An X.509 Certificate is a digital identity credential defined by the ITU-T X.509 standard that uses a trusted Certificate Authority (CA) signature to cryptographically bind a public key to an application instance. In OPC UA, this certificate is the foundational trust anchor presented during the Secure Channel handshake to prove an application's identity before any data exchange occurs.
Glossary
X.509 Certificate

What is an X.509 Certificate?
An X.509 certificate is a digital document conforming to the ITU-T X.509 standard that binds a public key to a specific identity, enabling trust establishment and encrypted communication in OPC UA and other network protocols.
The certificate contains structured fields including a Subject (the application's unique name), Issuer (the signing CA), a validity period, and the SubjectPublicKeyInfo. OPC UA applications use these certificates for asymmetric cryptography during session establishment, enabling mutual authentication and the secure negotiation of symmetric session keys for subsequent message encryption and signing.
Key Features of X.509 Certificates in OPC UA
X.509 certificates form the bedrock of trust in OPC UA, binding a public key to an application instance and enabling mutual authentication during the Secure Channel handshake.
Application Identity Binding
An X.509 certificate uniquely identifies an OPC UA Application Instance by binding its Application URI and hostname to a public key. This prevents a rogue application from impersonating a trusted server or client. During the handshake, the certificate's SubjectAltName extension is validated against the connecting application's declared URI, ensuring cryptographic proof of identity beyond simple IP address verification.
Certificate Trust Chain Validation
OPC UA clients and servers validate a peer's certificate by building a chain of trust to a locally stored Trust List. The process involves:
- Verifying the digital signature of the Issuer on the peer's certificate
- Checking that no certificate in the chain is expired or revoked
- Ensuring the BasicConstraints extension permits CA certificates to sign others
- Confirming the root Certificate Authority (CA) is explicitly trusted This chain-of-trust model eliminates the need for pre-shared secrets between every pair of applications.
Certificate Revocation Lists (CRLs)
A compromised or decommissioned application's certificate must be invalidated immediately. OPC UA supports Certificate Revocation Lists—signed files published by a CA that enumerate revoked certificate serial numbers. During validation, the receiving application checks the peer's certificate against the latest CRL. If a match is found, the connection is rejected, preventing a stolen private key from being used to establish a malicious Secure Channel.
Key Usage and Extended Key Usage
X.509 certificates contain critical extensions that constrain how the enclosed public key can be used. In OPC UA:
- KeyUsage must assert
digitalSignatureandkeyEncipherment - ExtendedKeyUsage (EKU) must include
serverAuthfor servers andclientAuthfor clients These constraints prevent an attacker from repurposing a certificate issued for a web server to authenticate an OPC UA session, enforcing strict role separation through cryptographic policy.
Certificate Store and Trust List Management
Each OPC UA application maintains a local Certificate Store divided into distinct directories:
- Trusted Certificates: Peers that are fully trusted to connect
- Issuer Certificates: Intermediate CAs used for chain building
- Revoked Certificates: Explicitly blocked certificates When an unknown certificate is received, it is placed in a Rejected store, and an administrator must manually move it to the Trusted list. This explicit trust model prevents automatic acceptance of untrusted peers.
Certificate Expiry and Renewal
Every X.509 certificate has a defined validity period with notBefore and notAfter dates. OPC UA applications must monitor certificate expiry and execute a renewal process before expiration to avoid unexpected connection failures. The GDS (Global Discovery Server) can automate this by pushing new certificates to managed applications using the Certificate Management service set, enabling zero-touch rotation of trust material across large fleets of industrial devices.
Frequently Asked Questions
Essential questions about the role, structure, and management of X.509 certificates within OPC UA secure communication.
An X.509 certificate is a digital document conforming to the ITU-T X.509 standard that binds a public key to a specific OPC UA application identity. It establishes trust during the Secure Channel handshake by enabling asymmetric cryptography. When a Client connects to a Server, they exchange their X.509 certificates. Each party validates the other's certificate by verifying the digital signature of the issuing Certificate Authority (CA) against its own Trust List. If the certificate chain is valid, has not expired, and has not been revoked, a secure, encrypted session is established. This mutual authentication prevents man-in-the-middle attacks and ensures that the client is communicating with the intended server, not a rogue imposter.
Enabling Efficiency, Speed & Accuracy
Intelligent Analysis, Decision & Execution
We build AI systems for teams that need search across company data, workflow automation across tools, or AI features inside products and internal software.
Talk to Us
Search across company data
Give teams answers from docs, tickets, runbooks, and product data with sources and permissions.
Useful when people spend too long searching or get different answers from different systems.

Automate internal workflows
Use AI to route work, draft outputs, trigger actions, and keep approvals and logs in place.
Useful when repetitive work moves across multiple tools and teams.

