OPC UA Client and Server Certificate Exchange

When testing the OPC UA connection, you may be asked whether you want to trust the server's certificate. You must trust it before the connection can be established. This topic describes what happens behind the scenes.

Both the server and the client have their own certificate. In OPC UA this is an X.509 application instance certificate: a signed piece of information that identifies the server or client application and carries its public key, similar to a driver's license or a business card in real life. Servers and clients typically generate a self-signed certificate when they are installed, but your IT department may also issue certificates to them from a corporate certificate authority.

When creating a connection, the server and client exchange their certificates to introduce themselves (just like business cards). Unlike a normal conversation, however, a server and a client are not allowed to talk to each other until an administrator has permitted it. If the other party's certificate is not already in the Trusted store, each side puts it into its Rejected store, rejects the connection request, and waits for an administrator to approve the connection. This is done for security reasons: without it, any application able to reach the network could connect.

The administrator may then allow the connection by moving the certificate from the Rejected store into the Trusted store. This is exactly what happens when you click Trust the server certificate while testing the connection. Before you do so, confirm that the certificate really belongs to the server you intend to connect to, for example by comparing its thumbprint with the one displayed on the server itself, because trusting a certificate permanently allows that application to connect. Remember that the server performs the same check on the client's certificate, so the server's administrator may also have to trust the OPC UA PM client certificate on that side.

The OPC UA Point Manager (OPC UA PM) is based on the OPC Foundation SDK, so some parts of its configuration follow exactly the same rules as the OPC Foundation SDK implementation. Among these is the Public Key Infrastructure (PKI) folder where the certificate stores are kept. In some cases, you may be required to copy the Takebishi Device Explorer and FrameWorX Server certificates into the OPC Foundation folder.
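The following Python script is an added illustration of the Rejected and Trusted store handling described above and of the PKI folder layout; it is not code from the OPC UA Point Manager or the OPC Foundation SDK. It assumes a PKI root containing `trusted/certs` and `rejected/certs` subfolders, and names each stored file after the certificate's SHA-1 thumbprint (the SDK's real file naming differs). The certificate bytes are constructed placeholders, not real X.509 DER, since the logic only treats them as opaque bytes to hash and compare.

```python
"""Added example: directory-based Trusted/Rejected certificate stores.

Illustrative code written for this page, not from the OPC UA Point Manager
or the OPC Foundation SDK.  Assumptions: a PKI root with "trusted/certs"
and "rejected/certs" subfolders, files named by SHA-1 thumbprint.  The
certificate bytes are constructed placeholders, not real X.509 DER.
"""
import hashlib
import shutil
import tempfile
from pathlib import Path

# Constructed placeholder standing in for the server's DER-encoded certificate.
SERVER_CERT = b"\x30\x82\x01\x00CONSTRUCTED-SERVER-CERT-application-uri=urn:demo:server"


class CertificateStores:
    """Trusted and Rejected stores kept as folders under a PKI root."""

    def __init__(self, pki_root):
        self.trusted = Path(pki_root) / "trusted" / "certs"
        self.rejected = Path(pki_root) / "rejected" / "certs"
        for folder in (self.trusted, self.rejected):
            folder.mkdir(parents=True, exist_ok=True)

    @staticmethod
    def thumbprint(cert_der):
        """OPC UA identifies a certificate by the SHA-1 hash of its DER bytes."""
        return hashlib.sha1(cert_der).hexdigest().upper()

    def validate_peer(self, cert_der):
        """Run by either side when the other party presents its certificate.

        Returns True only if an identical certificate is already in the
        Trusted store.  Anything else is parked in the Rejected store for an
        administrator to review, and the connection is refused.
        """
        name = self.thumbprint(cert_der) + ".der"
        trusted_copy = self.trusted / name
        if trusted_copy.exists() and trusted_copy.read_bytes() == cert_der:
            return True
        (self.rejected / name).write_bytes(cert_der)
        return False

    def pending(self):
        """Thumbprints waiting in the Rejected store for an administrator."""
        return sorted(p.stem for p in self.rejected.glob("*.der"))

    def trust(self, thumbprint):
        """Administrator action: move one certificate from Rejected to Trusted.

        The thumbprint is passed explicitly so the operator has to have read
        it (ideally from the server's own UI) before approving; trust is
        permanent for that certificate.
        """
        src = self.rejected / (thumbprint + ".der")
        if not src.exists():
            raise FileNotFoundError("no rejected certificate with thumbprint " + thumbprint)
        shutil.move(str(src), str(self.trusted / src.name))


def demo():
    """Walk through first contact, approval, reconnect, and certificate rotation."""
    with tempfile.TemporaryDirectory() as pki_root:
        stores = CertificateStores(pki_root)
        first = stores.validate_peer(SERVER_CERT)    # unknown -> Rejected, refused
        waiting = stores.pending()                   # administrator sees one thumbprint
        stores.trust(waiting[0])                     # "Trust the server certificate"
        second = stores.validate_peer(SERVER_CERT)   # now accepted
        # The same server later presents a re-issued certificate: different
        # bytes, different thumbprint, so it is rejected again until approved.
        rotated = SERVER_CERT.replace(b"SERVER", b"SERVER-REISSUED")
        third = stores.validate_peer(rotated)
        return {"first": first, "second": second, "third": third,
                "waiting": waiting,
                "still_trusted": stores.validate_peer(SERVER_CERT)}


if __name__ == "__main__":
    print(demo())
```

Trust is keyed on the exact certificate bytes, not on the server's name or address, which is why a re-issued or renewed server certificate shows up in the Rejected store again and has to be approved a second time. Certificates issued by a CA in an issuer store are a separate path that this example does not model.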