In This Topic

The platform-specific certificate stores are implemented and maintained by the operating system or the runtime. As explained in OPC UA Certificate Stores, you specify the platform-specific certificate store by starting the certificate store path by either "LocalMachine\" or "CurrentUser\".

If the string starts with "LocalMachine\" (case insensitive), it denotes a platform-specific certificate store for the local computer. Commonly used examples are: "LocalMachine\My", "LocalMachine\UA Applications" or "LocalMachine\UA Certificate Authorities".
If the string starts with "CurrentUser\" (case insensitive), it denotes a platform-specific certificate store for the current user. Commonly used examples are: "CurrentUser\My" or "CurrentUser\Root".

The store name follows the prefix.

Some older code or documentation might use the term "Windows certificate store" for certificate stores that can, in fact, now be implemented also on other platforms, such as Linux or macOS. This is due to the Windows origins of such code or documentation. As QuickOPC now supports multiple development platforms and operating systems, in new documents we consistently use the term "platform-specific certificate store" wherever we refer to a general platform-provided certificate store concept. In new documents, we use the term "Windows certificate store" only to refer to a specific implementation of platform-specific certificate store on Windows operating system. Similarly, we would use "Linux certificate store" to refer to a platform-specific certificate store in a way that is implemented in Linux (which may differ by the particular .NET runtime, e.g. .NET Framework vs .NET).

.NET

// This example demonstrates how to place the client certificate in the platform-specific (Windows, Linux, ...) certificate
// store.

using System;
using OpcLabs.EasyOpc.UA;
using OpcLabs.EasyOpc.UA.Application;
using OpcLabs.EasyOpc.UA.OperationModel;

namespace UADocExamples._UAApplicationManifest
{
    class InstanceOwnStorePath
    {
        public static void PlatformSpecific()
        {
            UAEndpointDescriptor endpointDescriptor =
                "opc.tcp://opcua.demo-this.com:51210/UA/SampleServer";
            // or "http://opcua.demo-this.com:51211/UA/SampleServer" (currently not supported)
            // or "https://opcua.demo-this.com:51212/UA/SampleServer/"

            // Set the application certificate store path, which determines the location of the client certificate.
            // Note that this only works once in each host process.
            EasyUAApplication.Instance.ApplicationParameters.ApplicationManifest.InstanceOwnStorePath = "CurrentUser\\My";

            // Do something - invoke an OPC read, to trigger creation of the certificate.
            var client = new EasyUAClient();
            try
            {
                client.ReadValue(endpointDescriptor, "nsu=http://test.org/UA/Data/ ;i=10853");
            }
            catch (UAException uaException)
            {
                Console.WriteLine("*** Failure: {0}", uaException.GetBaseException().Message);
            }

            // The certificate will be located or created in the specified platform-specific certificate store.
            // On Windows, when viewed by the certmgr.msc tool, it will be under
            // Certificates - Current User -> Personal -> Certificates.

            Console.WriteLine("Finished.");
        }
    }
}

# This example demonstrates how to place the client certificate in the platform-specific (Windows, Linux, ...)
# certificate store.

# The QuickOPC package is needed. Install it using "pip install opclabs_quickopc".
import opclabs_quickopc

# Import .NET namespaces.
from OpcLabs.EasyOpc.UA import *
from OpcLabs.EasyOpc.UA.Application import *
from OpcLabs.EasyOpc.UA.OperationModel import *


endpointDescriptor = UAEndpointDescriptor('opc.tcp://opcua.demo-this.com:51210/UA/SampleServer')
# or 'http://opcua.demo-this.com:51211/UA/SampleServer' (currently not supported)
# or 'https://opcua.demo-this.com:51212/UA/SampleServer/'

# Set the application certificate store path, which determines the location of the client certificate.
# Note that this only works once in each host process.
EasyUAApplication.Instance.ApplicationParameters.ApplicationManifest.InstanceOwnStorePath = 'CurrentUser\\My'

# Do something - invoke an OPC read, to trigger creation of the certificate.
client = EasyUAClient()
try:
    value = IEasyUAClientExtension.ReadValue(client,
                                             endpointDescriptor,
                                             UANodeDescriptor('nsu=http://test.org/UA/Data/ ;i=10853'))
except UAException as uaException:
    print('*** Failure: ' + uaException.GetBaseException().Message)

# The certificate will be located or created in the specified platform-specific certificate store.
# On Windows, when viewed by the certmgr.msc tool, it will be under
# Certificates - Current User -> Personal -> Certificates.

print('Finished.')

' This example demonstrates how to place the client certificate in the platform-specific (Windows, Linux, ...) certificate store.

