OPC UA Certificate Management
OPC UA secures communication between the client and the server by verifying the certificates exchanged when a connection is established. A certificate consists of a private key, held by the owner; a public key, shared with communication partners; and a password that unlocks the private key. If a certificate is compromised in any way (for example, if its private key is exposed to an unknown party), you can place the certificate in a revocation list so that servers know not to trust clients that present it.
To ensure that only authorized clients can connect to an OPC UA server, the server administrator might require that any client attempting to connect pre-share its Client Application Instance Certificate before a connection can be established. If this option is used, you must export the client public key so that the administrator can store it in the trust list for the server.
Industrial Communication Toolbox™ automatically generates a user-specific application instance client certificate when you first call opcuaserverinfo or construct an OPC UA client with opcua. Use exportClientCertificate to copy the client application certificate to a file for sharing with server administrators. Before connecting your OPC UA client to a server with connect, ensure that the client application certificate is in the trust store of the OPC UA server.
Before R2025a, the toolbox generated a machine-specific application instance client certificate rather than a user-specific one.
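The workflow above as a MATLAB script (an added example, not code from the toolbox documentation): construct the client, export its certificate for the server administrator, print a fingerprint of the exported file that the administrator can verify out of band, then attempt the connection. It assumes a server at localhost:4840, an output file name of your choosing, and that exportClientCertificate accepts a destination file name.

```matlab
% Added example (not from the toolbox documentation): create an OPC UA
% client, export its application instance certificate for the server
% administrator, and attempt to connect once the certificate is trusted.
% Assumptions: the server listens at localhost:4840, and
% exportClientCertificate accepts a destination file name.

serverHost = 'localhost';                           % assumed server address
serverPort = 4840;                                  % assumed endpoint port
certFile   = fullfile(pwd, 'client_app_cert.der');  % assumed output name

% Constructing the client triggers generation of the user-specific
% application instance certificate if one does not exist yet.
uaClient = opcua(serverHost, serverPort);

% Export the client's public certificate to a file for the administrator.
exportClientCertificate(certFile);

% Print a SHA-256 fingerprint of the exported file so the administrator can
% confirm out of band that the file added to the trust list is the one this
% client exported (uses the JVM bundled with MATLAB).
fprintf('Certificate exported to %s\nSHA-256: %s\n', certFile, fileSha256(certFile));

% Connecting succeeds only after the administrator has added the certificate
% to the server trust list; report the failure instead of surfacing an
% unhandled error.
try
    connect(uaClient);
    if uaClient.isConnected
        disp('Connected: the client certificate is trusted by the server.');
    end
catch err
    fprintf('Connection failed: %s\n', err.message);
    fprintf('Ask the server administrator to add %s to the trust list.\n', certFile);
end

% Local helper: SHA-256 hex digest of a file's bytes.
function hexDigest = fileSha256(filePath)
    fid = fopen(filePath, 'r');
    if fid < 0
        error('Cannot open %s', filePath);
    end
    bytes = fread(fid, '*uint8');
    fclose(fid);
    md = java.security.MessageDigest.getInstance('SHA-256');
    md.update(typecast(bytes, 'int8'));   % Java byte[] is signed
    hexDigest = lower(sprintf('%02x', typecast(md.digest(), 'uint8')));
end
```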
Note for Administrators
Currently, you cannot replace the Client Application Instance Certificate for Industrial Communication Toolbox.