OPC UA Certificate Management

OPC UA secures communication between the client and the server with certificates that are exchanged during the connection process. A certificate consists of a private key, held by the owner; a public key, shared with communication partners; and a password that unlocks the private key. If a certificate is compromised in any way (for example, if the private key is exposed to unknown parties), the certificate can be placed in a Revocation List so that servers know not to trust clients using that certificate.

To ensure that only authorized clients can connect to an OPC UA server, the server administrator might require that any client attempting to connect pre-share its Client Application Instance Certificate before a connection can be established. In this case you must export the client public key so that the administrator can store it in the trust list for the server.

Industrial Communication Toolbox™ automatically generates a Client Application Instance Certificate the first time you call opcuaserverinfo or construct an OPC UA client with opcua. Use exportClientCertificate to copy the client public key to a file that you can share with server administrators.

Note for Administrators

Currently it is not possible to replace the Client Application Instance Certificate for Industrial Communication Toolbox.