Hi K.!

I was able to reproduce this issue on a fresh installation of Windows Server 2019 (no additional roles/features). So, there is no further need for the actual VM image, I can now work on it here.

The issue appears to be that the Brainpool ECC curves are only supported in .NET Framework 4.8+. The default .NET Framework in Windows Server 2019 is 4.7.2.
Installing and using .NET Framework 4.8 resolves the issue (4.8.1 cannot be installed on Windows Server 2019).

I will resolve this issue (by not attempting Brainpool when not supported); most likely in the upcoming version (2025.2), because there is a resolution and multiple workarounds.

Best regards
 

Hey Z,

Thank you for the quick response!  I have asked the user about the VM image.  I will report back when I hear on that.

The VM is running Microsoft Windows Server 2019 Datacenter - Version 10.0.17763 Build 17763

Here is an image with more info:

 

Hi K.,
thanks for the exception details.

And yes, if you do not need ECC support (you probably don't), it is possible to disable it (the problem seems to be with the Brainpool curves). See  opclabs.doc-that.com/files/onlinedocs/OPCLabs-OpcStudio/Late...%20Instance%20Certificate.html , under "Instance Certificates Auto-Generation": Set 

EasyUAClient.SharedParameters.EngineParameters.AllowEccSecurityPolicies = false;

Let me know if that resolves the error.

Even if it does help, however, I am *very* interested in getting to the bottom of this. It is not how I want the component to behave. What version of Windows / Windows Server is the machine that has the problem? And, if I fail to reproduce it myself, would be possible to provide me with the VM image?

Regards

I wanted to add some additional questions/context:

is there a way to configure the application so that it doesn’t try to configure these two certificates?
 
FIO-WB01 (has IIS installed) – runs without issues (This is the screenshot that contains highlights)=14pxFIO-AP01 (no IIS) – fails to runs with this error 'ApplicationInstance.CheckApplicationInstanceCertificates'. The parameter is incorrect at Opc.Ua.Security.Certificates.CertificateBuilder.CreateForECDsa()



Thank you for your continued support! 

 

Hello!

The current version is 5.82.175.1.

Here is the full exception:

