TopView engine unable to connect to OPC UA server: SHA 1 Certificates are not trusted

Issue

The TopView engine was unable to connect to the OPC UA server because of a certificate issue. When inspecting the logs, we could see error messages similar to those that would occasionally appear when testing connections.

This issue may show as the following error messages when testing connections in TopView Configurator:
Certificate status: BadCertificatePolicyCheckFailed (code: 2165571584)
SHA1 signed certificates are not trusted.

You may see the following when running an engine:
Failed to connect to session using alias "[aliasname]"
...and the following in the Application Log file (accessible in the TopView Admin Tools application):
Certificate from "CN=[...]" has the following issue: BadCertificatePolicyCheckFailed 'SHA1 signed certificates are not trusted.'
Rejecting certificate from "CN=[...]"

Solutions

  1. In TopView's UA settings, you can switch to automatically accept server certificates for both the Configurator and Engine processes:
    1. To get to TopView's UA settings, go to the "Tags & Limits" page and click the "Gear" button next to the "Server" textbox (above and to the left of the "Add tags (tags search)..." button).
    2. Auto-accepting certificates is not a security best practice, because the client no longer validates the certificate the server presents. If you only plan to connect to known servers and can trust that you will only be connecting to approved servers, this may be OK.
  2. Switch to an XML UA configuration file in which you include a line to not reject SHA1 Signed Certificates
    1. XML configuration information below

XML Configuration instructions

Add the SHA1 rejection tag within the security configuration element similar to the following:
    <SecurityConfiguration>
      <RejectSHA1SignedCertificates>false</RejectSHA1SignedCertificates>
    </SecurityConfiguration>
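
Before turning off SHA1 rejection, it is worth confirming which server certificates are actually SHA1-signed, so the exception is understood and the affected servers can be identified. The PowerShell below is an added example, not part of the original article or of TopView; it assumes the OPC UA server certificates have been exported as .der/.cer/.crt files, and the folder path is a placeholder.

```powershell
# Added example: report the signature algorithm of exported OPC UA server certificates.
# $CertFolder is a placeholder (assumption), not a TopView path.
param(
    [string]$CertFolder = 'C:\Temp\opcua-server-certs'
)

# Signature algorithm OIDs that use SHA-1 as the hash
$sha1Oids = @{
    '1.2.840.113549.1.1.5' = 'sha1WithRSAEncryption'
    '1.3.14.3.2.29'        = 'sha1WithRSASignature (OIW)'
    '1.2.840.10040.4.3'    = 'dsa-with-sha1'
    '1.2.840.10045.4.1'    = 'ecdsa-with-SHA1'
}

function Get-CertSignatureReport {
    param([Parameter(Mandatory)][string]$Path)

    Get-ChildItem -Path $Path -File -Recurse -Include *.der, *.cer, *.crt | ForEach-Object {
        $file = $_
        try {
            $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($file.FullName)
        } catch {
            # Unreadable or non-certificate file: report it and move on to the next file
            Write-Warning "Skipping $($file.Name): not a readable X.509 certificate"
            return
        }
        [pscustomobject]@{
            File       = $file.Name
            Subject    = $cert.Subject
            # The Windows thumbprint is always a SHA-1 hash of the certificate and is
            # only an identifier; it says nothing about how the certificate was signed.
            Thumbprint = $cert.Thumbprint
            SigAlgOid  = $cert.SignatureAlgorithm.Value
            SigAlgName = $cert.SignatureAlgorithm.FriendlyName
            Sha1Signed = $sha1Oids.ContainsKey($cert.SignatureAlgorithm.Value)
            NotAfter   = $cert.NotAfter
        }
    }
}

# List SHA1-signed certificates first
Get-CertSignatureReport -Path $CertFolder |
    Sort-Object Sha1Signed -Descending |
    Format-Table File, Subject, SigAlgName, Sha1Signed, NotAfter -AutoSize
```

Certificates reported with Sha1Signed = True are the ones that produce the BadCertificatePolicyCheckFailed message shown above.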

