certificate folders for a server

Unified Architecture topics related to OPC UA Specification, compliant behavior and any technical issues of OPC UA, like Security, Information Model, Companion Specs DI, PLCopen, ADI, ...

Moderator: Support Team

Post Reply
tjohnston
Jr. Member
Jr. Member
Posts: 1
Joined: 19 Nov 2020, 16:01

certificate folders for a server

Post by tjohnston »

I have a server based on the server_cpp_demo example project in the cppsdkbundle. I changed it to use certificate-based authentication. I am manually configuring the client certificates with the server. I'll use the LDS server after i have this working.

I don't understand a behavior that I see. I can create a certificate using the UaExpert Manage Certificates dialog and copy the .der file to the server at locations [ConfigPath]/pkiuser/trusted/certs/ and also into folder [ConfigPath]/pkiserver/trusted/certs/. This configuration works.

But if I remove the .DER file from either one of those folders, authentication does not work. it must be in both folders for the client to authenticate.

I don't expect the server to require the same cert in two folders. What am i missing?

Note that in the future I plan to push certificates onto the server using GDS.

User avatar
Support Team
Hero Member
Hero Member
Posts: 2679
Joined: 18 Mar 2011, 15:09

Re: certificate folders for a server

Post by Support Team »

Hi tjohnston,

there are 2 different certificates stores you mentioned here:
/pkiserver/trusted/certs:
This is the store where you trust ApplicationInstance Certificates. So any UA Client that wants to connect with security needs to be trusted in that store.

/pkiuser/trusted/certs:
This is the store to trust used certificates. That means a client can have different users that authenticate. In this step the user gets one or more Roles assigned. A Role defines the permissions a user has for certain operations (e.g. Browse, Read, Write, ..). To authenticate UA defines different types of Tokens e.g. Username/Passwort, Certificate, issue token.

As long as you don't use user authentication you just need to put the UaExpert certificate in the /pkiserver/trusted/certs store.
Best regards
Unified Automation Support Team

Post Reply