Add AI to products and internal tools
Build assistants, guided actions, or decision support into the software your team or customers already use.
Useful when AI needs to be part of the product, not a separate tool.
Related Terms
X.509 certificates are the bedrock of OPC UA security. These related concepts define how certificates are created, validated, and managed within the trust framework.
Public Key Infrastructure (PKI)
The complete framework of hardware, software, policies, and procedures required to create, manage, distribute, use, store, and revoke digital certificates. In OPC UA, the PKI manages the lifecycle of X.509 certificates used for application authentication.
- Certificate Authority (CA): The trusted entity that issues and signs certificates
- Registration Authority (RA): Vets entities requesting certificates before the CA issues them
- Validation Authority (VA): Provides real-time certificate status information via OCSP or CRLs
- Certificate Repository: A secure database storing issued certificates and public keys
Certificate Chain of Trust
A hierarchical validation model where an end-entity certificate is trusted only if every intermediate CA certificate up to a trusted root CA is valid. OPC UA applications validate the full chain during the Secure Channel handshake.
- Root CA: The ultimate trust anchor, typically self-signed and stored in a Trust List
- Intermediate CA: Delegated authorities that issue end-entity certificates, forming the chain links
- End-Entity Certificate: The leaf certificate assigned to a specific OPC UA application instance
- Chain Validation: Verifying signatures, validity periods, and revocation status at every level
Certificate Revocation Lists (CRLs)
A signed list published by a CA that identifies certificates that have been revoked before their expiration date. OPC UA applications must check CRLs to reject compromised or decommissioned peers.
- Revocation Reasons: Key compromise, CA compromise, affiliation change, or cessation of operation
- Distribution Points: URLs embedded in the certificate's CRL Distribution Points extension
- Delta CRLs: Incremental updates listing only certificates revoked since the last full CRL issuance
- Validity Window: CRLs have a
thisUpdateandnextUpdatefield defining their freshness period
OPC UA Trust List
A server-managed directory of trusted X.509 certificates and Certificate Authorities that an OPC UA application uses to validate incoming connections. This is the practical implementation of the trust model.
- Trusted Certificates Store: Contains certificates of peer applications explicitly authorized to connect
- Trusted Issuers Store: Contains CA certificates whose issued certificates are automatically trusted
- Certificate Validation: Each incoming certificate is checked against these stores during handshake
- Automatic Trust: Certificates signed by a CA in the Issuers store are trusted without manual addition
Self-Signed vs. CA-Signed Certificates
Two distinct trust models for OPC UA application certificates. Self-signed certificates are signed by the application itself, while CA-signed certificates are issued by a centralized Certificate Authority.
- Self-Signed: Simpler for small, isolated networks; requires manual trust list management on every peer
- CA-Signed: Scalable for large deployments; trust is established by distributing only the root CA certificate
- Key Usage Extension: Defines whether the certificate can be used for digitalSignature, keyEncipherment, or both
- Extended Key Usage: Specifies the OPC UA application type — Server, Client, or both
Certificate Expiration and Renewal
Every X.509 certificate has a defined validity period bounded by notBefore and notAfter fields. Expired certificates cause immediate Secure Channel rejection, requiring proactive lifecycle management.
- Validity Period: Typically 1-5 years for OPC UA application certificates
- Graceful Renewal: OPC UA supports certificate renewal without disrupting active Sessions
- Expiration Monitoring: Global Discovery Servers can track certificate expiry across the entire plant floor
- Automatic Enrollment: Protocols like SCEP or EST automate certificate renewal for large fleets

About the author
Prasad Kumkar
CEO & MD, Inference Systems
Prasad Kumkar is the CEO & MD of Inference Systems and writes about AI systems architecture, LLM infrastructure, model serving, evaluation, and production deployment. Over 5+ years, he has worked across computer vision models, L5 autonomous vehicle systems, and LLM research, with a focus on taking complex AI ideas into real-world engineering systems.
His work and writing cover AI systems, large language models, AI agents, multimodal systems, autonomous systems, inference optimization, RAG, evaluation, and production AI engineering.
Partnered with leading AI, data, and software stack.
How We Work
Custom AI workflows for your Business
One-fit-all AI don't work for modern businesses. At Inferensys, we aim to understand your business & custom requirements; which we use to define most efficient agentic workflows, the data, and the tools for your business.
01
Review the use case
We understand the task, the users, and where AI can actually help.
Read more02
Pick the right approach
We define what needs search, automation, or product integration.
Read more03
Build the first useful version
We implement the part that proves the value first.
Read more04
Improve from there
We add the checks and visibility needed to keep it useful.
Read moreThe first call is a practical review of your use case and the right next step.
Talk to Us