An HTTPS connection requires a certificate (placed on the OPC UA server side) that is used for message encryption. This certificate is different from the application instance certificate of the OPC UA server. The OPC UA client must validate and trust the server's HTTPS certificate for the connection to work.
If you are accustomed to using HTTPS in the Web browser, you may know that the browser uses machine-wide certificate stores to determine whether the HTTPS certificate of the Web server you are connecting to can be trusted. Typically, the HTTPS certificate is issued by a well-known CA (Certification Authority), and certificates of such authorities come with the browser, and are maintained by the operating system (updates) or on an enterprise IT level.
When an HTTPS server certificate is trusted by the machine-wide mechanism, OPC UA client applications created with OPC Studio will trust it for HTTPS connections to OPC UA servers as well. One option to establish trust for HTTPS server certificates is therefore to use the same mechanism and procedures as for Web browsing. This approach works, but has the disadvantage that it usually requires administrative privileges to manipulate the Internet certificate stores (normally used for Web browsing).
OPC Studio allows you to use additional rules with server HTTPS certificates. By default, OPC UA client applications created with OPC Studio will also trust server HTTPS certificates if they are allowed by the rules for server instance certificates, as described in Trusting OPC UA Server Instance Certificate. This means that by default:
CommonApplicationData\OPC Foundation\CertificateStores\UA Certificate Authorities.
CommonApplicationData\OPC Foundation\CertificateStores\UA Applications.
CommonApplicationData\OPC Foundation\CertificateStores\RejectedCertificates.
In the default state, the HttpsCertificateAcceptancePolicy Property of the UAClientEngineParameters Class contains a null reference. In this state, when you change the policy used for trusting server instance certificates, such changes will also automatically apply to trusting server HTTPS certificates.
You can also specify a different certificate acceptance policy for HTTPS server certificates. To do so, create your own instance of the UACertificateAcceptancePolicy Class, set its properties as needed, and assign it to the HttpsCertificateAcceptancePolicy Property. Note that as with any other static properties of the EasyUAClient Class, this has to be done before any OPC UA operations are invoked.
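The steps above as an added C# example (not from the original documentation): a dedicated, stricter policy for HTTPS certificates, assigned before the first OPC UA operation. The namespaces, the `EasyUAClient.SharedParameters.EngineParameters` path and the policy properties `AcceptAnyCertificate`, `AllowUserAcceptCertificate` and `TrustedEndpointUrlStrings` are not named on this page and are assumed from the OPC Studio API (check them against the class reference for your version); the endpoint URL and node ID are placeholders.

```csharp
using System;
using OpcLabs.EasyOpc.UA;
using OpcLabs.EasyOpc.UA.Engine;
using OpcLabs.EasyOpc.UA.OperationModel;

static class HttpsCertificatePolicyExample
{
    static void Main()
    {
        // A separate policy object for HTTPS certificates. Once assigned, later
        // changes to the server instance certificate policy no longer carry
        // over to HTTPS, because the HTTPS property is no longer null.
        var httpsPolicy = new UACertificateAcceptancePolicy
        {
            // Assumed property names: never accept an unknown HTTPS certificate
            // silently, and never ask an interactive user to accept one.
            AcceptAnyCertificate = false,
            AllowUserAcceptCertificate = false
        };
        // Assumed property name: no endpoint URL is trusted implicitly.
        httpsPolicy.TrustedEndpointUrlStrings.Clear();

        // Static (shared) parameters must be set before any OPC UA operation
        // is invoked in this process.
        EasyUAClient.SharedParameters.EngineParameters.HttpsCertificateAcceptancePolicy =
            httpsPolicy;

        var client = new EasyUAClient();
        try
        {
            // Placeholder endpoint and node ID; replace with your own.
            object value = client.ReadValue(
                "https://server.example:4843/UA/PlaceholderServer",
                "nsu=http://server.example/placeholder ;i=1001");
            Console.WriteLine("Value: {0}", value);
        }
        catch (UAException e)
        {
            // An untrusted HTTPS certificate surfaces here as a failed
            // operation; log it rather than loosening the policy in code.
            Console.WriteLine("Failure: {0}", e.GetBaseException().Message);
        }
    }
}
```

With this policy in place, an HTTPS certificate is accepted only if it is already trusted through the machine-wide mechanism or the certificate stores, so a failed read against a new server is the expected signal to review and install its certificate deliberately.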