OPC UA Client Driver

Not counted towards your tag license limit.

UA stands for "Unified Architecture". The OPC UA Client driver interfaces to an OPC UA server running on either the local or another computer.

OPC UA is an alternative communication protocol to OPC CLASSIC, which used DCOM for communication between a client and a server. VTScada still supports the existing OPC CLASSIC driver.

Unlike OPC CLASSIC, OPC UA, does not rely on third-party "OPC-tunnellers" to act as proxies between the client and server. An OPC UA server may run on a remote computer or be embedded in a smart device and can run on a variety of operating systems. Because there are a limited number of OPC UA products, a tunneller can be used to connect OPC UA clients to an OPC CLASSIC server.


If both client and server are using OPC UA, the only additional configuration necessary is to ensure that firewalls allow the correct ports to be opened and that trust is established between the server and client. The port(s) in use are defined by the OPC UA server.

The configuration option, "Allow unsecured connections", permits the driver to use a connection endpoint with a security policy of #None where no messages are signed or encrypted (integrity and confidentiality).
But a trusted certificate is required at both ends to verify identity. VTScada ALWAYS requires a trusted server certificate.

Unlike many other drivers, the OPC UA Client Driver does not use a Port tag to communicate with its device (OPC UA server). Due to the nature of the binary protocol, the OPC UA Client Driver has port handling built-in.

If VTScada and the UA server are out of time synchronization by more than 5 minutes, the connection will not be made. The driver will return a 520 error, indicating a large time differential.

Do not proceed with OPC UA Client Driver configuration until you have read the related information in the topic, OPC UA Support & Security

The OPC UA Client Driver Statistics Dialog widget provides an "Endpoints" button, which when pressed, will display the list of OPC UA Server Endpoint information that is retrieved by the driver and held internally. This information may be helpful when trying to determine which endpoint to use when connecting to your server.

Certificate Grids and Controls

Several tabs in the OPC UA Client Driver configuration include a certificate grid. It is important that you understand this tool before proceeding with configuration of the client driver. In particular, take time to review the information in the topic Certificate Name Description.


A certificate grid displays the collection of certificates in a certificate store (which store depends on which grid is displayed) and a set of action buttons.

Certificate Name

The leftmost grid column shows the "Friendly Name" of the certificate, if it has one, and the "Common Name" of the certificate if it does not. Details follow in Certificate Name Description.

Issuer Name

Shows the issuer of the certificate. Self-signed certificates often have the same name as the certificate Common Name, while certificates issued by a Certificate Authority (whether in-house or external) bear the issuer’s name.


Indicates whether the certificate is valid for the purpose intended. This means slightly different things on different grids.

On the Connection tab or Client Certificate tab, a certificate is considered valid if it still within its validity period. Certificates in the same certificate store that are inappropriate for use are not displayed. Although a certificate might not be marked as valid, it may still be allowed for use by the server or client.

Note that on the Server Certificate tab, the Valid column means that the certificate is within its validity period and the name on the certificate matches the name of the server supplied on the Connection tab Endpoint URL field. This helps you spot if the server responding to the configured Endpoint URL holds a valid certificate for that server.


The rightmost column displays the SHA-1 "thumbprint" of the certificate. This is the same thumbprint as is shown in the Windows’ certificate dialog displayed by double-clicking a certificate file. This allows identification of certificates that may appear similar in the certificate grid.

Control buttons

Create New Button

The "Create New" button will generate a self-signed certificate and place it in the store being displayed on the certificate grid. Self-signed certificates won't be trusted by other hosts unless the certificate is manually "trusted", which is typically done using the UA server configuration tools.

Click this button to display the following dialog, the content of which will be incorporated in the new certificate.

Certificate Name Description

The certificate name is the "Friendly Name" of the certificate. After a certificate is created, the Common Name (CN) cannot be changed, but the Friendly Name can using the Microsoft Management Console (MMC).

