certificate folders for a server

Unified Architecture topics related to OPC UA Specification, compliant behavior and any technical issues of OPC UA, like Security, Information Model, Companion Specs DI, PLCopen, ADI, ...

Moderator: Support Team

Post Reply
Jr. Member
Jr. Member
Posts: 1
Joined: 19 Nov 2020, 16:01

certificate folders for a server

Post by tjohnston »

I have a server based on the server_cpp_demo example project in the cppsdkbundle. I changed it to use certificate-based authentication. I am manually configuring the client certificates with the server. I'll use the LDS server after i have this working.

I don't understand a behavior that I see. I can create a certificate using the UaExpert Manage Certificates dialog and copy the .der file to the server at locations [ConfigPath]/pkiuser/trusted/certs/ and also into folder [ConfigPath]/pkiserver/trusted/certs/. This configuration works.

But if I remove the .DER file from either one of those folders, authentication does not work. it must be in both folders for the client to authenticate.

I don't expect the server to require the same cert in two folders. What am i missing?

Note that in the future I plan to push certificates onto the server using GDS.

User avatar
Support Team
Hero Member
Hero Member
Posts: 2607
Joined: 18 Mar 2011, 15:09

Re: certificate folders for a server

Post by Support Team »

Hi tjohnston,

there are 2 different certificates stores you mentioned here:
This is the store where you trust ApplicationInstance Certificates. So any UA Client that wants to connect with security needs to be trusted in that store.

This is the store to trust used certificates. That means a client can have different users that authenticate. In this step the user gets one or more Roles assigned. A Role defines the permissions a user has for certain operations (e.g. Browse, Read, Write, ..). To authenticate UA defines different types of Tokens e.g. Username/Passwort, Certificate, issue token.

As long as you don't use user authentication you just need to put the UaExpert certificate in the /pkiserver/trusted/certs store.
Best regards
Unified Automation Support Team

Post Reply