7.6. Certificates

OPC UA uses X.509 certificates to implement security. A certificate is a file that contains identifying information for an OPC UA server or client, such as the application name and URI, the machine name and the validity period, together with the application's public key. The matching private key is stored separately and is never sent to a peer. When an OPC UA client and server negotiate a secure connection, they exchange certificates. Each side validates the other's certificate (its signature, its validity period and whether it is trusted), and if both checks succeed a connection is made.

There are two ways that certificates can be created:

  1. Issued by a Certificate Authority (CA), an independent administrator or organization that verifies the information in the certificate is correct and signs it. Anyone who trusts the CA can then check that signature to confirm the certificate is genuine and hasn't been changed.

  2. Self-signed, where the certificate is signed with its own private key. There is no third party to vouch for it, so the administrators of the OPC UA servers or clients need to validate the contents of the certificate themselves (typically by comparing its fingerprint out of band) before trusting it.

The DataHub program provides a self-signed certificate, which gets created when the software is first installed. This one certificate is used for both the DataHub OPC UA server and OPC UA client implementations. The DataHub program also supports the ability to use a certificate from a CA, if desired.

Certificates are stored on a system in a certificate store. On Windows there is a registry-based store, the Windows Certificate Store. There is also a directory-based store, commonly called the OpenSSL Certificate Store, in which each certificate is kept as a file in a folder hierarchy; this form is available on any operating system. In addition to these, the DataHub certificate management feature maintains a private certificate store where you can keep your DataHub-related OPC UA certificates separate from other certificates on your machine.

On the initial connection between an OPC UA client and server, the server checks whether the client's certificate is already present in its certificate store. If it is not, whether the server allows the client to connect depends on how the server is configured. A DataHub instance can allow such a client to connect temporarily by flagging its certificate as "Temporary"; an administrator can subsequently change that status to "Rejected" or to "OPC UA client" (accepted), as appropriate.
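The two ways of creating a certificate and the first-contact trust decision above, as an added example driven with the openssl command-line tool. This is illustrative code, not DataHub's implementation: the directory layout of the store (trusted, issuers, rejected, temporary), the application URIs, host names and CA names, and the rule that an application-URI mismatch is reported as rejected are all assumptions made for the example.

```shell
#!/bin/sh
# Added example, not DataHub's code: a directory-based certificate store and the
# server's first-contact trust decision, driven with the openssl CLI. Store
# layout, application URIs and host names are assumptions made for this demo.
set -e
WORK=$(mktemp -d)
STORE="$WORK/store"
mkdir -p "$STORE/trusted" "$STORE/issuers" "$STORE/rejected" "$STORE/temporary"
# Minimal openssl config. An OPC UA application certificate carries its application
# URI as a URI-type subjectAltName, which the peer checks against the claimed URI.
mk_cfg() {  # $1 = application URI, $2 = host name, $3 = extra keyUsage bits or ""
cat <<EOF
[ req ]
distinguished_name = dn
[ dn ]
[ ca_ext ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[ app_ext ]
basicConstraints = critical,CA:FALSE
keyUsage = critical,digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment$3
extendedKeyUsage = serverAuth,clientAuth
subjectAltName = URI:$1,DNS:$2
EOF
}

# Way 1: self-signed. The private key stays in NAME.key; only NAME.pem (identity plus
# public key) is handed to peers. keyCertSign is added because the cert is its own issuer.
self_signed() {  # $1 = name, $2 = application URI, $3 = host name
  mk_cfg "$2" "$3" ",keyCertSign" > "$WORK/$1.cnf"
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 -config "$WORK/$1.cnf" \
    -extensions app_ext -subj "/CN=$1/O=ExampleVendor" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.pem" 2>/dev/null
}

# Way 2: issued by a CA. make_ca builds the CA; ca_issued signs a request with it.
make_ca() {  # $1 = CA name
  mk_cfg "urn:unused" "unused" "" > "$WORK/$1.cnf"    # app_ext is not used for a CA
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 -config "$WORK/$1.cnf" \
    -extensions ca_ext -subj "/CN=$1/O=ExampleVendor" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.pem" 2>/dev/null
}
ca_issued() {  # $1 = name, $2 = application URI, $3 = host name, $4 = CA name
  mk_cfg "$2" "$3" "" > "$WORK/$1.cnf"
  openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$WORK/$1.cnf" \
    -subj "/CN=$1/O=ExampleVendor" -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
  openssl x509 -req -sha256 -days 365 -in "$WORK/$1.csr" -CA "$WORK/$4.pem" \
    -CAkey "$WORK/$4.key" -set_serial 1001 -extfile "$WORK/$1.cnf" -extensions app_ext \
    -out "$WORK/$1.pem" 2>/dev/null
}
fingerprint() { openssl x509 -noout -fingerprint -sha256 -in "$1" | cut -d= -f2 | tr -d :; }

# Chain check against the store: pinned self-signed peers live in trusted/, CA
# certificates in issuers/. openssl verify also enforces the validity period.
is_trusted() {  # $1 = certificate file
  bundle="$WORK/bundle.pem"; : > "$bundle"
  for f in "$STORE/trusted"/*.pem "$STORE/issuers"/*.pem; do
    if [ -f "$f" ]; then cat "$f" >> "$bundle"; fi
  done
  if [ -s "$bundle" ] && openssl verify -CAfile "$bundle" "$1" >/dev/null 2>&1; then return 0; fi
  return 1
}
# The certificate must name the application URI the client claims. Assumption:
# a mismatch is a failed validation and is reported as rejected.
uri_matches() { openssl x509 -noout -text -in "$1" | grep -qE "URI:$2"'(,|$)'; }
# Server-side decision on a connection: prints rejected, accepted or temporary
# (the page's "Rejected", "OPC UA client" and "Temporary" states).
decide_client() {  # $1 = certificate file, $2 = application URI claimed by the client
  fp=$(fingerprint "$1")
  if [ -f "$STORE/rejected/$fp.pem" ]; then echo rejected; return 0; fi
  if ! uri_matches "$1" "$2"; then echo rejected; return 0; fi
  if is_trusted "$1"; then echo accepted; return 0; fi
  cp "$1" "$STORE/temporary/$fp.pem"    # park it until an administrator decides
  echo temporary
}
# Administrator actions on a parked certificate.
accept_client() { mv "$STORE/temporary/$(fingerprint "$1").pem" "$STORE/trusted/"; }
reject_client() { mv "$STORE/temporary/$(fingerprint "$1").pem" "$STORE/rejected/"; }

# Scenario (all names constructed for this example).
CLIENT_URI="urn:client-host:ExampleVendor:OpcUaClient"
self_signed client-self "$CLIENT_URI" client-host
make_ca ExampleVendorCA
cp "$WORK/ExampleVendorCA.pem" "$STORE/issuers/"    # the server trusts this CA
ca_issued client-ca "$CLIENT_URI" client-host ExampleVendorCA
make_ca OtherCA                                     # a CA the server does not know
ca_issued stranger "urn:stranger:OpcUaClient" stranger OtherCA
R_FIRST=$(decide_client "$WORK/client-self.pem" "$CLIENT_URI")
accept_client "$WORK/client-self.pem"
R_ACCEPTED=$(decide_client "$WORK/client-self.pem" "$CLIENT_URI")
R_CA=$(decide_client "$WORK/client-ca.pem" "$CLIENT_URI")
R_STRANGER=$(decide_client "$WORK/stranger.pem" "urn:stranger:OpcUaClient")
reject_client "$WORK/stranger.pem"
R_REJECTED=$(decide_client "$WORK/stranger.pem" "urn:stranger:OpcUaClient")
R_BAD_URI=$(decide_client "$WORK/client-ca.pem" "urn:someone-else")
echo "self-signed: $R_FIRST then $R_ACCEPTED; CA-issued: $R_CA; unknown CA: $R_STRANGER then $R_REJECTED; wrong URI: $R_BAD_URI"
```

The scenario shows the practical difference between the two ways of creating a certificate: the self-signed client lands in the temporary folder on first contact and is only accepted after an administrator moves it to trusted, whereas the client whose certificate was issued by a CA already present in issuers is accepted immediately, and a client from an unknown CA is handled exactly like a self-signed one.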