The platform-specific certificate stores are implemented and maintained by the operating system or the runtime. As explained in OPC UA Certificate Stores, you specify a platform-specific certificate store by starting the certificate store path with either "LocalMachine\" or "CurrentUser\".
- If the string starts with "LocalMachine\" (case insensitive), it denotes a platform-specific certificate store for the local computer. Commonly used examples are: "LocalMachine\My", "LocalMachine\UA Applications" or "LocalMachine\UA Certificate Authorities".
- If the string starts with "CurrentUser\" (case insensitive), it denotes a platform-specific certificate store for the current user. Commonly used examples are: "CurrentUser\My" or "CurrentUser\Root".
The store name follows the prefix.
Some older code or documentation might use the term "Windows certificate store" for certificate stores that can, in fact, now also be implemented on other platforms, such as Linux or macOS. This is due to the Windows origins of such code or documentation. As QuickOPC now supports multiple development platforms and operating systems, in new documents we consistently use the term "platform-specific certificate store" wherever we refer to the general concept of a platform-provided certificate store. In new documents, we use the term "Windows certificate store" only to refer to the specific implementation of the platform-specific certificate store on the Windows operating system. Similarly, we would use "Linux certificate store" to refer to a platform-specific certificate store as it is implemented on Linux (which may differ by the particular .NET runtime, e.g. .NET Framework vs .NET).
.NET
// This example demonstrates how to place the client certificate in the platform-specific (Windows, Linux, ...) certificate
// store.
using System;
using OpcLabs.EasyOpc.UA;
using OpcLabs.EasyOpc.UA.Application;
using OpcLabs.EasyOpc.UA.OperationModel;

namespace UADocExamples._UAApplicationManifest
{
    class InstanceOwnStorePath
    {
        public static void PlatformSpecific()
        {
            UAEndpointDescriptor endpointDescriptor =
                "opc.tcp://opcua.demo-this.com:51210/UA/SampleServer";
            // or "http://opcua.demo-this.com:51211/UA/SampleServer" (currently not supported)
            // or "https://opcua.demo-this.com:51212/UA/SampleServer/"

            // Set the application certificate store path, which determines the location of the client certificate.
            // Note that this only works once in each host process.
            EasyUAApplication.Instance.ApplicationParameters.ApplicationManifest.InstanceOwnStorePath = "CurrentUser\\My";

            // Do something - invoke an OPC read, to trigger creation of the certificate.
            var client = new EasyUAClient();
            try
            {
                client.ReadValue(endpointDescriptor, "nsu=http://test.org/UA/Data/ ;i=10853");
            }
            catch (UAException uaException)
            {
                Console.WriteLine("*** Failure: {0}", uaException.GetBaseException().Message);
            }

            // The certificate will be located or created in the specified platform-specific certificate store.
            // On Windows, when viewed by the certmgr.msc tool, it will be under
            // Certificates - Current User -> Personal -> Certificates.
            Console.WriteLine("Finished.");
        }
    }
}
# This example demonstrates how to place the client certificate in the platform-specific (Windows, Linux, ...)
# certificate store.
# The QuickOPC package is needed. Install it using "pip install opclabs_quickopc".
import opclabs_quickopc
# Import .NET namespaces.
from OpcLabs.EasyOpc.UA import *
from OpcLabs.EasyOpc.UA.Application import *
from OpcLabs.EasyOpc.UA.OperationModel import *
endpointDescriptor = UAEndpointDescriptor('opc.tcp://opcua.demo-this.com:51210/UA/SampleServer')
# or 'http://opcua.demo-this.com:51211/UA/SampleServer' (currently not supported)
# or 'https://opcua.demo-this.com:51212/UA/SampleServer/'
# Set the application certificate store path, which determines the location of the client certificate.
# Note that this only works once in each host process.
EasyUAApplication.Instance.ApplicationParameters.ApplicationManifest.InstanceOwnStorePath = 'CurrentUser\\My'
# Do something - invoke an OPC read, to trigger creation of the certificate.
client = EasyUAClient()
try:
    value = IEasyUAClientExtension.ReadValue(client,
                                             endpointDescriptor,
                                             UANodeDescriptor('nsu=http://test.org/UA/Data/ ;i=10853'))
except UAException as uaException:
    print('*** Failure: ' + uaException.GetBaseException().Message)
# The certificate will be located or created in the specified platform-specific certificate store.
# On Windows, when viewed by the certmgr.msc tool, it will be under
# Certificates - Current User -> Personal -> Certificates.
print('Finished.')
' This example demonstrates how to place the client certificate in the platform-specific (Windows, Linux, ...) certificate store.
Imports System
Imports OpcLabs.EasyOpc.UA
Imports OpcLabs.EasyOpc.UA.Application
Imports OpcLabs.EasyOpc.UA.OperationModel

Namespace _UAApplicationManifest
    Friend Class InstanceOwnStorePath
        Public Shared Sub PlatformSpecific()
            ' Define which server we will work with.
            Dim endpointDescriptor As UAEndpointDescriptor =
                "opc.tcp://opcua.demo-this.com:51210/UA/SampleServer"
            ' or "http://opcua.demo-this.com:51211/UA/SampleServer" (currently not supported)
            ' or "https://opcua.demo-this.com:51212/UA/SampleServer/"

            ' Set the application certificate store path, which determines the location of the client certificate.
            ' Note that this only works once in each host process.
            ' (Visual Basic string literals do not use backslash escapes, so a single backslash is written.)
            EasyUAApplication.Instance.ApplicationParameters.ApplicationManifest.InstanceOwnStorePath = "CurrentUser\My"

            ' Do something - invoke an OPC read, to trigger creation of the certificate.
            Dim client = New EasyUAClient()
            Try
                client.ReadValue(endpointDescriptor, "nsu=http://test.org/UA/Data/ ;i=10853")
            Catch uaException As UAException
                Console.WriteLine("*** Failure: {0}", uaException.GetBaseException.Message)
            End Try

            ' The certificate will be located or created in the specified platform-specific certificate store.
            ' On Windows, when viewed by the certmgr.msc tool, it will be under
            ' Certificates - Current User -> Personal -> Certificates.
            Console.WriteLine("Finished.")
        End Sub
    End Class
End Namespace
COM
// This example demonstrates how to place the client certificate
// in the platform-specific (Windows, Linux, ...) certificate store.
class procedure InstanceOwnStorePath.PlatformSpecific;
var
  Application: TEasyUAApplication;
  Client: OpcLabs_EasyOpcUA_TLB._EasyUAClient;
  ClientManagement: TEasyUAClientManagement;
  Value: OleVariant;
begin
  // The configuration object allows access to static behavior.
  ClientManagement := TEasyUAClientManagement.Create(nil);
  ClientManagement.Connect;

  // Obtain the application interface.
  Application := TEasyUAApplication.Create(nil);

  // Set the application certificate store path, which determines the location of the client certificate.
  // Note that this only works once in each host process.
  Application.ApplicationParameters.ApplicationManifest.InstanceOwnStorePath :=
    'CurrentUser\My';

  // Do something - invoke an OPC read, to trigger creation of the certificate.
  Client := CoEasyUAClient.Create;
  try
    Value := Client.ReadValue(
      //'http://opcua.demo-this.com:51211/UA/SampleServer',
      //'https://opcua.demo-this.com:51212/UA/SampleServer/',
      'opc.tcp://opcua.demo-this.com:51210/UA/SampleServer',
      'nsu=http://test.org/UA/Data/ ;i=10853');
  except
    on E: EOleException do
    begin
      WriteLn(Format('*** Failure: %s', [E.GetBaseException.Message]));
    end;
  end;

  // The certificate will be located or created in the specified platform-specific certificate store.
  // On Windows, when viewed by the certmgr.msc tool, it will be under
  // Certificates - Current User -> Personal -> Certificates.
  WriteLn('Finished...');

  FreeAndNil(Application);
  FreeAndNil(ClientManagement);
end;
// This example demonstrates how to place the client certificate
// in the platform-specific (Windows, Linux, ...) certificate store.

// Obtain the application interface.
$Application = new COM("OpcLabs.EasyOpc.UA.Application.EasyUAApplication");

// Set the application certificate store path, which determines the location of the client certificate.
// Note that this only works once in each host process.
$Application->ApplicationParameters->ApplicationManifest->InstanceOwnStorePath = "CurrentUser\My";

// Do something - invoke an OPC read, to trigger creation of the certificate.
$Client = new COM("OpcLabs.EasyOpc.UA.EasyUAClient");
try
{
    $value = $Client->ReadValue(
        //"http://opcua.demo-this.com:51211/UA/SampleServer",
        "opc.tcp://opcua.demo-this.com:51210/UA/SampleServer",
        "nsu=http://test.org/UA/Data/ ;i=10853");
}
catch (com_exception $e)
{
    printf("*** Failure: %s\n", $e->getMessage());
}

// The certificate will be located or created in the specified platform-specific certificate store.
// On Windows, when viewed by the certmgr.msc tool, it will be under
// Certificates - Current User -> Personal -> Certificates.
printf("Finished.\n");
Rem This example demonstrates how to place the client certificate
Rem in the platform-specific (Windows, Linux, ...) certificate store.
Private Sub InstanceOwnStorePath_PlatformSpecific_Command_Click()
    OutputText = ""

    ' Obtain the application interface
    Dim Application As New EasyUAApplication

    ' Set the application certificate store path, which determines the location of the client certificate.
    ' Note that this only works once in each host process.
    Application.ApplicationParameters.ApplicationManifest.InstanceOwnStorePath = "CurrentUser\My"

    ' Do something - invoke an OPC read, to trigger creation of the certificate.
    Dim client As New EasyUAClient
    On Error Resume Next
    Dim value As Variant
    value = client.ReadValue("opc.tcp://opcua.demo-this.com:51210/UA/SampleServer", "nsu=http://test.org/UA/Data/ ;i=10853")
    If Err.Number <> 0 Then
        OutputText = OutputText & "*** Failure: " & Err.Source & ": " & Err.Description & vbCrLf
        Exit Sub
    End If
    On Error GoTo 0

    ' The certificate will be located or created in the specified platform-specific certificate store.
    ' On Windows, when viewed by the certmgr.msc tool, it will be under
    ' Certificates - Current User -> Personal -> Certificates.
    OutputText = OutputText & "Finished..." & vbCrLf
End Sub
Rem This example demonstrates how to place the client certificate in the platform-specific (Windows, Linux, ...) certificate
Rem store.
Rem Note: COM is only available on Windows.
Option Explicit

WScript.Echo "Obtaining the application interface..."
Dim Application: Set Application = CreateObject("OpcLabs.EasyOpc.UA.Application.EasyUAApplication")

' Set the application certificate store path, which determines the location of the client certificate.
' Note that this only works once in each host process.
WScript.Echo "Setting the application certificate store path..."
Application.ApplicationParameters.ApplicationManifest.InstanceOwnStorePath = "CurrentUser\My"

WScript.Echo "Creating a client object..."
Dim Client: Set Client = CreateObject("OpcLabs.EasyOpc.UA.EasyUAClient")

' Do something - invoke an OPC read, to trigger creation of the certificate.
WScript.Echo "Reading a value..."
On Error Resume Next
Dim value: value = Client.ReadValue("opc.tcp://opcua.demo-this.com:51210/UA/SampleServer", "nsu=http://test.org/UA/Data/ ;i=10853")
If Err.Number <> 0 Then
    WScript.Echo "*** Failure: " & Err.Source & ": " & Err.Description
    WScript.Quit
End If
On Error Goto 0

' The certificate will be located or created in the specified platform-specific certificate store.
' On Windows, when viewed by the certmgr.msc tool, it will be under
' Certificates - Current User -> Personal -> Certificates.
WScript.Echo "Finished."
Windows Certificate Stores (X509Store)
Windows has support for certificate stores built into the operating system, along with corresponding APIs and tools to access them. On Windows, QuickOPC simply uses the mechanisms provided by Windows to support platform-specific certificate stores. For more information about Windows certificate stores, see e.g. Managing Certificates with Certificate Stores and How to Use the Certificates Console.
To manage the local computer certificates on Windows, type certlm.msc into the Windows search box, and press Enter. You will need administrative privileges to manage the local computer certificates.
To manage the certificates for the current user on Windows, type certmgr.msc into the Windows search box, and press Enter.
Note, however, that the logical store names displayed by the management console are not the same as the physical certificate store names, and that some stores may not be displayed at all.
OPC Foundation has a UA Configuration Tool which can be used to manage the certificates related to OPC UA on Windows machines (both in the directory certificate stores, and in Windows certificate stores). QuickOPC includes this tool in the Bonus Material part of its full installation for Windows. You can access the UA Configuration Tool from the Start menu (under QuickOPC program group), or using the QuickOPC Launcher application.
Linux Certificate Stores
On Linux under .NET, the platform-specific certificate stores are implemented as follows:
- The certificates for the local computer are stored according to the rules valid on the particular Linux distro.
- The certificates for the current user are stored using an internal .NET runtime-specific mechanism (which currently appears to be a dedicated directory under ~/.dotnet, but that is considered an implementation detail that may change in future versions).
For more information, see e.g. Provide a way for sysadmins to manage the .Net Core "My" certificate store on non-Windows platforms.
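To confirm what actually landed in a platform-specific store, on Windows or on Linux under .NET, the store can be opened read-only through the .NET X509Store class using the same "LocalMachine\..." / "CurrentUser\..." path. The following is an added example, not QuickOPC code; the class name StoreInspector and the 30-day expiry threshold are assumptions made for illustration.

```csharp
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

static class StoreInspector   // hypothetical helper, not part of QuickOPC
{
    // Splits e.g. "CurrentUser\My" or "LocalMachine\UA Applications" into a store location and a
    // store name. The prefix is matched case-insensitively; the store name follows the prefix.
    public static bool TryParse(string path, out StoreLocation location, out string storeName)
    {
        location = StoreLocation.CurrentUser;
        storeName = null;
        int separator = path.IndexOf('\\');
        if (separator <= 0 || separator == path.Length - 1) return false;
        string prefix = path.Substring(0, separator);
        storeName = path.Substring(separator + 1);
        if (prefix.Equals("LocalMachine", StringComparison.OrdinalIgnoreCase))
            location = StoreLocation.LocalMachine;
        else if (!prefix.Equals("CurrentUser", StringComparison.OrdinalIgnoreCase))
            return false;
        return true;
    }

    public static void Main(string[] args)
    {
        string path = args.Length > 0 ? args[0] : @"CurrentUser\My";
        if (!TryParse(path, out StoreLocation location, out string storeName))
        {
            Console.WriteLine("Not a platform-specific store path: {0}", path);
            return;
        }
        using (var store = new X509Store(storeName, location))
        {
            // OpenExistingOnly: fail on a misspelled store name instead of creating an empty store.
            try { store.Open(OpenFlags.ReadOnly | OpenFlags.OpenExistingOnly); }
            catch (CryptographicException e)
            {
                Console.WriteLine("Cannot open {0}: {1}", path, e.Message);
                return;
            }
            foreach (X509Certificate2 cert in store.Certificates)
            {
                bool expiringSoon = cert.NotAfter < DateTime.Now.AddDays(30);
                Console.WriteLine("{0}  key={1}  notAfter={2:yyyy-MM-dd}{3}  {4}",
                    cert.Thumbprint, cert.HasPrivateKey, cert.NotAfter,
                    expiringSoon ? " (expires within 30 days)" : "", cert.Subject);
            }
        }
    }
}
```

The application instance certificate should show key=True in the store it was created in; certificates in trust stores normally carry no private key.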
See Also
External
Examples - OPC UA Administration