Certificate Store Types
OPC Studio can work with certificates located in certificate stores. Certificate stores are of different types; they are either:
- platform-specific certificate store (Windows, Linux, macOS, ...), or
- directory in a file system.
For more details on each of these types, see OPC UA Platform-specific Certificate Stores and OPC UA Directory Certificate Stores.
Which certificate store type should I use?
Either store type has its advantages. The Windows store (X509Store) is more secure. For trusted peers and trusted issuers, the directory store is recommended, because the X509Store does not support CRLs (certificate revocation lists) and is harder to manage.
Certificate Store Path
The certificate store is identified by a string, called the certificate store path. The syntax and semantics of this string are as follows:
- If the string starts with "LocalMachine\" (case insensitive), it denotes a platform-specific certificate store for the local computer. The store name follows this prefix.
- If the string starts with "CurrentUser\" (case insensitive), it denotes a platform-specific certificate store for the current user. The store name follows this prefix.
- Otherwise, the string denotes a certificate store located in a file system directory, and the value is equal to the directory path. The string can contain replaceable tokens that refer to specific locations. For details, see OPC UA Directory Certificate Stores.
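As an added illustration (not OPC Studio's own code), the following C# helper classifies a certificate store path string by the three rules above and opens a platform-specific store read-only. The type and method names are assumptions; only the %CommonApplicationData% token is expanded here, via the .NET special-folder API, and any other token is left untouched.

```csharp
using System;
using System.Security.Cryptography.X509Certificates;
using System.Text.RegularExpressions;

// Added example, not part of OPC Studio: classification of a store path string.
public enum StoreKind { PlatformLocalMachine, PlatformCurrentUser, Directory }

public sealed class ParsedStorePath
{
    public StoreKind Kind { get; set; }
    public string StoreName { get; set; }      // platform store name, e.g. "UA_MachineDefault"
    public string DirectoryPath { get; set; }  // directory path with known tokens expanded
}

public static class CertificateStorePath
{
    private const string LocalMachinePrefix = "LocalMachine\\";
    private const string CurrentUserPrefix = "CurrentUser\\";

    public static ParsedStorePath Parse(string path)
    {
        if (string.IsNullOrWhiteSpace(path))
            throw new ArgumentException("Certificate store path must not be empty.", nameof(path));

        // Prefix matching is case insensitive, as documented.
        const StringComparison cmp = StringComparison.OrdinalIgnoreCase;
        if (path.StartsWith(LocalMachinePrefix, cmp))
            return new ParsedStorePath { Kind = StoreKind.PlatformLocalMachine,
                                         StoreName = path.Substring(LocalMachinePrefix.Length) };
        if (path.StartsWith(CurrentUserPrefix, cmp))
            return new ParsedStorePath { Kind = StoreKind.PlatformCurrentUser,
                                         StoreName = path.Substring(CurrentUserPrefix.Length) };

        // Anything else is a directory store. Expand %CommonApplicationData% (assumption:
        // other tokens such as %LocalFolder% are intentionally not handled in this sample).
        string commonData = Environment.GetFolderPath(Environment.SpecialFolder.CommonApplicationData);
        string expanded = Regex.Replace(path, Regex.Escape("%CommonApplicationData%"),
                                        m => commonData, RegexOptions.IgnoreCase);
        return new ParsedStorePath { Kind = StoreKind.Directory, DirectoryPath = expanded };
    }

    // Opens a platform-specific store read-only; fails if the store does not already exist,
    // so a typo in the store name is reported instead of silently creating an empty store.
    public static X509Store OpenPlatformStore(ParsedStorePath parsed)
    {
        if (parsed.Kind == StoreKind.Directory)
            throw new InvalidOperationException("Directory stores are not X509Store instances.");
        var location = parsed.Kind == StoreKind.PlatformLocalMachine
            ? StoreLocation.LocalMachine : StoreLocation.CurrentUser;
        var store = new X509Store(parsed.StoreName, location);
        store.Open(OpenFlags.ReadOnly | OpenFlags.OpenExistingOnly);
        return store;
    }
}
```

Parse("currentuser\\UA_MachineDefault") yields a PlatformCurrentUser store named "UA_MachineDefault", while a path without either prefix is treated as a directory even if it happens to contain a backslash.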
Certificate Store Locations
OPC Data Client uses several certificate stores for its operations. The location of the stores is given by various parameters. The stores are:
- Application certificate store. A client application created with OPC Data Client looks for or creates its own instance certificate here. The location of the store is controlled by EasyUAApplication.ApplicationParameters.ApplicationManifest.InstanceOwnStorePath Property. For more details, see Providing OPC UA Client Instance Certificate. The application instance certificates in this store include the private keys.
- Rejected certificate store. Server certificates that fail validation are placed into this store. Normally the certificates in this store do not include the private key, but in some cases they may (when validation of the application's own instance certificate fails, as opposed to validation of a certificate belonging to the other communication party).
- Trusted issuers certificate store. Contains certificates of Certification Authorities to be trusted.
- Trusted peers certificate store. Contains specific OPC UA application instance certificates to be trusted.
For details on rejected certificate store, trusted issuers certificate store and trusted peers certificate store, see Trusting OPC UA Server Instance Certificate and Trusting OPC UA Server HTTPS Certificate.
Default Settings
When targeting .NET Framework, all certificates that OPC Data Client works with are located in some "shared" directory-based certificate store by default. Specifically:
- Default application certificate store is "%CommonApplicationData%\OPC Foundation\CertificateStores\MachineDefault".
- Default rejected certificate store is "%CommonApplicationData%\OPC Foundation\CertificateStores\RejectedCertificates".
- Default trusted issuers certificate store is "%CommonApplicationData%\OPC Foundation\CertificateStores\UA Certificate Authorities".
- Default trusted peers certificate store is "%CommonApplicationData%\OPC Foundation\CertificateStores\UA Applications".
On Windows, the %CommonApplicationData% token typically resolves to something like "C:\ProgramData" (note that this folder is hidden by default). See OPC UA Directory Certificate Stores for more details.
When targeting .NET 6+, all certificates that OPC Data Client works with are located in a directory-based certificate store under the current working directory by default. Specifically:
- Default application certificate store is "%LocalFolder%/OPC Foundation/CertificateStores/MachineDefault".
- Default rejected certificate store is "%LocalFolder%/OPC Foundation/CertificateStores/RejectedCertificates".
- Default trusted issuers certificate store is "%LocalFolder%/OPC Foundation/CertificateStores/UA Certificate Authorities".
- Default trusted peers certificate store is "%LocalFolder%/OPC Foundation/CertificateStores/UA Applications".
See OPC UA Directory Certificate Stores for an explanation of the "%LocalFolder%" token and more details.
Another commonly used setting for the application certificate store location under .NET 6+ is "CurrentUser\UA_MachineDefault".
Certificate Store Security
In a secure deployment, the certificate store itself (that is, read and write access to the certificates it contains) must be secured. OPC Studio program needs appropriate permissions to read from (and sometimes write to) the certificate stores. At the same time, access should be denied to unauthorized actors. This is most critical for the write access to the stores (and for read access to the private key parts). Securing the certificate stores is outside of OPC Studio scope.
By default, OPC Studio does not use passwords to access certificate private keys, and the certificates it creates are not protected by passwords. Be aware that the private keys in OPC UA certificate stores used by OPC Studio may therefore not be protected by passwords. For enhanced protection, OPC Studio also allows passwords to be used to protect the private keys.
See Also
Examples - OPC UA Application