OPC UA uses X.509 certificates to authenticate applications (both client and server): each application holds its own certificate, and trust is established mutually through the exchange that happens during the SecureChannel handshake.
True
Each OPC UA application owns an Application Instance Certificate together with its private key. During the SecureChannel handshake the client presents its certificate, the server presents its own, and each side checks the other against its local Trust List (accepted certificates) and Rejected List (explicitly refused certificates). The first connection attempt from a new client typically fails with BadCertificateUntrusted; the administrator then moves the certificate from the Rejected to the Trusted folder and the second attempt succeeds. This two-way model means there is no central authority required for small deployments.
Always export the server certificate fingerprint from the engineering tool and verify it on the device front panel before approving trust: approving a certificate without checking its fingerprint defeats the whole mutual-authentication design.
Related questions
- OPC UA supports two communication patterns: Client/Server (the classic Request/Response model) and Pub/Sub (publish/subscribe over MQTT or UDP multicast/unicast), the latter introduced in version 1.04 to address Industrie 4.0 use cases. (1. Architecture · Client/Server vs. Pub/Sub)
- The OPC UA Address Space is a hierarchical structure of Nodes linked by typed References (HasComponent, HasProperty, HasTypeDefinition, etc.), exposed as a graph that clients can walk through the Browse service. (1. Architecture · Address Space)
- The main OPC UA Service Sets are: Discovery, SecureChannel, Session, NodeManagement, View, Query, Attribute (Read/Write), MonitoredItem, Subscription, and Method (Call). (3. Services · Main Service Sets)
- OPC UA separates Application authentication (the client/server X.509 certificate) from User authentication (the actual end-user login), which can be Anonymous, Username/Password, or User Certificate. (4. Security · User Authentication)
- PA-DIM (Process Automation Device Information Model) is an OPC UA Companion Specification for process transmitters (temperature, pressure, flow, level), standardising 70+ parameters that are read identically on Endress+Hauser, Yokogawa, Siemens and ABB devices. (6. Companion Specs · PA-DIM)