Overview
========

OPC UA applications typically have Application Instance Certificates to provide application-level security. They are used for establishing a secure connection using Asymmetric Cryptography. These Application Instance Certificates are Digital Certificates (X.509 Certificates) that contain a list of data items defined in the OPC UA specification, Part 4. These data items describe the Application Instance that the Digital Certificate is assigned to, such as the ApplicationUri and the host names of the machine the application runs on.

The Digital Certificates include a Digital Signature by the generator of the Certificate. This Digital Signature can be self-signed (the signature is generated by the Private Key associated with the X.509 Certificate that is the Application Instance Certificate) or can be signed by a Certificate Authority (the signature is generated by the Private Key associated with the X.509 Certificate of the CA). Both types of Certificates provide the same level of cryptographic security and can be used in Asymmetric Cryptography; they differ only in how trust is established. A self-signed Certificate has to be placed in the peer's trust list individually, whereas any Certificate issued by a trusted CA is accepted because the CA Certificate is trusted.

The Signatures can be generated using a variety of algorithms, which provide different levels of security (128 bit, 256 bit, 512 bit ...). The algorithm that is required for signing a certificate is specified as part of the Security Policy. Servers and Clients should be able to support more than one certificate, since different Security Profiles may require different certificates (for example, different key lengths or signature algorithms).

Asymmetric Cryptography makes use of two keys, a Private Key and a Public Key. An application will have a list of trusted Public Keys (in the form of Certificates) that represent the applications it trusts. This list of trusted Public Keys is stored either in the Windows Registry or in a file folder. The application will also have a Private Key that corresponds to its own Application Instance Certificate. The application can use a Public Key from its trust list to validate that the signature on a received connection request was generated by the corresponding Private Key. An application can also use the Public Key of the target application to encrypt data, which can only be decrypted using the Private Key of the target application.
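The following Go program is an added example and is not part of the original page or of any OPC UA stack. It shows the mechanics described above with the Go standard library only: an application instance certificate carrying its ApplicationUri and host name as subjectAltName entries, one signed by a CA and one self-signed, an in-memory trust list (standing in for the registry or folder store) that accepts the self-signed certificate individually and the CA-signed one via its issuer, and a signature check and public-key encryption between two applications. The names (`Example CA`, `urn:example.com:Server`, `example-host`) are constructed for the example, and the RSA PKCS#1 v1.5 / OAEP algorithms are illustrative rather than the exact algorithm set of any particular OPC UA Security Policy.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net/url"
	"time"
)

// AppCert bundles an X.509 certificate with the private key it belongs to.
type AppCert struct {
	Cert *x509.Certificate
	Key  *rsa.PrivateKey
}

// issue fills in the generic fields of tmpl and signs it. With issuer == nil the
// certificate is self-signed (signed by its own new key); otherwise the issuer's
// private key signs it, which is what a CA does.
func issue(tmpl *x509.Certificate, issuer *AppCert) (*AppCert, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	tmpl.SerialNumber, _ = rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 127))
	tmpl.NotBefore = time.Now().Add(-time.Hour)
	tmpl.NotAfter = time.Now().Add(365 * 24 * time.Hour)
	parent, signer := tmpl, key // self-signed: the certificate vouches for itself
	if issuer != nil {
		parent, signer = issuer.Cert, issuer.Key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &AppCert{Cert: cert, Key: key}, nil
}

// NewCA creates a self-signed CA certificate that is allowed to sign other certificates.
func NewCA(name string) (*AppCert, error) {
	return issue(&x509.Certificate{
		Subject:               pkix.Name{CommonName: name},
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}, nil)
}

// NewAppCert creates an application instance certificate. The ApplicationUri is
// carried as a URI subjectAltName and the host name as a DNS subjectAltName.
func NewAppCert(name, appURI, host string, issuer *AppCert) (*AppCert, error) {
	u, err := url.Parse(appURI)
	if err != nil {
		return nil, err
	}
	return issue(&x509.Certificate{
		Subject:     pkix.Name{CommonName: name},
		URIs:        []*url.URL{u},
		DNSNames:    []string{host},
		KeyUsage:    x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment | x509.KeyUsageDataEncipherment,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
	}, issuer)
}

// Trusted reports whether cert chains to an entry of the trust list: a self-signed
// certificate must be in the list itself, a CA-signed one is accepted if its CA is.
func Trusted(cert *x509.Certificate, trustList *x509.CertPool) bool {
	_, err := cert.Verify(x509.VerifyOptions{Roots: trustList, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
	return err == nil
}

// Sign signs data (for example a connection request) with the application's private key.
func Sign(a *AppCert, data []byte) ([]byte, error) {
	digest := sha256.Sum256(data)
	return rsa.SignPKCS1v15(rand.Reader, a.Key, crypto.SHA256, digest[:])
}

// VerifySignature checks a signature using the public key from the peer's certificate.
func VerifySignature(cert *x509.Certificate, data, sig []byte) bool {
	pub, ok := cert.PublicKey.(*rsa.PublicKey)
	if !ok {
		return false
	}
	digest := sha256.Sum256(data)
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) == nil
}

// Encrypt encrypts for the certificate holder; only the matching private key can Decrypt.
func Encrypt(cert *x509.Certificate, msg []byte) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, cert.PublicKey.(*rsa.PublicKey), msg, nil)
}

// Decrypt recovers a message encrypted with the application's own public key.
func Decrypt(a *AppCert, ct []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, a.Key, ct, nil)
}

func main() {
	ca, _ := NewCA("Example CA")
	server, _ := NewAppCert("Server", "urn:example.com:Server", "example-host", ca)
	client, _ := NewAppCert("Client", "urn:example.com:Client", "client-host", nil)
	stranger, _ := NewAppCert("Stranger", "urn:example.com:Stranger", "other-host", nil)

	trustList := x509.NewCertPool()
	trustList.AddCert(ca.Cert)     // trust everything this CA issues
	trustList.AddCert(client.Cert) // trust exactly this self-signed application
	fmt.Println("server trusted:", Trusted(server.Cert, trustList))     // true, via the CA
	fmt.Println("client trusted:", Trusted(client.Cert, trustList))     // true, listed directly
	fmt.Println("stranger trusted:", Trusted(stranger.Cert, trustList)) // false, unknown signer

	req := []byte("OpenSecureChannelRequest")
	sig, _ := Sign(client, req)
	fmt.Println("request signature valid:", VerifySignature(client.Cert, req, sig))
	ct, _ := Encrypt(server.Cert, []byte("client nonce"))
	pt, _ := Decrypt(server, ct)
	fmt.Println("decrypted by server:", string(pt))
}
```

Verifying a signature only proves that the sender holds the private key for the certificate it presented; `Trusted` is the separate step that decides whether that certificate (or its issuer) is one the application has chosen to trust. Both checks are needed before a connection request is accepted.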