The Friendly Name is what the OPC UA Client Driver holds as a parameter to its tag and therefore, is propagated across computers participating in the distributed application.

Consider the case of a pair of I/O servers (primary and backup). Normally, the primary will connect to the OPC UA server and retrieve data. To do this (assuming the driver is not running in unsecured mode) it needs to provide a Client Certificate to the server. It uses its "ClientCertificateName" tag parameter to find the certificate it should supply. As the backup I/O server contains an exact copy of the tag, it too has the same tag parameter and will therefore look for a certificate of that name in its certificate store.

There is no issue if you use the same certificate (and private key) on both I/O servers (a wildcard certificate). However, you can use different certificates so long as they have the same Friendly Name, as this is the key used by the OPC UA Client Driver to locate its transport certificate. The OPC UA server must trust both client certificates.

For this reason, for the Client Certificate (transport certificate), the Certificate Name field is only enabled if the OPC UA Client Driver does not have any value in its ClientCertificateName parameter. This happens only when you first generate a self-signed certificate for this tag. From that point onwards, generating a new self-signed client transport certificate via this dialog will have the tag parameter value displayed in the Certificate Name field and will not be modifiable.

You will also have to trust the backup client certificate on the OPC UA server and trust the server certificate on the VTScada client / backup server.

Certificate Subject

The certificate subject should be modified. It is the Distinguished Name of the certificate and defaults to "CN=<driver name>", setting the Common Name to the name of the driver tag.

Change the certificate subject to the fully qualified domain name (FQDN) of the local machine, which should be the name to which the server resolves the connection.

Key Strength

This allows you to set the key strength (number of bits) in the asymmetric key pair that will be generated for this certificate. Currently, the dialog only permits RSA keys (that is all the current OPC UA servers support) of key strengths between 2048 and 4096 bits.

The client and server certificates can have different key strengths.

VTScada will only generate RSA public/private key pairs that are classed as acceptable by:


This mandates at least "112 bits of security", which means an RSA key length of at least 2048 bits.

Referring to Table 4 within the following document, this is sufficient up to the year 2030.



The key validity period can be set to be between 30 and 36500 days (approximately one month to 10 years).

When a certificate expires, any entity receiving that certificate should decline it. A shorter validity period may seem inconvenient, but this reduces the length of time that a compromised or stolen certificate remains undetected.

Subject Alternative Names (SAN)

Supply any DNS (Domain Name Service) names that the client computer may be known by. These will be incorporated into the certificate extended properties Subject Alternative Name field as DNS entries. Enter only the DNS values, excluding prefixes. For example, entering "host.example.com" will result in a SAN entry of "DNS Name=host.example.com".

The certificate will also have an automatically-created URL and a DNS entry. The URL is composed from the application GUID and is unique to this application. The DNS entry contains the host name of the workstation on which you are creating this certificate. (Not the fully qualified domain name, FQDN.)

Some OPC UA servers may require that one of the DNS names provided can be matched to a white list, therefore this field gives you an opportunity to provide whatever DNS name is required. The FQDN, as provided in the Certificate Subject, should be included.

Enter each Subject Alternative Name (DNS) on a separate line.

Use Selected button

Enabled only when there are two ore more certificates to choose from.

Import Button

Use to import a certificate and private key from a Personal Information Exchange format file (.PFX or .P12). This file format is commonly used to securely transport certificates and private keys between computers.

The Microsoft Management Console’s Certificate Management snap-in is one way to export certificates and their private key to such files.

On clicking the button, the following dialog is displayed, which allows you to select the file and supply the password associated with the private key (which is encrypted within the file).

Remove Button

Removes the currently selected certificate (and its private key) from the grid and the associated certificate store.

After removal, a certificate can be restored only if you have a backup of that certificate in a suitable format (e.g. a .PFX or .P12 file). Confirmation is required before the certificate is deleted.

