OPC Studio User's Guide and Reference
OPC UA Certificate Stores
Common Fundamentals > Security > OPC UA Client-Server Security > OPC UA Certificate Stores
In This Topic

Certificate Store Types

OPC Studio can work with certificates located in certificate stores. Certificate stores are of different types; they are either:

For more details on each of these types, see OPC UA Platform-specific Certificate Stores and OPC UA Directory Certificate Stores.

Which certificate store type should I use?

Either store type has its advantages. The Windows store (X509Store) is more secure. For trusted peers and trusted issuers, the directory store is recommended, because the X509Store does not support CRLs (certificate revocation lists) and is harder to manage. 

Certificate Store Path

The certificate store is identified by a string, called certificate store path. The syntax and semantics of this string is as follows:

Certificate Store Locations

OPC Data Client uses several certificate stores for its operations. The location of the stores is given by various parameters. The stores are:

For details on rejected certificate store, trusted issuers certificate store and trusted peers certificate store, see Trusting OPC UA Server Instance Certificate and Trusting OPC UA Server HTTPS Certificate.

Default Settings

When targeting .NET Framework, all certificates that OPC Data Client works with are located in some "shared" directory-based certificate store by default. Specifically:

On Windows, the %CommonApplicationData% token typically resolves to something like "C:\ProgramData" (note that this folder is hidden by default). See OPC UA Directory Certificate Stores for more details.

When targeting .NET 6+, all certificates that OPC Data Client works with are located in a directory-based certificate store under the current working directory by default. Specifically:

See OPC UA Directory Certificate Stores for explanation of the "%LocalFolder"% token, and more details.

Other commonly used setting for application certificate store location under .NET 6+ is "CurrentUser\UA_MachineDefault".

Certificate Store Security

In a secure deployment, the certificate store itself (that is, read and write access to the certificates it contains) must be secured. OPC Studio program needs appropriate permissions to read from (and sometimes write to) the certificate stores. At the same time, access should be denied to unauthorized actors. This is most critical for the write access to the stores (and for read access to the private key parts). Securing the certificate stores is outside of OPC Studio scope.

By default, OPC Studio does not use passwords to access certificate private keys, and the certificates it creates are not protected by passwords. Be aware that the private keys in OPC UA certificate stores for OPC Studio usage may not protected by passwords. For enhanced protection, OPC Studio also allows passwords to be used to protect the private keys.

 

See Also

Examples - OPC UA Application