget Version: 1.5.376.244
- Component: Opc.Ua.X509Utils
- Server: N/A
- Client: Custom(?)

Anything else?

When using the debugger in Visual Studio to drill down through the CertificateIdentifier.Find() function to the comparisons for Subject Fields within X509Utils, the CompareDistinguishedName(X509Certificate2, List<string>) function does a straight string comparison on the given certificate fields and does not account for stateOrProvinceName potentially being ST= or S=.

It seems to stem from a Microsoft behavior as this is something that's been identified within OpenSSL previously (See comment here). I understand this issue is avoidable as the stateOrProvinceName is optional, but the documentation explicitly notes using ST= on the SubjectName value which causes this bug in Windows.
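Added example (not from the issue and not code from the OPC UA .NET stack) of the comparison the reporter says CompareDistinguishedName lacks: it parses both subject strings into attribute/value pairs, folds the attribute-type spellings (ST, S, and the OID 2.5.4.8 all become ST), and compares the resulting sets. The names DnCompare, Parse, AreEqual and FindBySubject are my own, and the sample subject strings are constructed to mirror the ST= versus S= mismatch described above.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Cryptography.X509Certificates;
using System.Text;

// Added example (not part of Opc.Ua.X509Utils): compare distinguished names by their
// attribute/value pairs instead of by raw string, so that the "ST=" versus "S=" spelling
// of stateOrProvinceName no longer breaks the match.
public static class DnCompare
{
    // Short names and OIDs mapped to one canonical spelling. Windows CryptoAPI renders
    // stateOrProvinceName as "S", RFC 4514 and OpenSSL as "ST"; both must compare equal.
    private static readonly Dictionary<string, string> Canonical =
        new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase)
        {
            ["S"] = "ST", ["ST"] = "ST", ["2.5.4.8"] = "ST",
            ["CN"] = "CN", ["2.5.4.3"] = "CN",
            ["O"] = "O", ["2.5.4.10"] = "O",
            ["OU"] = "OU", ["2.5.4.11"] = "OU",
            ["L"] = "L", ["2.5.4.7"] = "L",
            ["C"] = "C", ["2.5.4.6"] = "C",
            ["DC"] = "DC", ["0.9.2342.19200300.100.1.25"] = "DC",
            ["E"] = "E", ["EMAIL"] = "E", ["EMAILADDRESS"] = "E", ["1.2.840.113549.1.9.1"] = "E",
        };

    // Split a DN on commas that are neither backslash-escaped nor inside double quotes,
    // then split each RDN on its first '='. Multi-valued RDNs ('+') are not handled here.
    public static List<(string Type, string Value)> Parse(string dn)
    {
        var pairs = new List<(string Type, string Value)>();
        var current = new StringBuilder();
        bool quoted = false;
        for (int i = 0; i < dn.Length; i++)
        {
            char c = dn[i];
            if (c == '\\' && i + 1 < dn.Length) { current.Append(c).Append(dn[++i]); continue; }
            if (c == '"') { quoted = !quoted; current.Append(c); continue; }
            if (c == ',' && !quoted) { AddRdn(pairs, current.ToString()); current.Clear(); continue; }
            current.Append(c);
        }
        AddRdn(pairs, current.ToString());
        return pairs;
    }

    private static void AddRdn(List<(string Type, string Value)> pairs, string rdn)
    {
        rdn = rdn.Trim();
        if (rdn.Length == 0) return;
        int eq = rdn.IndexOf('=');
        if (eq <= 0) throw new FormatException("RDN has no attribute type: " + rdn);
        string type = rdn.Substring(0, eq).Trim();
        string value = rdn.Substring(eq + 1).Trim();
        if (value.Length >= 2 && value[0] == '"' && value[^1] == '"')
            value = value.Substring(1, value.Length - 2);   // strip the quoting, keep the content
        string canon = Canonical.TryGetValue(type, out var mapped) ? mapped : type.ToUpperInvariant();
        pairs.Add((canon, value));
    }

    // Equal when both DNs hold the same (type, value) multiset. RDN order is ignored because
    // different encoders emit it differently; attribute values are compared exactly.
    public static bool AreEqual(string left, string right)
    {
        var a = Parse(left).OrderBy(p => p.Type, StringComparer.Ordinal).ThenBy(p => p.Value, StringComparer.Ordinal);
        var b = Parse(right).OrderBy(p => p.Type, StringComparer.Ordinal).ThenBy(p => p.Value, StringComparer.Ordinal);
        return a.SequenceEqual(b);
    }

    // Look a certificate up in CurrentUser\My with the tolerant comparison above; returns
    // null when no subject matches. Hypothetical helper, not an Opc.Ua API.
    public static X509Certificate2 FindBySubject(string expectedSubject)
    {
        using var store = new X509Store(StoreName.My, StoreLocation.CurrentUser);
        store.Open(OpenFlags.ReadOnly);
        foreach (X509Certificate2 cert in store.Certificates)
        {
            if (AreEqual(cert.Subject, expectedSubject)) return cert;
        }
        return null;
    }
}

public static class Demo
{
    public static void Main()
    {
        // The SubjectName from the issue's configuration.
        const string configured = "CN=OPCUA Client, O=MyOrg, ST=stateOrProvinceName, C=CA";
        // Constructed sample of the same subject with the S= spelling the issue describes.
        const string fromStore = "CN=OPCUA Client, O=MyOrg, S=stateOrProvinceName, C=CA";
        // Constructed sample that differs in a real attribute value and must not match.
        const string other = "CN=OPCUA Client, O=OtherOrg, S=stateOrProvinceName, C=CA";

        Console.WriteLine("raw string equal:      " + string.Equals(configured, fromStore));
        Console.WriteLine("normalized equal:      " + DnCompare.AreEqual(configured, fromStore));
        Console.WriteLine("different O equal:     " + DnCompare.AreEqual(configured, other));
    }
}
```

The raw string comparison in Main fails for the ST=/S= pair while AreEqual accepts it and still rejects the subject whose O value differs, which is the behaviour a store lookup keyed on SubjectName needs. Canonicalising to the short names rather than to one platform's output keeps the check independent of whether the certificate was formatted by CryptoAPI or OpenSSL.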

Labels

bug: A bug was identified and should be fixed.