How to:

Connect in secured mode.

To connect in secured mode, set the option securityMode in the ClientConfiguration to SecurityMode(SecurityPolicyId::Basic256Sha256, MessageSecurityMode::SignAndEncrypt).

Certificate validation rules are defined in the option certificateSettings.validationRules of the ClientConfiguration.

If the server certificate is not valid or not trusted, it is saved in the ./data/PKI/rejected folder. To trust the certificate, move it to the folder ./data/PKI/trusted/certs. If the certificate is signed by a CA, then one certificate from the chain should be placed in the ./data/PKI/trusted/certs folder, all CA certificates must be placed either in the ./data/PKI/trusted/certs or the ./data/PKI/issuer/certs folder, and all certificate revocation lists should be placed in the ./data/PKI/crl folder.

By default the SDK creates a CA certificate, signs the application instance certificate with it, and stores both in the ./data/PKI folder, relative to the working directory. Three files are required to configure the server to trust the client certificate:

  1. ./data/PKI/own/certs/ca-cert.der - CA certificate - copy it into the trusted or issuer certificates folder on the server side. Locations depend on the server. In the case of the OPC UA C++ Demo Server from Unified Automation, the default location of the trusted certificates is C:\ProgramData\UnifiedAutomation\UaCPPServer\pkiserver\trusted\certs, and of the issuers C:\ProgramData\UnifiedAutomation\UaCPPServer\pkiserver\issuers\certs.

The difference between putting the CA certificate into the trusted or the issuers list: if you put it into the trusted folder, then all certificates signed by it, directly or indirectly, will be trusted by the server. If you put it into the issuers list, the application instance certificate itself needs to be placed into the trusted list.

  2. ./data/PKI/own/certs/ca-cert.crl - revocation list for the CA certificate - for the UA Demo Server copy it to the folder C:\ProgramData\UnifiedAutomation\UaCPPServer\pkiserver\trusted\crl

  3. ./data/PKI/own/certs/public_Basic256Sha256.der - application instance certificate - if the CA certificate is in the trusted certificates folder of the server, there is no need to copy this one. If the CA certificate is in the issuers list, then copy it into the trusted certificates folder of the server (UA Demo Server: C:\ProgramData\UnifiedAutomation\UaCPPServer\pkiserver\trusted\certs).
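The trust-list rule described above (trusted folder versus issuers folder, plus the CRL), as an added example that is not the SDK's own code: a small Python model of the decision, with constructed certificate records standing in for the real DER files so it runs offline without X.509 parsing. The certificate names and thumbprints are made up for the example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Cert:
    """Stand-in for a DER file: thumbprint identifies the file, issuer names the signer."""
    thumbprint: str
    subject: str
    issuer: str  # equal to subject for a self-signed (root CA) certificate

def build_chain(leaf, trusted, issuers):
    """Walk from the leaf up to a self-signed root, taking issuer certificates from
    either folder. Returns None when a CA in the chain is in neither folder."""
    store = {c.subject: c for c in (*trusted, *issuers)}
    chain = [leaf]
    while chain[-1].issuer != chain[-1].subject:
        parent = store.get(chain[-1].issuer)
        if parent is None or parent in chain:  # missing issuer, or a loop
            return None
        chain.append(parent)
    return chain

def is_trusted(leaf, trusted, issuers, revoked):
    """The leaf itself, or any CA in its chain, must sit in the trusted folder; the
    issuers folder only completes the chain. A revoked thumbprint anywhere fails."""
    chain = build_chain(leaf, trusted, issuers)
    if chain is None or any(c.thumbprint in revoked for c in chain):
        return False
    trusted_tps = {c.thumbprint for c in trusted}
    return any(c.thumbprint in trusted_tps for c in chain)

# Constructed records standing in for ca-cert.der and public_Basic256Sha256.der.
CA = Cert("aa11", "CN=SDK Demo CA", "CN=SDK Demo CA")
APP = Cert("bb22", "CN=SDK Client", "CN=SDK Demo CA")

def placement_outcomes():
    """Trust decision for the client certificate under each placement described above."""
    return {
        "ca_in_trusted": is_trusted(APP, [CA], [], set()),                   # True
        "ca_in_issuers_only": is_trusted(APP, [], [CA], set()),              # False
        "ca_in_issuers_app_in_trusted": is_trusted(APP, [APP], [CA], set()), # True
        "app_revoked_by_crl": is_trusted(APP, [CA], [], {"bb22"}),           # False
        "ca_in_neither_folder": is_trusted(APP, [APP], [], set()),           # False
    }

if __name__ == "__main__":
    for case, ok in placement_outcomes().items():
        print(f"{case}: {'trusted' if ok else 'rejected'}")
```

Placing a CA in the trusted folder is the wider grant, since every certificate it has signed becomes acceptable, so confirm a certificate's thumbprint with the peer's operator before moving it out of ./data/PKI/rejected.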