The major difference between CA-signed and self-signed Certificates in an OPC UA installation is the effort required to deploy and maintain the Certificates. The choice of when to use a CA-issued Certificate versus a self-signed Certificate depends on the installation and site requirements.

Figure 9 illustrates the work that is required to maintain the TrustList for self-signed Certificates.


Figure 9 – Manual Certificate handling

An administrator would be required to copy the Public Key associated with all Client applications to all Server applications that they may need to communicate with. In addition, the administrator would be required to copy the Public Key associated with all Server applications to all Client applications that may need to communicate with them. As the number of Servers and Clients grows, the administration effort can become too burdensome. In addition, a Certificate has a lifetime and will need to be replaced with an updated Certificate at some point in time. This will require that new Private Keys and Public Keys be generated and all of the Public Keys to be copied again. In very small installations, explicitly listing what Clients a Server trusts by installing the Public Key of the Client ApplicationInstanceCertificate in the Trusted Certificate store of the Server may be acceptable.