The major difference between CA-signed and self-signed Certificates in an OPC UA installation is the effort required to deploy and maintain the Certificates: with CA-signed Certificates each application only needs the CA Certificate in its trust list, whereas with self-signed Certificates each application must trust every peer Certificate individually. The choice of when to use a CA-issued Certificate versus a self-signed Certificate depends on the installation and site requirements.
Figure 10 illustrates the work that is required to maintain the trust list for self-signed Certificates.
Figure 10 - Manual Certificate handling
An administrator would be required to copy the Application Instance Certificate (the Public Key together with its identifying information) of every Client application into the trust list of every Server application it may need to communicate with, and likewise copy the Certificate of every Server application into the trust list of every Client application that may need to communicate with it. With n Clients and m Servers that is a copy in each direction for every one of the n·m pairs, so the administration effort grows quickly and can become too burdensome. In addition, a Certificate has a lifetime and will need to be replaced with an updated Certificate at some point in time. Renewal normally means generating a new Private Key and Public Key, so the new Certificate must be copied to every peer again and the stale copies of the old one replaced. In very small installations, explicitly listing which Clients a Server trusts by installing each Client's Application Instance Certificate in the Trusted Certificate store of the Server may be acceptable.
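The manual handling of Figure 10, carried out with openssl, as an added example that is not part of the specification: two self-signed Application Instance Certificates are created, each is copied by hand into the other side's trust list, and a renewal on the Client shows why the copy must be redistributed. The directory names (own/, trusted/certs/) follow the layout common OPC UA stacks use but are an assumption here, and the application names and URIs are made up for the demonstration.

```shell
#!/bin/sh
# Added example (not from the OPC UA specification): manual trust-list
# handling for self-signed Application Instance Certificates with openssl.
# Layout own/ and trusted/certs/ is an assumed convention; names and URIs
# are invented for the demonstration.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Create a self-signed Application Instance Certificate and private key.
# $1 = application name, $2 = application URI (OPC UA carries the URI in
# subjectAltName). Running it again for the same name simulates a renewal:
# a fresh key pair and a fresh Certificate replace the old ones.
make_self_signed() {
  app=$1; uri=$2
  mkdir -p "$app/own"
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
    -subj "/CN=$app" -addext "subjectAltName=URI:$uri" \
    -keyout "$app/own/private.pem" -out "$app/own/cert.pem" 2>/dev/null
}

# The administrator's step from Figure 10: copy a peer's Certificate into
# this application's trust list (stored as DER, as OPC UA trust stores do).
install_trusted() {
  app=$1; peer=$2
  mkdir -p "$app/trusted/certs"
  openssl x509 -in "$peer/own/cert.pem" -outform DER \
    -out "$app/trusted/certs/$peer.der"
}

# Does $1 currently trust $2? A self-signed Certificate validates only if
# that exact Certificate is in the trust list, so verify against a bundle
# built from the trust list and nothing else. Exit status 0 = trusted.
is_trusted() {
  app=$1; peer=$2
  bundle="$WORK/$app.bundle.pem"
  : > "$bundle"
  for f in "$app"/trusted/certs/*.der; do
    [ -e "$f" ] && openssl x509 -in "$f" -inform DER >> "$bundle"
  done
  openssl verify -no-CApath -no-CAfile -CAfile "$bundle" \
    "$peer/own/cert.pem" >/dev/null 2>&1
}

# Print the outcome of a trust check and fail the script if it is not the
# expected one. $1 = yes|no, $2 = application, $3 = peer
expect() {
  if is_trusted "$2" "$3"; then got=yes; else got=no; fi
  echo "$2 trusts $3: $got (expected $1)"
  [ "$got" = "$1" ]
}

# --- Figure 10 by hand for one Client and one Server ---
make_self_signed client1 urn:example:client1
make_self_signed server1 urn:example:server1
expect no  server1 client1               # nothing copied yet
install_trusted server1 client1          # Client Certificate -> Server trust list
install_trusted client1 server1          # Server Certificate -> Client trust list
expect yes server1 client1
expect yes client1 server1

# --- Renewal on the Client: server1's copy is now stale ---
make_self_signed client1 urn:example:client1
expect no  server1 client1               # rejected until the new Certificate is copied
install_trusted server1 client1
expect yes server1 client1
```

Every extra Client or Server adds a row and a column of such copies, and every renewal on any application repeats the copy for all of its peers; that is the administrative load the text describes and the reason CA-issued Certificates are preferred once the installation grows.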