Server List

Select (or create) a named server list. (Driver Server Lists) Servers for the list must be defined using the Application Configuration dialog, as described in Servers for Specific Services. Smaller sites that do not have multiple servers, or that use only the default server list, need not configure this field.

OPC UA Client Driver properties Connection tab

Use this tab to supply the address of the server.


Endpoint URL

The address of a server using the OPC UA binary encoding is known as an Endpoint URL and is expressed as:


(see: Server Addressing in the topic, OPC UA Addressing)

Allow unsecured connections

The check box to allow unsecured connections should be selected only when the security of the connection is otherwise guaranteed by external means such as a VPN between the VTScada system and the OPC UA server.

The configuration option, "Allow unsecured connections", permits the driver to use a connection endpoint with a security policy of #None where no messages are signed or encrypted (integrity and confidentiality).
But a trusted certificate is required at both ends to verify identity. VTScada ALWAYS requires a trusted server certificate.


Check this to have I/O tags attached to the driver hold their last value in the event of a communication failure. If not checked, tags will have their value set to invalid on a communication failure.


OPC UA Client Driver properties Authentication tab

Refer to OPC UA Support & Security for more detail on required security configuration.


Fields within this tab are enabled according to your selection of authentication method:


When authentication is set to Anonymous, no other fields are enabled.


Username and Password fields are enabled.


Control buttons and certificate grid are enabled.


A certificate grid displays the collection of certificates in a certificate store (which store depends on which grid is displayed) and a set of action buttons. Because a certificate grid appears on more than one tab, it is described at the beginning of this topic rather than within the tab description.


OPC UA Client Driver properties Client Certificate tab

Refer to OPC UA Support & Security for more detail on required security configuration.


Contains a certificate grid and associated buttons, similar to that in the Authentication tab. (See: Certificate Grids and Controls)

Use this to choose the certificate that the OPC UA Client Driver will supply to the server for transport security. It displays only valid certificates of the appropriate extended key usage type (that is, suitable for client authentication) that are in the current user’s Trihedral OPC UA Client certificate store. That certificate store is created by the OPC UA Driver for this purpose.


OPC UA Client Driver properties Server Certificate tab

Refer to OPC UA Support & Security for more detail on required security configuration.


This tab holds a pair of certificate grids showing trusted and untrusted server-supplied transport security certificates, if any. (See: Certificate Grids and Controls) The certificates displayed are those in the current user’s Trihedral OPC UA Trusted and Trihedral OPC UA Untrusted certificate stores.

The server provides its certificate during establishment of a connection with the client. The OPC UA Client Driver will only allow the connection to be established if the certificate is trusted.

If the server’s certificate is derived from a trusted certificate authority (in other words, there is a complete chain of trust from the server’s certificate through any intermediate certificates to the trusted certificate authority’s certificate), the certificate will be automatically trusted and not placed in either of these stores.

If the server certificate is not trusted by virtue of such a chain of trust and is not in the Trihedral OPC UA Trusted certificate store, it is automatically placed in the Trihedral OPC UA Untrusted store and appears in this tab’s Untrusted Certificates grid. From there you can elect to trust that certificate, using the Add Trust button. This will remove the certificate from the Untrusted Certificates and place it in the Trusted Certificates grid (and corresponding store).

If the OPC UA Client Driver trusts the server’s transport certificate, via either of the above two methods, then the OPC UA Client Driver will allow a connection to the server to be established.

OPC UA Client Driver properties Diagnostics tab

On startup, the OPC UA Client Driver reads certain status and other information from the server. This tab displays the most recent information and provides a button to allow the data to be refreshed. The data is only available when there is a good connection to the server.

There is also a check box that allows an unsecured, unencrypted transport connection to be made to the server (if the server permits such a connection) for debugging purposes. The state of the check box always reverts to unchecked when the driver is reloaded (typically on restart of the application). After selecting or deselecting the check box, use the Restart Driver button to cause the OPC UA Client Driver to disconnect and reconnect to the server, thereby switching between secure and unsecured communication.