OPC Studio User's Guide and Reference
Trusting OPC UA Peer Instance Certificate
Fundamentals > Common Fundamentals > Security > OPC UA Client-Server Security > Trusting OPC UA Peer Instance Certificate
In This Topic

In a secured OPC-UA solution, the OPC server identifies itself to the OPC client using its instance certificate. The OPC client authenticates the certificate and checks whether the communication with that OPC server is authorized. Typically, the process of checking other party’s instance certificate is achieved through use of certificate trust lists, accessible programmatically and by means of UA Configuration Tool (installed with our product, and with OPC-UA downloads provided by OPC Foundation).

By default:

When targeting .NET 6 or 8, the certificate stores listed above are "rooted" under your application's executable directory, and not under a shared location (CommonApplicationData). See OPC UA Certificate Stores for more information.
Certificates issued by a certification authority (CA) must contain a verifiable certificate chain leading to the CA. OPC Data Client requires that the root (CA) certificate must be included in the chain as well.

As you can see from the rules described above, a certificate that is not initially trusted by the client will be copied to the "Rejected" certificate store. If you know that the server certificate should be trusted, you can locate this rejected certificate and manually move it to the "Trusted Peers" certificate store, which will make it trusted next time it is provided by the server to the client.

In OPC UA clients developed with OPC Studio (OPC Data Client), you can control how server instance certificates are trusted using Certificate Acceptance Policy (UACertificateAcceptancePolicy object) that you can parameterize in the EngineParameters property of the static SharedParameters Property of the EasyUAClient object.

In OPC UA servers developed with OPC Studio (OPC Wizard), you can control how client instance certificates are trusted using the Certificate Acceptance Policy object(UACertificateAcceptancePolicy Class) in the CertificateAcceptancePolicy Property in the EngineParameters Property of the static SharedParameters Property of the EasyUAServer Class.

Trust Settings

In Certificate Acceptance Policy

In OPC UA client application, the TrustedEndpointUrlStrings property contains an array of endpoint URLs that are always trusted, without regard for the certificate provided. By default, this list contains endpoint URLs of the demo OPC UA Sample Server on the Internet (opcua.demo-this.com) and the local OPC UA Sample Server, meaning that you will always be able to use the sample servers from OPC Data Client-UA, even if configuration of its instance certificate, or configuration of trusted certificate list for OPC Studio has done been done properly. In a fully secure configuration, this list should be empty.

The AcceptAnyCertificate property determines whether the client accepts any server certificate, even if a certificate validation error occurs. Setting this property to true effectively bypasses an important security feature in OPC Unified Architecture. Use it only for testing and development purposes, or if your application does not require the server certificate check.

The AllowUserAcceptCertificate property determines whether the interactive user can be prompted to and accept a server certificate that has failed other validation checks.  This setting has effect only when the current process is running in user interactive mode.

The CheckTimeValidAndNested Property determines whether the time value in the certificate will be checked for validity (e.g. does not indicate that the certificate has expired) and that the CA certificate and the issued certificate have validity periods that are nested.

The RequireRevocationStatusKnown Property determines whether it is required that it must be possible to determine whether the certificate has been revoked.

Elsewhere

The type and location of trusted issuers certificate store can be controlled by EasyUAApplication.ApplicationParameters.ApplicationManifest.InstanceIssuerStorePath Property. By default, programs based on OPC Studio use a standard directory-based store defined by OPC Foundation (“UA Certificate Authorities”).

The type and location of trusted peers certificate store can be controlled by EasyUAApplication.ApplicationParameters.ApplicationManifest.InstanceTrustedStorePath Property property. By default, programs based on OPC Studio use a standard directory-based store defined by OPC Foundation (“UA Applications”).

The path to the rejected certificate store can be controlled by EasyUAApplication.ApplicationParameters.ApplicationManifest.RejectedStorePath Property property. By default, programs based on OPC Studio use a standard directory-based store defined by OPC Foundation (“RejectedCertificates”).

Some finer details regarding the server instance checking process can be controlled by a configuration file, if you correspondingly configure the EasyUAClient.SharedParameters.EngineParameters.ConfigurationSources. For more information, see “Application Configuration” chapter under “Advanced Topics”.

Refreshing Trust Lists from the GDS

If your OPC UA setup includes an OPC UA Global Registration Server (GDS), you might be able to acquire the trust lists from the GDS (in the role of Certificate Manager, CM) and refresh the certificate stores accordingly. For more information, see OPC UA Client-Server Application Service (or, less preferably, OPC UA Certificate Management Client).

See Also

Concepts

Reference