Application Certificate for OPC UA Source Systems

Use

X.509 V3 Certificates for a Secure Connection

To set up a secure connection, you must have selected the security mode Sign or SignAndEncrypt for the endpoint. In this case, PCo requires a valid X.509 v3 certificate. This certificate can either be self-signed, or its validity must be vouched for by a trusted certification authority (CA).

You can generate a self-signed certificate directly in the application and have it assigned automatically. Such self-signed certificates are stored, together with their private key, as application certificates in the Microsoft certificate store. You decide whether the certificate is stored under current user or under local computer in the certificate store, and within that store you can also select the folder. For more information, see Generate and Assign a Self-Signed Certificate.

In both cases, the service user under whose account the OPC UA agent instance runs must be able to access the private key.

The certificate needs to enable the following usages:

  • digitalSignature

  • nonRepudiation

  • keyEncipherment

  • dataEncipherment

If you generate the certificates yourself, a URI that identifies the application should additionally be included in the Subject Alternative Name field of the certificate.
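The following checker, added here as an example and not part of PCo or of the SAP documentation, verifies that a certificate meets the requirements listed above (X.509 v3, the four key usages, and an application URI in the Subject Alternative Name). It uses the `cryptography` package; the self-signed certificate it builds, its common name and the application URI are constructed sample values.

```python
"""Check an OPC UA application certificate against the requirements above:
X.509 v3, the four key usages and an application URI in the SAN.
Added example using the 'cryptography' package (pip install cryptography)."""
import datetime
from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.x509.oid import ExtensionOID, NameOID


def check_application_certificate(cert: x509.Certificate) -> list[str]:
    """Return the list of problems found; an empty list means the certificate is usable."""
    problems = []
    if cert.version != x509.Version.v3:
        problems.append("certificate is not X.509 v3")
    try:
        ku = cert.extensions.get_extension_for_oid(ExtensionOID.KEY_USAGE).value
        # nonRepudiation is called content_commitment in RFC 5280 and in this library
        required = {"digitalSignature": ku.digital_signature,
                    "nonRepudiation": ku.content_commitment,
                    "keyEncipherment": ku.key_encipherment,
                    "dataEncipherment": ku.data_encipherment}
        problems += [f"key usage {n} not enabled" for n, on in required.items() if not on]
    except x509.ExtensionNotFound:
        problems.append("no Key Usage extension")
    try:
        san = cert.extensions.get_extension_for_oid(ExtensionOID.SUBJECT_ALTERNATIVE_NAME).value
        if not san.get_values_for_type(x509.UniformResourceIdentifier):
            problems.append("Subject Alternative Name carries no application URI")
    except x509.ExtensionNotFound:
        problems.append("no Subject Alternative Name extension")
    return problems


def make_self_signed(app_uri: str, with_usage: bool = True) -> x509.Certificate:
    """Build a constructed self-signed application certificate (sample values only)."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "PCoOpcUaAgent")])
    now = datetime.datetime.now(datetime.timezone.utc)
    builder = (x509.CertificateBuilder().subject_name(name).issuer_name(name)
               .public_key(key.public_key()).serial_number(x509.random_serial_number())
               .not_valid_before(now).not_valid_after(now + datetime.timedelta(days=365))
               .add_extension(x509.SubjectAlternativeName(
                   [x509.UniformResourceIdentifier(app_uri)]), critical=False))
    if with_usage:  # omit the extension to see the checker report it
        builder = builder.add_extension(x509.KeyUsage(
            digital_signature=True, content_commitment=True, key_encipherment=True,
            data_encipherment=True, key_agreement=False, key_cert_sign=False,
            crl_sign=False, encipher_only=False, decipher_only=False), critical=True)
    return builder.sign(key, hashes.SHA256())
```

To check a certificate already in the store, export it as DER or PEM and load it with `x509.load_der_x509_certificate` or `x509.load_pem_x509_certificate` before calling the checker.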

Further Information

For more information, see https://opcfoundation.org/developer-tools/specifications-unified-architecture (information published on a non-SAP site), Part 6: Mapping, Version 1.03, Section 6.2.2 (Table 23).