General Certificate Topics

This article applies to all .Net products.

OPC UA applications usually have an Application Instance Certificate.

1. If a signed or encrypted connection is to be established, the client and the server have to trust each other's Application Instance Certificate (each certificate is present in the other side's trust list). If that is the case, the certificates are used to sign and/or encrypt the communication.

2. If a client and server want to establish a connection that is neither signed nor encrypted and use anonymous authentication, then a trust relationship between client and server may exist but is not required. In that case the client can even decide not to configure an application instance certificate at all, because no certificate is transported.

3. If the connection is to be established with an authentication token other than anonymous, the server may demand a user token security policy.
This policy is used to encrypt a certain part of the token; in the case of the UserNameIdentityToken, the transported password is encrypted. Without this, and without message encryption, the password would be transported in clear text and could be read by anyone listening to the network traffic. For this user token encryption the server and client certificates are again required and are exchanged between the applications.
The difference from case 1 is that the certificates are not checked for trust; they are only needed to encrypt the user token during connection establishment.

You need an Application Instance Certificate for your application. Have a look at the batch files we use to create the demo store certificates of our test and sample applications at <installdir>\Source\PKI\batches. You are free to modify them to your needs.
You also need to set a PKIStoreConfiguration that has at least a configured trust list location.
This trust list can be an empty folder if your client does not have to trust any server certificate. However, the trust list has to be configured and the folder has to exist in any case.
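As an added illustration (not the SDK's own code and not using PKIStoreConfiguration), the following stand-alone C# snippet shows what a folder-based trust list means for case 1: a peer's Application Instance Certificate counts as trusted only if a copy of it is present in the trust-list folder, so an existing but empty folder trusts nobody. It uses only the .NET base class library and assumes one DER file per trusted certificate matched by thumbprint; the folder path and the self-signed test certificate are constructed for the demo.

```csharp
using System;
using System.IO;
using System.Linq;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

static class TrustListDemo
{
    // Assumption for this demo: the trust list is a folder holding one DER-encoded
    // certificate per file, and "trusted" means the peer's thumbprint matches one of them.
    static bool IsTrusted(string trustListDir, X509Certificate2 peer)
    {
        // The SDK requires the folder to exist even when it is empty; treat a missing
        // folder as a configuration error rather than as "nothing trusted".
        if (!Directory.Exists(trustListDir))
            throw new DirectoryNotFoundException($"Trust list folder missing: {trustListDir}");

        return Directory.EnumerateFiles(trustListDir, "*.der")
            .Select(path => new X509Certificate2(path))
            .Any(trusted => string.Equals(trusted.Thumbprint, peer.Thumbprint,
                                          StringComparison.OrdinalIgnoreCase));
    }

    // Constructed self-signed certificate standing in for a server's
    // Application Instance Certificate (demo only, not a real application certificate).
    static X509Certificate2 MakeTestCert(string subject)
    {
        using var rsa = RSA.Create(2048);
        var req = new CertificateRequest(subject, rsa, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
        return req.CreateSelfSigned(DateTimeOffset.UtcNow.AddDays(-1), DateTimeOffset.UtcNow.AddYears(1));
    }

    static void Main()
    {
        // Constructed trust-list location for the demo.
        string trustListDir = Path.Combine(Path.GetTempPath(), "opcua-demo-trusted");
        Directory.CreateDirectory(trustListDir);   // exists but empty: trusts nobody

        using X509Certificate2 server = MakeTestCert("CN=DemoServer");
        Console.WriteLine($"Empty trust list -> trusted: {IsTrusted(trustListDir, server)}");

        // Copying the peer's public certificate (DER, no private key) into the folder
        // is what "trusting" it means for a file-based PKI store.
        File.WriteAllBytes(Path.Combine(trustListDir, "DemoServer.der"),
                           server.Export(X509ContentType.Cert));
        Console.WriteLine($"After import     -> trusted: {IsTrusted(trustListDir, server)}");
    }
}
```

The first check fails and the second succeeds; for case 3 the same certificates are exchanged but this lookup is not performed, which is why a user token policy alone does not establish trust.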