An HTTPS connection requires a certificate on (placed on the OPC UA server side) to be used for performing the message encryption. This certificate is different than the application instance certificate of the OPC UA server. The OPC UA client must validate and trust the server's HTTPS certificate for the connection to work.

If you are accustomed to using HTTPS in the Web browser, you may know that the browser uses machine-wide certificate stores to determine whether the HTTPS certificate of the Web server you are connecting to can be trusted. Typically, the HTTPS certificate is issued by a well-known CA (Certification Authority), and certificates of such authorities come with the browser, and are maintained by the operating system (updates) or on an enterprise IT level.

When an HTTPS server certificate is trusted by the machine-wide mechanism, OPC UA client applications created with QuickOPC will trust it for HTTPS connections to OPC UA servers as well. One option to establish trust for HTTPS server certificates is therefore to use the same mechanism and procedures as for Web browsing. This approach works, but has the disadvantage that it usually requires administrative privileges to manipulate the Internet certificate stores (normally used for Web browsing).

QuickOPC allows you to use additional rules with server HTTPS certificates. By default, OPC UA client applications created with QuickOPC will also trust server HTTPS certificates if they are allowed by the rules for server instance certificates, as described in Trusting OPC UA Server Instance Certificate. This means that by default:

• Certificate will be trusted if issued by one of certification authorities found in a directory-based store at CommonApplicationData\OPC Foundation\CertificateStores\UA Certificate Authorities .
• Certificate will be trusted if found in a directory-based store at CommonApplicationData\OPC Foundation\CertificateStores\UA Applications .
• Certificate not validated by the above rules will be copied to a directory-based store at CommonApplicationData\OPC Foundation\CertificateStores\RejectedCertificates .
• Connections to some of pre-defined trusted endpoint URL strings are always accepted. The trusted endpoint URL list contains endpoints of QuickOPC public demo servers. Such connections should not be considered secure!
• If the application is running in user interactive mode, the user is presented with a notification allowing him/her to accept or reject the certificate.

In the default state, the HttpsCertificateAcceptancePolicy Property of the UAClientEngineParameters Class contains a null reference. In this state, when you change the policy used for trusting server instance certificates, such changes will also automatically apply to trusting server HTTPS certificates.

You can also specify a different certificate acceptance policy for HTTPS server certificates. To do so, create your own instance of the UACertificateAcceptancePolicy Class, set its properties as needed, and assign it to the HttpsCertificateAcceptancePolicy Property. Note that as with any other static properties of the EasyUAClient Class, this has to be done before any OPC UA operations are invoked.