In This Topic

In a secured OPC-UA solution, the OPC server identifies itself to the OPC client using its instance certificate. The OPC client authenticates the certificate and checks whether the communication with that OPC server is authorized. Typically, the process of checking other party’s instance certificate is achieved through use of certificate trust lists, accessible programmatically and by means of UA Configuration Tool (installed with our product, and with OPC-UA downloads provided by OPC Foundation).

In QuickOPC-UA, you can control how server instance certificates are trusted using Certificate Acceptance Policy (UACertificateAcceptancePolicy object) that you can parameterize in the EngineParameters property on the EasyUAClient object.

By default:

Certificate will be trusted if issued by one of certification authorities found in a "Trusted Issuers" certificate store, while default to a directory-based store at CommonApplicationData\OPC Foundation\CertificateStores\UA Certificate Authorities .
Certificate will be trusted if found in a "Trusted Peers" certificate store, which defaults to a directory-based store at CommonApplicationData\OPC Foundation\CertificateStores\UA Applications .
Certificate not validated by the above rules will be copied to a "Rejected" certificate store, which defaults to a directory-based store at CommonApplicationData\OPC Foundation\CertificateStores\RejectedCertificates .
Connections to some of pre-defined trusted endpoint URL strings are always accepted. The trusted endpoint URL list contains endpoints of QuickOPC public demo servers. Such connections should not be considered secure!
If the application is running in user interactive mode, the user is presented with a notification allowing him/her to accept or reject the certificate.

When targeting .NET 6 or 7, the certificate stores listed above are "rooted" under your application's executable directory, and not under a shared location (CommonApplicationData). See OPC UA Certificate Stores for more information.

Certificates issued by a certification authority (CA) must contain a verifiable certificate chain leading to the CA. QuickOPC requires that the root (CA) certificate must be included in the chain as well.

As you can see from the rules described above, a certificate that is not initially trusted by the client will be copied to the "Rejected" certificate store. If you know that the server certificate should be trusted, you can locate this rejected certificate and manually move it to the "Trusted Peers" certificate store, which will make it trusted next time it is provided by the server to the client.

Trust Settings

In Certificate Acceptance Policy

The TrustedEndpointUrlStrings property contains an array of endpoint URLs that are always trusted, without regard for the certificate provided. By default, this list contains endpoint URLs of the demo OPC UA Sample Server on the Internet (opcua.demo-this.com) and the local OPC UA Sample Server, meaning that you will always be able to use the sample servers from QuickOPC-UA, even if configuration of its instance certificate, or configuration of trusted certificate list for QuickOPC-UA has done been done properly. In a fully secure configuration, this list should be empty.

The AcceptAnyCertificate property determines whether the client accepts any server certificate, even if a certificate validation error occurs. Setting this property to true effectively bypasses an important security feature in OPC Unified Architecture. Use it only for testing and development purposes, or if your application does not require the server certificate check.

The AllowUserAcceptCertificate property determines whether the interactive user can be prompted to and accept a server certificate that has failed other validation checks. This setting has effect only when the current process is running in user interactive mode.

The CheckTimeValidAndNested Property determines whether the time value in the certificate will be checked for validity (e.g. does not indicate that the certificate has expired) and that the CA certificate and the issued certificate have validity periods that are nested.

The RequireRevocationStatusKnown Property determines whether it is required that it must be possible to determine whether the certificate has been revoked.

Elsewhere

The type and location of trusted issuers certificate store can be controlled by EasyUAApplication.ApplicationParameters.ApplicationManifest.InstanceIssuerStorePath Property. By default, QuickOPC-UA uses a standard directory-based store defined by OPC Foundation (“UA Certificate Authorities”).

The type and location of trusted peers certificate store can be controlled by EasyUAApplication.ApplicationParameters.ApplicationManifest.InstanceTrustedStorePath Property property. By default, QuickOPC-UA uses a standard directory-based store defined by OPC Foundation (“UA Applications”).

The path to the rejected certificate store can be controlled by EasyUAApplication.ApplicationParameters.ApplicationManifest.RejectedStorePath Property property. By default, QuickOPC-UA uses a standard directory-based store defined by OPC Foundation (“RejectedCertificates”).

Some finer details regarding the server instance checking process can be controlled by a configuration file, if you correspondingly configure the EasyUAClient.SharedParameters.EngineParameters.ConfigurationSources. For more information, see “Application Configuration” chapter under “Advanced Topics”.

Refreshing Trust Lists from the GDS

If your OPC UA setup includes an OPC UA Global Registration Server (GDS), you might be able to acquire the trust lists from the GDS (in the role of Certificate Manager, CM) and refresh the certificate stores accordingly. For more information, see OPC UA Client-Server Application Service (or, less preferrably, OPC UA Certificate Management Client).

Reference

UACertificateAcceptancePolicy Class

UAClientEngineParameters Class

CertificateAcceptancePolicy Property (in UAClientEngineParameters Class)

UAEndpointDescriptor Class