OPC UA Applications typically have ApplicationInstanceCertificates to provide application-level security. They are used for establishing a secure connection using Asymmetric Cryptography. These ApplicationInstanceCertificates are X.509 v3 Certificates and contain a list of data items that are defined in OPC 10000-4 and completely described in OPC 10000-6. These data items describe the ApplicationInstance that the Certificate is assigned to.

The Certificates include a Digital Signature by the generator of the Certificate. This Digital Signature can be self-signed (the signature is generated by the Private Key associated with the X.509 v3 Certificate that is the ApplicationInstanceCertificate) or can be signed by a Certificate Authority (the signature is generated by the Private Key associated with the X.509 v3 Certificate of the CA). Both types of Certificates provide the same level of security and can be used in Asymmetric Cryptography. The Signatures can be generated using a variety of algorithms, where the algorithms provide different levels of security (128 bit, 256 bit, 512 bit ...). The algorithm that is required for signing a certificate is specified as part of the Security Policy. Servers and Clients should be able to support more than one certificate since more than one certificate may be required depending on the Security Profiles that are being supported.

Asymmetric Cryptography makes use of two keys – a Private Key and a Public Key. An OPC UA Application will have a list of trusted Public Keys that represent the applications it trusts. The Private Key and the list of trusted Public Keys are stored either in the Windows Registry or a file folder, ideally secured using a secure element (e.g. TPM). The OPC UA Application can use a Public Key, from its list, to validate that the signature on a received connection request was generated by the corresponding Private Key. An application can also use the Public Key of the target application to encrypt data, which can only be decrypted using the Private Key of the target application.
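The following Go program is an added illustration of the two preceding paragraphs and is not part of the OPC UA specification or of any OPC UA stack. Using only the Go standard library, it creates a self-signed ApplicationInstanceCertificate and a CA-signed one, checks each against a trust list, verifies a signature on a connection request with the Public Key taken from the sender's certificate, and encrypts data that only the target's Private Key can decrypt. Assumptions: the ApplicationUri is placed in the subjectAltName URI field (as OPC 10000-6 specifies), RSA with SHA-256 stands in for whichever algorithm the applicable Security Policy requires, the trust list is held in memory rather than in the Windows Registry or a file folder, and all application names and URIs are constructed sample values.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"net/url"
	"time"
)

// newCertificate generates an RSA key pair and an X.509 v3 certificate for it and returns both.
// With issuer == nil the certificate is self-signed by its own Private Key; otherwise the CA
// certificate issuer and its Private Key issuerKey sign it. Assumptions: the ApplicationUri goes
// in the subjectAltName URI field (OPC 10000-6); RSA/SHA-256 stands in for the Security Policy's algorithm.
func newCertificate(name, appURI string, issuer *x509.Certificate, issuerKey *rsa.PrivateKey, isCA bool) (*x509.Certificate, *rsa.PrivateKey, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()), // constructed serial; a real issuer tracks these
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(365 * 24 * time.Hour),
		SignatureAlgorithm:    x509.SHA256WithRSA,
		BasicConstraintsValid: true,
		IsCA:                  isCA,
	}
	if isCA {
		tmpl.KeyUsage = x509.KeyUsageCertSign // a CA's Private Key may sign other certificates
	} else if uri, err := url.Parse(appURI); err == nil {
		tmpl.URIs = []*url.URL{uri} // the ApplicationUri of the ApplicationInstance this certificate belongs to
	} else {
		return nil, nil, err
	}
	parent, signer := tmpl, key // self-signed unless a CA is supplied
	if issuer != nil {
		parent, signer = issuer, issuerKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// trusted reports whether cert is, or chains to, an entry of the application's trust list
// (its list of trusted Public Keys, held in memory here rather than in a certificate store).
func trusted(trustList []*x509.Certificate, cert *x509.Certificate) bool {
	pool := x509.NewCertPool()
	for _, c := range trustList {
		pool.AddCert(c)
	}
	_, err := cert.Verify(x509.VerifyOptions{Roots: pool})
	return err == nil
}

// signRequest signs a connection request with the sender's Private Key (PKCS#1 v1.5 over SHA-256);
// verifyRequest checks that signature with the Public Key carried in the sender's certificate.
func signRequest(key *rsa.PrivateKey, request []byte) ([]byte, error) {
	digest := sha256.Sum256(request)
	return rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
}

func verifyRequest(cert *x509.Certificate, request, sig []byte) bool {
	digest := sha256.Sum256(request)
	pub, ok := cert.PublicKey.(*rsa.PublicKey)
	return ok && rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) == nil
}

// encryptFor encrypts data for the target application with the Public Key in its certificate
// (RSA-OAEP); only decryptWith, using the target's Private Key, can recover it.
func encryptFor(cert *x509.Certificate, plaintext []byte) ([]byte, error) {
	pub, ok := cert.PublicKey.(*rsa.PublicKey)
	if !ok {
		return nil, errors.New("certificate does not carry an RSA Public Key")
	}
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, plaintext, nil)
}

func decryptWith(key *rsa.PrivateKey, ciphertext []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, key, ciphertext, nil)
}
```

A Client that trusts a self-signed Server certificate puts that certificate itself in its trust list; a Server that trusts a CA puts only the CA certificate in its list and accepts every certificate the CA has signed. In both cases trusted() verifies the signature on the presented certificate with a Public Key the application already trusts, which is why the text treats self-signed and CA-signed certificates as equally secure. A certificate from any application outside the list, and a request signature checked against the wrong Public Key or over altered bytes, is rejected.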