Imports OpcLabs.EasyOpc.UA
Imports OpcLabs.EasyOpc.UA.Application
Imports OpcLabs.EasyOpc.UA.OperationModel

Namespace _UAApplicationManifest
    Friend Class InstanceOwnStorePath
        Public Shared Sub PlatformSpecific()

            ' Define which server we will work with.
            Dim endpointDescriptor As UAEndpointDescriptor =
                    "opc.tcp://opcua.demo-this.com:51210/UA/SampleServer"
            ' or "http://opcua.demo-this.com:51211/UA/SampleServer" (currently not supported)
            ' or "https://opcua.demo-this.com:51212/UA/SampleServer/"

            ' Set the application certificate store path, which determines the location of the client certificate.
            ' Note that this only works once in each host process.
            EasyUAApplication.Instance.ApplicationParameters.ApplicationManifest.InstanceOwnStorePath = "CurrentUser\\My"

            ' Do something - invoke an OPC read, to trigger creation of the certificate.
            Dim client = New EasyUAClient()
            Try
                client.ReadValue(endpointDescriptor, "nsu=http://test.org/UA/Data/ ;i=10853")
            Catch uaException As UAException
                Console.WriteLine("*** Failure: {0}", uaException.GetBaseException.Message)
            End Try

            ' The certificate will be located or created in the specified platform-specific certificate store.
            ' On Windows, when viewed by the certmgr.msc tool, it will be under
            ' Certificates - Current User -> Personal -> Certificates.

            Console.WriteLine("Finished.")
        End Sub
    End Class
End Namespace

COM

// This example demonstrates how to place the client certificate
// in the platform-specific (Windows, Linux, ...) certificate store.

class procedure InstanceOwnStorePath.PlatformSpecific;
var
  Application: TEasyUAApplication;
  Client: OpcLabs_EasyOpcUA_TLB._EasyUAClient;
  ClientManagement: TEasyUAClientManagement;
  Value: OleVariant;
begin
  // The configuration object allows access to static behavior.
  ClientManagement := TEasyUAClientManagement.Create(nil);
  ClientManagement.Connect;

  // Obtain the application interface.
  Application := TEasyUAApplication.Create(nil);

  // Set the application certificate store path, which determines the location of the client certificate.
  // Note that this only works once in each host process.
  Application.ApplicationParameters.ApplicationManifest.InstanceOwnStorePath :=
    'CurrentUser\My';

  // Do something - invoke an OPC read, to trigger creation of the certificate.
  Client := CoEasyUAClient.Create;
  try
    Value := Client.ReadValue(
      //'http://opcua.demo-this.com:51211/UA/SampleServer',
      //'https://opcua.demo-this.com:51212/UA/SampleServer/',
      'opc.tcp://opcua.demo-this.com:51210/UA/SampleServer',
      'nsu=http://test.org/UA/Data/ ;i=10853');
  except
    on E: EOleException do
    begin
      WriteLn(Format('*** Failure: %s', [E.GetBaseException.Message]));
    end;
  end;

  // The certificate will be located or created in the specified platform-specific certificate store.
  // On Windows, when viewed by the certmgr.msc tool, it will be under
  // Certificates - Current User -> Personal -> Certificates.

  WriteLn('Finished...');

  FreeAndNil(Application);
  FreeAndNil(ClientManagement);
end;

// This example demonstrates how to place the client certificate
// in the platform-specific (Windows, Linux, ...) certificate store.


// Obtain the application interface.
$Application = new COM("OpcLabs.EasyOpc.UA.Application.EasyUAApplication");

// Set the application certificate store path, which determines the location of the client certificate.
// Note that this only works once in each host process.
$Application->ApplicationParameters->ApplicationManifest->InstanceOwnStorePath = "CurrentUser\My";

// Do something - invoke an OPC read, to trigger creation of the certificate.
$Client = new COM("OpcLabs.EasyOpc.UA.EasyUAClient");
try
{
    $value = $Client->ReadValue(
        //"http://opcua.demo-this.com:51211/UA/SampleServer", 
        "opc.tcp://opcua.demo-this.com:51210/UA/SampleServer", 
        "nsu=http://test.org/UA/Data/ ;i=10853");
}
catch (com_exception $e)
{
    printf("*** Failure: %s\n", $e->getMessage());
}

// The certificate will be located or created in the specified platform-specific certificate store.
// On Windows, when viewed by the certmgr.msc tool, it will be under
// Certificates - Current User -> Personal -> Certificates.

printf("Finished.\n");

Rem  This example demonstrates how to place the client certificate
Rem in the platform-specific (Windows, Linux, ...) certificate store.

