Liability of Application Instance Certificates

Unified Architecture topics related to OPC UA Specification, compliant behavior and any technical issues of OPC UA, like Security, Information Model, Companion Specs DI, PLCopen, ADI, ...

Moderator: Support Team

Post Reply
Jr. Member
Jr. Member
Posts: 1
Joined: 27 Feb 2020, 10:16

Liability of Application Instance Certificates

Post by RST »

Dear Support Team,

the term Application Instance Certificate suggests that by the use of this kind of certificate it can be guaranteed that only a single instance of an application can for example connect to an OPC UA server who trusts this certificate. But actually any application knowing this certificate could use it to establish a secure channel. To my knowledge, there is no mechanism that would check for agreement of the application described by the certificate and the one using it. One example is UaExpert where it is possible to exchange the own certificate by any self or CA signed certificate as long as it defines an ApplicationURI. Even the host can differ.

My first impression was that the maximum number of OPC UA clients to an OPC UA server could be technically restricted by using Application Instance Certificates. But this additionally requires secret keeping and discipline. Is this true or am I missing something?


User avatar
Support Team
Hero Member
Hero Member
Posts: 2666
Joined: 18 Mar 2011, 15:09

Re: Liability of Application Instance Certificates

Post by Support Team »


even though I thought this thread was answered already, the anwer is missing now. I will answer again.

your assumption is wrong and you are missing quite a bit here. You can use application instance certificates (like passport for humans) to control who can access your server and who can not. Of course you must ensure that your passport does not get stolen and reused by someone else to cross the border. Therefore you must carefully protect your private key (that is why it is called "private"). Such private key must be stored in access protected area (might be protected file system, certificate store, or some secure element or TPM module).

The UaExpert is a test tool and was designed to reuse certificates. UaExpert stores the certificate in "protected" area in file system where only UaExpert's user has access permission. However if you have root access to the file system, you probably can access (or destroy anything else on the computer), hence you should configure your PC correctly. The private key can be stored encrypted and pwd protected, so even when got stolen is of no use.

If your server trusts a CA, it will automatically trust all certificates that this CA has signed, that means the CA controls who has access, not the server. If the server should have control, the server must trust individually, each (self signed) client certificate separately.

The number of connections (clients) a server allows in parallel, can be controlled by the number of "sessions", which is a configuration parameter in the server, but has nothing to do with certificates and trust relations.
Best regards
Unified Automation Support Team

Post Reply