Certificates are digitally signed data structures that contain a Public Key and the identity of a OPC UA Application. All SecurityProtocols use X.509 v3 Certificates (see X.509 v3) encoded using the DER format (see X690). Certificates used by OPC UA applications shall also conform to RFC 5280 which defines a profile for X.509 v3 Certificates when they are used as part of an Internet based application.

The ServerCertificate and ClientCertificate parameters used in the abstract OpenSecureChannel service are instances of the ApplicationInstance Certificate DataType. Clause 6.2.2 describes how to create an X.509 v3 Certificate that can be used as an ApplicationInstance Certificate.

Certificates are also used as form of UserIdentityToken which identifies a user associated with a Session. Clause 6.2.3 describes Certificates used as UserIdentityTokens.