Private Sub InstanceOwnStorePath_PlatformSpecific_Command_Click()
    OutputText = ""
    
    ' Obtain the application interface
    Dim Application As New EasyUAApplication
        
    ' Set the application certificate store path, which determines the location of the client certificate.
    ' Note that this only works once in each host process.
    Application.ApplicationParameters.ApplicationManifest.InstanceOwnStorePath = "CurrentUser\My"

    ' Do something - invoke an OPC read, to trigger creation of the certificate.
    Dim client As New EasyUAClient
    On Error Resume Next
    Dim value As Variant
    value = client.ReadValue("opc.tcp://opcua.demo-this.com:51210/UA/SampleServer", "nsu=http://test.org/UA/Data/ ;i=10853")
    If Err.Number <> 0 Then
        OutputText = OutputText & "*** Failure: " & Err.Source & ": " & Err.Description & vbCrLf
        Exit Sub
    End If
    On Error GoTo 0

    ' The certificate will be located or created in the specified platform-specific certificate store.
    ' On Windows, when viewed by the certmgr.msc tool, it will be under
    ' Certificates - Current User -> Personal -> Certificates.
    
    OutputText = OutputText & "Finished..." & vbCrLf
End Sub

Rem This example demonstrates how to place the client certificate in the platform-specific (Windows, Linux, ...) certificate 
Rem store.
Rem Note: COM is only available on Windows.

Option Explicit

WScript.Echo "Obtaining the application interface..."
Dim Application: Set Application = CreateObject("OpcLabs.EasyOpc.UA.Application.EasyUAApplication")

' Set the application certificate store path, which determines the location of the client certificate.
' Note that this only works once in each host process.
WScript.Echo "Setting the application certificate store path..."
Application.ApplicationParameters.ApplicationManifest.InstanceOwnStorePath = "CurrentUser\My"

WScript.Echo "Creating a client object..."
Dim Client: Set Client = CreateObject("OpcLabs.EasyOpc.UA.EasyUAClient")

' Do something - invoke an OPC read, to trigger some loggable entries.
WScript.Echo "Reading a value..."
On Error Resume Next
Dim value: value = Client.ReadValue("opc.tcp://opcua.demo-this.com:51210/UA/SampleServer", "nsu=http://test.org/UA/Data/ ;i=10853")
If Err.Number <> 0 Then
    WScript.Echo "*** Failure: " & Err.Source & ": " & Err.Description
    WScript.Quit
End If
On Error Goto 0

' The certificate will be located or created in the specified platform-specific certificate store.
' On Windows, when viewed by the certmgr.msc tool, it will be under
' Certificates - Current User -> Personal -> Certificates.

WScript.Echo "Finished."

Windows Certificate Stores (X509Store)

Windows has a support for certificate stores built into the operating system, and corresponding APIs and tools to access the certificate stores. On Windows, QuickOPC simply uses the mechanisms provided by Windows to support platform-specific certificate stores. For more information about Windows certificate stores, see e.g. Managing Certificates with Certificate Stores and How to Use the Certificates Console.

To manage the local computer certificates on Windows, type certlm.msc into the Windows search box, and press Enter. You will need administrative privileges to manage the local computer certificates.

To manage the certificates for the current user on Windows, type certmgr.msc into the Windows search box, and press Enter.

Note, however, that the logical store names displayed by the management console are not the same as the physical certificate store names, and that some stores may not be displayed at all.

OPC Foundation has a UA Configuration Tool which can be used to manage the certificates related to OPC UA on Windows machines (both in the directory certificate stores, and in Windows certificate stores). QuickOPC includes this tool in the Bonus Material part of its full installation for Windows. You can access the UA Configuration Tool from the Start menu (under QuickOPC program group), or using the QuickOPC Launcher application.

Linux Certificate Stores

On Linux under .NET, the platform-specific certificate stores are implemented as follow:

The certificates for the local computer are stored according to the rules valid on the particular Linux distro.
The certificates for the current user are stored using an internal .NET runtime-specific mechanism (which currently appears to be a dedicated directory under ~/.dotnet, but that is considered an implementation detail that may change in future versions).

For more information, see e.g. Provide a way for sysadmins to manage the .Net Core "My" certificate store on non-Windows platforms .

External

Managing Certificates with Certificate Stores

How to Use the Certificates Console

Provide a way for sysadmins to manage the .Net "My" certificate store on non-Windows platforms

Examples - OPC UA Administration

Examples - OPC Unified Architecture - Certificate in the platform-specific certificate store