The major difference between CA signed and self-signed Certificate in an OPC UA installation is the effort required to deploy and maintain the Certificates. The choice of when to use a CA issued Certificate versus a self-signed Certificate depends on the installation and site requirements.
Figure 11 illustrates the work that is required to maintain the TrustList for self-signed Certificates.
Figure 11 – Manual Certificate handling
An administrator would be required to copy the Public Key associated with all Client applications to all Server applications that they need to communicate with. In addition, the administrator would be required to copy the Public Key associated with all Server applications to all Client applications that need to communicate with them. As the number of Servers and Clients grows, the administration effort can become too burdensome. In addition, a Certificate has a lifetime and will need to be replaced with an updated Certificate at some point in time. This will require that new Private Keys and Public Keys be generated and all of the Public Keys to be copied again. In very small installations, explicitly listing what Clients a Server trusts by installing the Public Key of the Client ApplicationInstanceCertificate in the Trusted Certificate store of the Server could be acceptable.