Best Practices for Configuring the OPC UA Application

Follow these best practices and recommendations when editing the OPC UA application configuration file.

Security

  • Always set AutoAcceptUntrustedCertificates to false in production.
  • Use the SignAndEncrypt_3 security mode.
  • Reject SHA-1 certificates.
  • Use RSA keys of at least 2048 bits.
  • Use keys of 256 bits or higher for ECC certificates.
  • Regularly update trust lists.
  • Enable certificate revocation checking.
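
The first four security items can be checked automatically before a configuration file is deployed. The script below is an added example, not part of the product or its documentation. It assumes a server-side XML configuration; apart from AutoAcceptUntrustedCertificates and SignAndEncrypt_3, the element names (RejectSHA1SignedCertificates, MinimumCertificateKeySize, SecurityMode) and the sample file are assumptions modelled on the OPC Foundation .NET Standard stack.

```python
import xml.etree.ElementTree as ET

# Constructed sample config (not from the page). Element names other than
# AutoAcceptUntrustedCertificates and SignAndEncrypt_3 are assumptions modelled
# on the OPC Foundation .NET Standard stack's ApplicationConfiguration schema.
SAMPLE = """<ApplicationConfiguration xmlns="http://opcfoundation.org/UA/SDK/Configuration.xsd">
  <SecurityConfiguration>
    <AutoAcceptUntrustedCertificates>true</AutoAcceptUntrustedCertificates>
    <RejectSHA1SignedCertificates>false</RejectSHA1SignedCertificates>
    <MinimumCertificateKeySize>1024</MinimumCertificateKeySize>
  </SecurityConfiguration>
  <ServerConfiguration>
    <SecurityPolicies>
      <ServerSecurityPolicy><SecurityMode>None_1</SecurityMode></ServerSecurityPolicy>
      <ServerSecurityPolicy><SecurityMode>SignAndEncrypt_3</SecurityMode></ServerSecurityPolicy>
    </SecurityPolicies>
  </ServerConfiguration>
</ApplicationConfiguration>"""

def _values(root, name):
    """Text of every element with this local name, ignoring the XML namespace."""
    return [(e.text or "").strip() for e in root.iter()
            if e.tag.rsplit("}", 1)[-1] == name]

def audit(xml_text):
    """Return a list of findings; an empty list means every check passed."""
    root = ET.fromstring(xml_text)
    findings = []
    # A missing element is reported too, so stack defaults are never relied on.
    def require(name, ok, message):
        vals = _values(root, name)
        if not vals:
            findings.append(f"{name}: not set explicitly")
        findings.extend(f"{name}={v}: {message}" for v in vals if not ok(v))
    require("AutoAcceptUntrustedCertificates", lambda v: v.lower() == "false",
            "must be false in production")
    require("RejectSHA1SignedCertificates", lambda v: v.lower() == "true",
            "SHA-1 certificates must be rejected")
    require("MinimumCertificateKeySize", lambda v: v.isdigit() and int(v) >= 2048,
            "RSA keys must be at least 2048 bits")
    require("SecurityMode", lambda v: v == "SignAndEncrypt_3",
            "endpoint does not use SignAndEncrypt_3")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

Running it as a pre-deployment or CI step turns the checklist into a gate: a non-empty result means the file should not ship.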

Performance

  • Tune operation limits based on the use case.
  • Use appropriate message and buffer sizes.
  • Configure realistic timeouts.
  • Use subscriptions for real-time data.
  • Implement data paging for large datasets.

Reliability

  • Configure appropriate session timeouts.
  • Set reasonable channel lifetimes.
  • Implement error handling for certificate issues.
  • Monitor the rejected certificate store.
  • Enable trace logging for diagnostics.

Maintenance

  • Use environment variables for portable paths.
  • Document custom configuration changes.
  • Keep configuration files under version control.
  • Test configuration changes in development first.
  • Perform regular security audits.