OPC Server Certificate Expiry|OPC UA Standard|Forum|OPC Foundation

OPC Server Certificate Expiry
Vinod Pydi
01/22/2024 - 09:59
Could you please help me with the certificate expiry? We have followed the folder structure as per the standards and CTT tests.

When the OPC server starts, the pki folder structure is created and our DA server certificate is created automatically and saved in the "OWN" folder and the "trusted" folder.

When the OPC DA certificate expires after 1 year, I have the below questions:

  • Is it mandatory to restart the OPC Server application to regenerate the new certificates from the stack?
  • Do we need to delete the certificate from the "OWN" folder after the expiry and then restart, if it is mandatory?
  • How can we test the expiry of the certificate? (If we intentionally change the system time and date, will it work? We hope it will give us an error stating "Bad certificate time invalid".)

Please help us answer these questions so we can go forward. Thank you.



Vinod Pydi

Alexander Allmendinger
01/23/2024 - 00:46
Hi Vinod,

The answers to your questions regarding the certificates depend more on your product strategy and less on the OPC UA standard. How you generate new certificates is up to the application. You can generate new ones by deleting the files and restarting the application, you can provide status notification about the expiration and ask for user input to generate and exchange them, or you can use the certificate management interfaces described in the Global Services OPC UA specification (Part 12).

In general, from my experience, automatically exchanging the certificates by creating new ones without interaction with the operator of the application can cause problems. Clients will lose their connections to the server and will need to be reconfigured. If this happens without warnings beforehand, the operator may end up with unexpected downtimes of their systems.

From that point of view I would suggest to:

1. Provide warnings to the operator before the certificate expires.

2. Continue to use the expired certificate until the operator tells the application to create a new certificate or configures a new one they generated themselves.

Of course, this will require a certificate management user interface and ideally support for the certificate management interface of OPC UA to centralize these activities for the operator.

Regarding your other questions, I can't really answer them. Whether you will need to delete the old certificates depends on your application's certificate management. Some will use certificates with certain file names, others load the certificate based on the Thumbprint, and others use the currently valid certificate with a desired Subject Name. You'll need to check how your application loads the certificate or get in contact with the developers of the SDK/Toolkit you are using.

Alexander Allmendinger
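As an added example (not code from either poster, nor from any OPC UA SDK), this is the check behind the first suggestion above: classify the server's own application instance certificate against an operator warning window, with the clock passed in explicitly so the "change the system time" test from the question can be run without touching the host clock. The 30-day window and the self-signed test certificate are constructed for the example; a real stack's certificate would be read from the pki "own" folder instead.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

type ExpiryStatus string // result of CheckExpiry for one certificate

const (
	StatusValid        ExpiryStatus = "valid"
	StatusExpiringSoon ExpiryStatus = "expiring-soon" // inside the operator warning window
	StatusExpired      ExpiryStatus = "expired"       // notAfter has passed
	StatusNotYetValid  ExpiryStatus = "not-yet-valid" // clock skew, or a back-dated test clock
)

// CheckExpiry evaluates a DER certificate at the instant now; callers pass now to simulate clock changes.
func CheckExpiry(der []byte, now time.Time, warnBefore time.Duration) (ExpiryStatus, error) {
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return "", err
	}
	switch {
	case now.Before(cert.NotBefore):
		return StatusNotYetValid, nil
	case now.After(cert.NotAfter): // RFC 5280: the notAfter instant itself is still valid
		return StatusExpired, nil
	case now.Add(warnBefore).After(cert.NotAfter):
		return StatusExpiringSoon, nil
	}
	return StatusValid, nil
}

// NewTestCertDER builds a constructed self-signed certificate (not what an OPC UA stack emits) for offline tests.
func NewTestCertDER(notBefore, notAfter time.Time) ([]byte, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "ExampleOpcServer"}, // constructed subject
		NotBefore:    notBefore,
		NotAfter:     notAfter,
	}
	return x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
}
```

Running the same certificate through CheckExpiry at several probe times (for instance six months in, twelve days before notAfter, and one day after) yields valid, expiring-soon and expired in turn, which is the sequence an operator warning should follow before the application ever refuses to start.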
