OPC UA Asset Connection: save rejected server certificates

tbischoff2 · mjacoby · commit fc030c88a12a · 2026-01-29T15:32:28.000+01:00
diff --git a/assetconnection/opcua/src/main/java/de/fraunhofer/iosb/ilt/faaast/service/assetconnection/opcua/util/OpcUaHelper.java b/assetconnection/opcua/src/main/java/de/fraunhofer/iosb/ilt/faaast/service/assetconnection/opcua/util/OpcUaHelper.java
@@ -45,8 +45,8 @@
 import org.eclipse.milo.opcua.stack.core.UaException;
 import org.eclipse.milo.opcua.stack.core.UaServiceFaultException;
 import org.eclipse.milo.opcua.stack.core.security.DefaultClientCertificateValidator;
+import org.eclipse.milo.opcua.stack.core.security.FileBasedCertificateQuarantine;
 import org.eclipse.milo.opcua.stack.core.security.FileBasedTrustListManager;
-import org.eclipse.milo.opcua.stack.core.security.MemoryCertificateQuarantine;
 import org.eclipse.milo.opcua.stack.core.transport.TransportProfile;
 import org.eclipse.milo.opcua.stack.core.types.builtin.DataValue;
 import org.eclipse.milo.opcua.stack.core.types.builtin.ExpandedNodeId;
@@ -408,8 +408,9 @@ private static OpcUaClient createClient(OpcUaAssetConnectionConfig config)
         DefaultClientCertificateValidator certificateValidator;
         try {
             Files.createDirectories(config.getSecurityBaseDir());
-            certificateValidator = new DefaultClientCertificateValidator(FileBasedTrustListManager.createAndInitialize(SecurityPathHelper.pki(config.getSecurityBaseDir())),
-                    new MemoryCertificateQuarantine());
+            Path pkiDir = SecurityPathHelper.pki(config.getSecurityBaseDir());
+            certificateValidator = new DefaultClientCertificateValidator(FileBasedTrustListManager.createAndInitialize(pkiDir),
+                    FileBasedCertificateQuarantine.create(pkiDir.resolve("rejected")));
         }
         catch (IOException e) {
             throw new ConfigurationInitializationException("unable to initialize OPC UA client security", e);