System.AggregateException: 2 error(s) occurred, the first one being: UA SDK error (System.Security.Cryptography.CryptographicException) in 'ApplicationInstance.CheckApplicationInstanceCertificates'. The parameter is incorrect. + The error occurred while creating or checking the application instance certificate for application type: Client. Check event log entries for errors and warnings. + Connection attempt #1; last connected at 1/1/0001 12:00:00 AM (local); unconnected for 00:00:00.0470000. + The client method called (or event/callback invoked) was 'WriteMultiple[1]'. ---> OpcLabs.EasyOpc.UA.Engine.UAEngineException: UA SDK error (System.Security.Cryptography.CryptographicException) in 'ApplicationInstance.CheckApplicationInstanceCertificates'. The parameter is incorrect. + The error occurred while creating or checking the application instance certificate for application type: Client. Check event log entries for errors and warnings. ---> System.Security.Cryptography.CryptographicException: The parameter is incorrect. at System.Security.Cryptography.NCryptNative.ImportKey(SafeNCryptProviderHandle provider, Byte[] keyBlob, String format) at System.Security.Cryptography.CngKey.Import(Byte[] keyBlob, String curveName, CngKeyBlobFormat format, CngProvider provider) at System.Security.Cryptography.X509Certificates.ECDsaCertificateExtensions.BCryptHandleToNCryptHandle(SafeBCryptKeyHandle bcryptKeyHandle) at System.Security.Cryptography.X509Certificates.ECDsaCertificateExtensions.GetECDsaPublicKey(X509Certificate2 certificate) at System.Security.Cryptography.X509Certificates.ECDsaCertificateExtensions.CopyWithPrivateKey(X509Certificate2 certificate, ECDsa privateKey) at Opc.Ua.Security.Certificates.CertificateBuilder.CreateForECDsa() at Opc.Ua.Configuration.ApplicationInstance.d__52.MoveNext() --- End of stack trace from previous location where exception was thrown --- at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task) at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task) at System.Runtime.CompilerServices.TaskAwaiter.ValidateEnd(Task task) at Opc.Ua.Configuration.ApplicationInstance.d__47.MoveNext() --- End of stack trace from previous location where exception was thrown --- at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task) at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task) at Opc.Ua.Configuration.ApplicationInstance.d__46.MoveNext() --- End of inner exception stack trace --- --- End of inner exception stack trace --- ---> (Inner Exception #0) OpcLabs.EasyOpc.UA.Engine.UAEngineException: UA SDK error (System.Security.Cryptography.CryptographicException) in 'ApplicationInstance.CheckApplicationInstanceCertificates'. The parameter is incorrect. + The error occurred while creating or checking the application instance certificate for application type: Client. Check event log entries for errors and warnings. ---> System.Security.Cryptography.CryptographicException: The parameter is incorrect. at System.Security.Cryptography.NCryptNative.ImportKey(SafeNCryptProviderHandle provider, Byte[] keyBlob, String format) at System.Security.Cryptography.CngKey.Import(Byte[] keyBlob, String curveName, CngKeyBlobFormat format, CngProvider provider) at System.Security.Cryptography.X509Certificates.ECDsaCertificateExtensions.BCryptHandleToNCryptHandle(SafeBCryptKeyHandle bcryptKeyHandle) at System.Security.Cryptography.X509Certificates.ECDsaCertificateExtensions.GetECDsaPublicKey(X509Certificate2 certificate) at System.Security.Cryptography.X509Certificates.ECDsaCertificateExtensions.CopyWithPrivateKey(X509Certificate2 certificate, ECDsa privateKey) at Opc.Ua.Security.Certificates.CertificateBuilder.CreateForECDsa() at Opc.Ua.Configuration.ApplicationInstance.d__52.MoveNext() --- End of stack trace from previous location where exception was thrown --- at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task) at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task) at System.Runtime.CompilerServices.TaskAwaiter.ValidateEnd(Task task) at Opc.Ua.Configuration.ApplicationInstance.d__47.MoveNext() --- End of stack trace from previous location where exception was thrown --- at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task) at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task) at Opc.Ua.Configuration.ApplicationInstance.d__46.MoveNext() --- End of inner exception stack trace ---<--- ---> (Inner Exception #1) OpcLabs.EasyOpc.UA.Engine.UAEngineException: UA SDK error (System.Security.Cryptography.CryptographicException) in 'ApplicationInstance.CheckApplicationInstanceCertificates'. The parameter is incorrect. + The error occurred while creating or checking the application instance certificate for application type: Client. Check event log entries for errors and warnings. ---> System.Security.Cryptography.CryptographicException: The parameter is incorrect. at System.Security.Cryptography.NCryptNative.ImportKey(SafeNCryptProviderHandle provider, Byte[] keyBlob, String format) at System.Security.Cryptography.CngKey.Import(Byte[] keyBlob, String curveName, CngKeyBlobFormat format, CngProvider provider) at System.Security.Cryptography.X509Certificates.ECDsaCertificateExtensions.BCryptHandleToNCryptHandle(SafeBCryptKeyHandle bcryptKeyHandle) at System.Security.Cryptography.X509Certificates.ECDsaCertificateExtensions.GetECDsaPublicKey(X509Certificate2 certificate) at System.Security.Cryptography.X509Certificates.ECDsaCertificateExtensions.CopyWithPrivateKey(X509Certificate2 certificate, ECDsa privateKey) at Opc.Ua.Security.Certificates.CertificateBuilder.CreateForECDsa() at Opc.Ua.Configuration.ApplicationInstance.d__52.MoveNext() --- End of stack trace from previous location where exception was thrown --- at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task) at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task) at System.Runtime.CompilerServices.TaskAwaiter.ValidateEnd(Task task) at Opc.Ua.Configuration.ApplicationInstance.d__47.MoveNext() --- End of stack trace from previous location where exception was thrown --- at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task) at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task) at Opc.Ua.Configuration.ApplicationInstance.d__46.MoveNext() --- End of inner exception stack trace ---<--- 

The application does work from our webserver which has the same setup as the VM that gets the above errors.

Hello.

1. From version 2025.1 onwards, it is normal to see multiple certificates, including when you have one with NistP256 and one with NistP384.

2. Which version/build of the library are you using please

3. For troubleshooting, I need the details of the inner exceptions. If you can debug the program, just break at the where the exception is handled, and inspect the .InnerExceptions property of the AggregateException object inside the "main" UAException - specifically, what are their types, and what are their error messages, etc. ? - post it here. If you cannot use the debugger, put in additional code to obtain and log/output this information.

4. Regarding the article you found - in some cases yes, this can be the reason, but it is a specific case so unless the error messages are like those stated in the article, it would be no surprise that it does not help.

5. What is the scope of the problem? Does it happen on one computer with one piece of software? Or on multiple computers with the same software? Etc.

6. You can try this: Make a backup copy of the certificate stores. Then, remove all certificates for your app, from all of them. And retest.

Best regards

Hello!

We are currently running into a situation where we are getting the following error when we start the service: 
OpcLabs.EasyOpc.UA.OperationModel.UAException: An OPC-UA operation failure with error ID 'OpcLabs.{56E6B7CF}' occurred, originating from '' and with depth of 3. The inner exception, with error Id "OpcLabs.{56E6B7CF}", contains details about the problem. ---> System.AggregateException: 2 error(s) occurred, the first one being: UA SDK error (System.Security.Cryptography.CryptographicException) in 'ApplicationInstance.CheckApplicationInstanceCertificates'.

We found the following kb article and confirmed that the permissions are correctly set. =16pxKB Article

We noticed that the new certificate has [NistP in the name and that there are two with the exact time. Could this be part of the issues we are seeing?

ex:
FioPdcDB04 [NistP256][12314512412412412].der 12:35pm
FioPdcDB04 [NistP384][321511241241412].der 12:35pm

Looking forward to your response!