---
title: "OPC-UA Certificates"
description: "Managing OPC-UA client certificates for secure connections"
source_url: https://ai-ops.com/docs/protocols/opc-ua-certificates
---

# OPC-UA Certificates

When connecting to an OPC-UA server with a security mode other than **None**, Koios uses X.509 certificates to establish trust. The server verifies Koios's client certificate, and in some cases Koios verifies the server's certificate as well.

Certificates are only required when the Security Mode is set to **Sign** or **Sign & Encrypt**. If you're connecting with Security Mode **None**, no certificate is needed, but messages are then neither authenticated nor encrypted, so anyone on the network path can read or alter them; use **None** only for testing or on an isolated network.

Koios manages certificates centrally — you create them once and assign them to any number of OPC-UA devices.

## Managing Certificates

The certificate manager is found on the **OPC-UA protocol detail page** under the **Certificates** tab. Navigate to **Protocols** and select **OPC-UA** to access it.

The certificates table shows all available client certificates with their name, common name, expiry date, the number of devices using each one, and their current status.

### Certificate Status

Each certificate shows one or more status badges:

| Badge | Meaning |
|-------|---------|
| **Valid** | The certificate is within its validity period and ready to use |
| **Expired** | The certificate has passed its expiry date and should be regenerated or replaced |
| **Missing Files** | The certificate or private key file is not present on disk — downloads will be unavailable |

One certificate is always marked as the **default** (indicated by a star icon). Devices that don't have a specific certificate assigned will use the default certificate automatically.

## Generating a Certificate

The simplest way to get started is to let Koios generate a self-signed certificate.

1. On the Certificates tab, click **Generate**
2. Enter a **Name** for the certificate (e.g. "Plant A Certificate")
3. Optionally enter a **Description**
4. Optionally enter a **Hostname** — this is used in the certificate's Common Name and Application URI. If left blank, Koios uses the system hostname. OPC-UA servers compare the Application URI in the certificate with the one the client announces when it connects, so choose a hostname that will stay stable
5. Click **Generate**

The new certificate appears in the table immediately and can be assigned to devices. Generated certificates are self-signed — most OPC-UA servers require you to explicitly trust them before they'll accept a secure connection (see [Establishing Trust](#establishing-trust-with-opc-ua-servers) below).

## Uploading a Certificate

If you have an existing certificate and private key (e.g. issued by your organization's CA), you can upload them.

1. On the Certificates tab, click **Upload**
2. Enter a **Name** for the certificate
3. Optionally enter a **Description**
4. Select the **Certificate File** — DER or PEM encoded X.509 certificate (`.der`, `.pem`, `.crt`, or `.cer`)
5. Select the **Private Key File** — PEM encoded private key (`.pem` or `.key`)
6. Click **Upload**

## Viewing Certificate Details

Click any row in the certificates table to open a detail drawer showing:

- **Common Name** — the X.509 subject CN
- **Organization** — the organization field, if present
- **Application URI** — the OPC-UA application URI embedded in the certificate
- **Validity** — the "Valid From" and "Valid Until" dates
- **Assigned Devices** — how many devices are using this certificate

### Downloading Certificate Files

If the certificate files exist on disk, the detail drawer shows download buttons:

- **Certificate (.der)** — the public certificate file, which you may need to import into OPC-UA servers for trust
- **Private Key (.pem)** — the private key file. Only download this when necessary (e.g. for backup), store the copy encrypted, and delete it once it is no longer needed. Anyone with the private key can impersonate Koios to your OPC-UA servers, so treat a leaked copy as a compromise and regenerate the certificate.

## Regenerating a Certificate

If a certificate has expired or been compromised, you can regenerate it in place. This creates a new key pair and certificate while keeping the same name and device assignments. Regeneration does not untrust the old certificate on your servers: if the old private key may have been exposed, also remove the old certificate from each server's trust list, otherwise a copy of the old key remains usable against those servers.

1. Open the certificate's detail drawer
2. Click **Regenerate Certificate**
3. Confirm the action

> [!WARNING] Servers must re-trust the new certificate
> After regenerating, any OPC-UA server that trusted the previous certificate will reject connections until you add the new certificate to its trust list. Plan regeneration during a maintenance window if possible.

## Deleting a Certificate

1. Open the certificate's detail drawer
2. Click **Delete Certificate** (this button is hidden for the default certificate — the default cannot be deleted)
3. Confirm the action

Devices that were assigned to the deleted certificate will fall back to the default certificate.

## Assigning Certificates to Devices

Certificates are assigned on each OPC-UA device's **Configuration** tab.

1. Navigate to the device's detail page
2. On the Configuration tab, set the **Security Mode** to **Sign** or **Sign & Encrypt** — the certificate selector appears
3. Choose a certificate from the **Client Certificate** dropdown, or leave it blank to use the default
4. You can also click the **+** button next to the dropdown to generate a new certificate without leaving the device page
5. **Save** the configuration

## Establishing Trust with OPC-UA Servers

Most OPC-UA servers won't accept a secure connection from an unknown client. After generating or uploading a certificate in Koios, you typically need to:

1. **Download** the Koios client certificate (`.der` file) from the detail drawer
2. **Import** it into the OPC-UA server's trusted certificates folder — the exact location depends on the server software
3. **Restart** the OPC-UA server if required (some servers pick up new trusted certificates automatically)

Servers typically identify certificates in their trust lists by thumbprint (the SHA-1 hash of the DER encoding), so compare the thumbprint the server displays with the file you downloaded before trusting it. If you uploaded a certificate issued by your organization's CA, most servers let you trust the issuing CA certificate instead (together with its CRL), so that every client certificate the CA issues is accepted without a per-client step.

Some servers support an "accept on first connect" workflow where they automatically move rejected certificates to a pending folder. In that case:

1. Trigger a connection attempt from Koios — either **enable the device** or click **Test** on the device's Configuration tab. The connection will fail with a message like "Certificate rejected by server"
2. On the OPC-UA server, find the rejected certificate and move it to the trusted folder
3. Koios will automatically connect on the next scan cycle if the device is enabled. If you used the Test button, click Test again to verify

The exact trust process varies by OPC-UA server software (Kepware, Prosys, Unified Automation, Siemens, etc.). Refer to your server's documentation for details on managing trusted client certificates.
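The following shell script is an added example and is not part of Koios; it reproduces, with the `openssl` CLI, what the Certificates tab does for you, so you can see what a generated certificate has to contain and check a certificate file independently of the UI. It covers generating a self-signed client certificate (the Generating a Certificate section), reading back the Application URI and validity state shown in the detail drawer and the status badges, checking that an uploaded private key belongs to its certificate, spotting an upcoming expiry before a regeneration window, and computing the thumbprint you compare against the server when establishing trust. The hostname `edge-gw-01`, the Application URI `urn:edge-gw-01:koios:client`, the organization "Example Plant" and the file names are illustrative assumptions, not Koios's real values; it needs OpenSSL 1.1.1 or newer.

```shell
#!/usr/bin/env bash
# Added example, not Koios code. Generates and inspects an OPC-UA client
# certificate with the openssl CLI. The hostname, Application URI and
# organization below are illustrative assumptions.
set -eu

# Create an RSA-2048 key and a self-signed certificate carrying the extensions
# OPC UA Part 6 expects of an application instance certificate: the Application
# URI as a URI SAN, the host as a DNS SAN, and the key usages needed to sign and
# encrypt secure-channel messages. Writes client.key.pem (the PEM key the Upload
# dialog wants), client.crt.pem and client.der (the form most servers import).
gen_opcua_client_cert() {   # args: output dir, hostname, application URI, [days]
  local dir="$1" host="$2" app_uri="$3" days="${4:-365}"
  mkdir -p "$dir"
  cat > "$dir/client.cnf" <<EOF
[ req ]
prompt = no
distinguished_name = dn
x509_extensions = v3_client
[ dn ]
CN = $host
O = Example Plant
[ v3_client ]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
extendedKeyUsage = clientAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
subjectAltName = URI:$app_uri, DNS:$host
EOF
  openssl req -x509 -new -newkey rsa:2048 -sha256 -nodes -days "$days" \
    -config "$dir/client.cnf" \
    -keyout "$dir/client.key.pem" -out "$dir/client.crt.pem"
  openssl x509 -in "$dir/client.crt.pem" -outform DER -out "$dir/client.der"
}

# Application URI stored in the subjectAltName. Servers compare it with the
# ApplicationUri the client announces, so a mismatch is the first thing to check
# when a server rejects a certificate it already trusts.
cert_app_uri() {   # args: file, DER|PEM
  openssl x509 -in "$1" -inform "$2" -noout -text \
    | grep -A1 'Subject Alternative Name' | tail -n 1 \
    | tr ',' '\n' | sed -n 's/^ *URI:\(.*\)$/\1/p'
}

# The same three states the Certificates table shows as badges.
cert_status() {   # args: file, DER|PEM
  [ -f "$1" ] || { echo "Missing Files"; return; }
  if openssl x509 -in "$1" -inform "$2" -noout -checkend 0 >/dev/null; then
    echo "Valid"
  else
    echo "Expired"
  fi
}

# Succeeds if the certificate expires within N days, so a regeneration
# maintenance window can be scheduled before servers start rejecting Koios.
cert_expires_within() {   # args: file, DER|PEM, days
  ! openssl x509 -in "$1" -inform "$2" -noout -checkend $(( $3 * 86400 )) >/dev/null
}

# SHA-1 thumbprint of the DER encoding, the identifier servers show in their
# rejected/trusted lists, so you can confirm you moved the right certificate.
cert_thumbprint() {   # args: file, DER|PEM
  openssl x509 -in "$1" -inform "$2" -noout -fingerprint -sha1 | cut -d= -f2 | tr -d ':'
}

# Before uploading an externally issued pair, check that the private key really
# belongs to the certificate: both must yield the same public key.
key_matches_cert() {   # args: cert file, DER|PEM, PEM key file
  [ "$(openssl x509 -in "$1" -inform "$2" -noout -pubkey)" = "$(openssl pkey -in "$3" -pubout)" ]
}

# Demo run with the illustrative names; output lands in a throwaway directory.
demo_dir=$(mktemp -d)
gen_opcua_client_cert "$demo_dir" edge-gw-01 urn:edge-gw-01:koios:client 365
echo "Application URI : $(cert_app_uri "$demo_dir/client.der" DER)"
echo "Status          : $(cert_status "$demo_dir/client.der" DER)"
echo "SHA-1 thumbprint: $(cert_thumbprint "$demo_dir/client.der" DER)"
echo "Copy $demo_dir/client.der into the server's trusted certificates folder."
```

The extension section is the part worth copying: servers that validate client certificates strictly reject one without a URI SAN or without the signing and encipherment key usages, and a certificate generated without them fails with the same "rejected" message as an untrusted one, which makes the cause hard to tell apart without inspecting the file. The thumbprint is the same whether computed from the `.pem` or the `.der` file, since it hashes the DER encoding either way.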
