QuickOPC User's Guide and Reference
OPC UA Platform-specific Certificate Stores

The platform-specific certificate stores are implemented and maintained by the operating system or the runtime. As explained in OPC UA Certificate Stores, you select a platform-specific certificate store by starting the certificate store path with either "LocalMachine\" or "CurrentUser\".

The store name (for example "My") follows the prefix.
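The following is an added example (not code from QuickOPC or from the original page) that shows how such a store path is interpreted in plain .NET: it splits "LocalMachine\<store>" or "CurrentUser\<store>" into a StoreLocation and a store name, opens that store read-only through the System.Security.Cryptography.X509Certificates.X509Store API (the Windows-provided mechanism the page says QuickOPC relies on), and lists what is inside. The class name StorePathInspector and the methods Parse and ListCertificates are names chosen for this example, not QuickOPC API. Rejecting unknown prefixes instead of defaulting to a location, and opening with OpenExistingOnly instead of letting the API create a store, are the two checks a reviewer would want to see around certificate-store code.

```csharp
// Added example, not part of QuickOPC or the original page: resolves a platform-specific
// certificate store path ("LocalMachine\<store>" or "CurrentUser\<store>"), opens that store
// read-only through the .NET X509Store API, and lists the certificates found in it.
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

static class StorePathInspector
{
    // Splits "CurrentUser\My" into (StoreLocation.CurrentUser, "My").
    // Paths that are not platform-specific store paths (for example directory store paths)
    // are rejected explicitly, so a caller never silently falls back to the wrong store.
    public static (StoreLocation Location, string StoreName) Parse(string storePath)
    {
        if (storePath is null) throw new ArgumentNullException(nameof(storePath));

        int separator = storePath.IndexOf('\\');
        if (separator <= 0 || separator == storePath.Length - 1)
            throw new ArgumentException(
                "Expected \"LocalMachine\\<store>\" or \"CurrentUser\\<store>\".", nameof(storePath));

        string prefix = storePath.Substring(0, separator);
        string storeName = storePath.Substring(separator + 1);

        StoreLocation location = prefix switch
        {
            "LocalMachine" => StoreLocation.LocalMachine,
            "CurrentUser" => StoreLocation.CurrentUser,
            _ => throw new ArgumentException(
                $"Unknown store location prefix \"{prefix}\".", nameof(storePath)),
        };
        return (location, storeName);
    }

    // Opens the store read-only and returns one descriptive line per certificate.
    // OpenExistingOnly turns a missing store into an error instead of creating an empty one.
    public static string[] ListCertificates(string storePath)
    {
        var (location, storeName) = Parse(storePath);
        using var store = new X509Store(storeName, location);
        store.Open(OpenFlags.ReadOnly | OpenFlags.OpenExistingOnly);

        var lines = new string[store.Certificates.Count];
        for (int i = 0; i < lines.Length; i++)
        {
            X509Certificate2 cert = store.Certificates[i];
            lines[i] = $"{cert.Subject}; thumbprint={cert.Thumbprint}; " +
                       $"expires={cert.NotAfter:u}; privateKey={cert.HasPrivateKey}";
        }
        return lines;
    }

    static void Main(string[] args)
    {
        // "CurrentUser\My" is the store path used by the examples on this page; on Windows,
        // certmgr.msc displays it as "Personal". Pass another path as the first argument
        // to inspect a different store (LocalMachine stores need administrative privileges).
        string storePath = args.Length > 0 ? args[0] : "CurrentUser\\My";
        try
        {
            foreach (string line in ListCertificates(storePath))
                Console.WriteLine(line);
        }
        catch (Exception ex) when (ex is ArgumentException || ex is CryptographicException)
        {
            Console.WriteLine("*** Failure: {0}", ex.Message);
        }
    }
}
```

Running it after the page's .NET or COM example has completed shows the client certificate that QuickOPC located or created in "CurrentUser\My", including whether the private key is present, which is the property an OPC UA client certificate must have to be usable.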

Some older code or documentation might use the term "Windows certificate store" for certificate stores that can, in fact, now also be implemented on other platforms, such as Linux or macOS. This is due to the Windows origins of such code or documentation. As QuickOPC now supports multiple development platforms and operating systems, in new documents we consistently use the term "platform-specific certificate store" wherever we refer to the general platform-provided certificate store concept. In new documents, we use the term "Windows certificate store" only to refer to the specific implementation of the platform-specific certificate store on the Windows operating system. Similarly, we would use "Linux certificate store" to refer to a platform-specific certificate store as implemented on Linux (which may differ by the particular .NET runtime, e.g. .NET Framework vs .NET).


.NET

// This example demonstrates how to place the client certificate in the platform-specific (Windows, Linux, ...) certificate
// store.

using System;
using OpcLabs.EasyOpc.UA;
using OpcLabs.EasyOpc.UA.Application;
using OpcLabs.EasyOpc.UA.OperationModel;

namespace UADocExamples._UAApplicationManifest
{
    class InstanceOwnStorePath
    {
        public static void PlatformSpecific()
        {
            UAEndpointDescriptor endpointDescriptor =
                "opc.tcp://opcua.demo-this.com:51210/UA/SampleServer";
            // or "http://opcua.demo-this.com:51211/UA/SampleServer" (currently not supported)
            // or "https://opcua.demo-this.com:51212/UA/SampleServer/"

            // Set the application certificate store path, which determines the location of the client certificate.
            // Note that this only works once in each host process.
            EasyUAApplication.Instance.ApplicationParameters.ApplicationManifest.InstanceOwnStorePath = "CurrentUser\\My";

            // Do something - invoke an OPC read, to trigger creation of the certificate.
            var client = new EasyUAClient();
            try
            {
                client.ReadValue(endpointDescriptor, "nsu=http://test.org/UA/Data/ ;i=10853");
            }
            catch (UAException uaException)
            {
                Console.WriteLine("*** Failure: {0}", uaException.GetBaseException().Message);
            }

            // The certificate will be located or created in the specified platform-specific certificate store.
            // On Windows, when viewed by the certmgr.msc tool, it will be under
            // Certificates - Current User -> Personal -> Certificates.

            Console.WriteLine("Finished.");
        }
    }
}

COM

// This example demonstrates how to place the client certificate
// in the platform-specific (Windows, Linux, ...) certificate store.

class procedure InstanceOwnStorePath.PlatformSpecific;
var
  Application: TEasyUAApplication;
  Client: OpcLabs_EasyOpcUA_TLB._EasyUAClient;
  ClientManagement: TEasyUAClientManagement;
  Value: OleVariant;
begin
  // The configuration object allows access to static behavior.
  ClientManagement := TEasyUAClientManagement.Create(nil);
  ClientManagement.Connect;

  // Obtain the application interface.
  Application := TEasyUAApplication.Create(nil);

  // Set the application certificate store path, which determines the location of the client certificate.
  // Note that this only works once in each host process.
  Application.ApplicationParameters.ApplicationManifest.InstanceOwnStorePath :=
    'CurrentUser\My';

  // Do something - invoke an OPC read, to trigger creation of the certificate.
  Client := CoEasyUAClient.Create;
  try
    Value := Client.ReadValue(
      //'http://opcua.demo-this.com:51211/UA/SampleServer',
      //'https://opcua.demo-this.com:51212/UA/SampleServer/',
      'opc.tcp://opcua.demo-this.com:51210/UA/SampleServer',
      'nsu=http://test.org/UA/Data/ ;i=10853');
  except
    on E: EOleException do
    begin
      WriteLn(Format('*** Failure: %s', [E.GetBaseException.Message]));
    end;
  end;

  // The certificate will be located or created in the specified platform-specific certificate store.
  // On Windows, when viewed by the certmgr.msc tool, it will be under
  // Certificates - Current User -> Personal -> Certificates.

  WriteLn('Finished...');

  FreeAndNil(Application);
  FreeAndNil(ClientManagement);
end;


Windows Certificate Stores (X509Store)

Windows has support for certificate stores built into the operating system, together with APIs and tools to access them. On Windows, QuickOPC simply uses the mechanisms provided by Windows to implement platform-specific certificate stores. For more information about Windows certificate stores, see e.g. Managing Certificates with Certificate Stores and How to Use the Certificates Console.

To manage the local computer certificates on Windows, type certlm.msc into the Windows search box, and press Enter. You will need administrative privileges to manage the local computer certificates.

To manage the certificates for the current user on Windows, type certmgr.msc into the Windows search box, and press Enter.

Note, however, that the logical store names displayed by the management console (such as "Personal") are not the same as the physical certificate store names used in store paths (such as "My"), and that some stores may not be displayed at all.

OPC Foundation has a UA Configuration Tool which can be used to manage the certificates related to OPC UA on Windows machines (both in the directory certificate stores, and in Windows certificate stores). QuickOPC includes this tool in the Bonus Material part of its full installation for Windows. You can access the UA Configuration Tool from the Start menu (under QuickOPC program group), or using the QuickOPC Launcher application.

Linux Certificate Stores

On Linux under .NET, the platform-specific certificate stores are implemented as follows:

For more information, see e.g. Provide a way for sysadmins to manage the .Net Core "My" certificate store on non-Windows platforms.

See Also

External

Examples - OPC UA Administration