Managing Matrikon UA Explorer Certificates

Created by Luis R. Aldoma, Modified on Thu, 16 Mar, 2023 at 7:55 AM by Luis R. Aldoma

As with every OPC UA link, Matrikon UA Explorer relies on a certificate exchange between server and client. This is because OPC UA goes through an SSL socket, and this certificate exchange is what allows the SSL protocol to establish the socket for the data exchange.


The way this works is:

  • The client sends a request to the server for a secure session. The server responds by sending its X.509 digital certificate to the client.
  • The client receives the server's X.509 digital certificate.
  • The client authenticates the server, using a list of known certificate authorities.
  • The client generates a random symmetric key and encrypts it using the server's public key.
  • The client and server now both know the symmetric key and can use the SSL encryption process to encrypt and decrypt the information contained in the client request and the server response.

In order to access the received certificate, servers and clients need to know where it is stored. Sometimes having the certificate in the Windows certificate store is not enough, because the software will look for the certificate in its own defined folder.


There are two relevant folders in this case: the "Trusted" certificates folder, where the software saves the certificates from the computers it knows and trusts, and the "Rejected" certificates folder, where ALL received certificates are stored on arrival until someone (the user) authorizes their use (when the exchange is automated). In cases where the server admin gives us the certificate to install manually on our computer, we need to save it in the "Trusted" folder.


In the specific case of MatrikonOPC UA Explorer, there is an automated certificate exchange between server and client, so we need to move the arriving certificate manually from the "Rejected" folder to the "Trusted" folder.


The folders are located in:


C:\Users\Administrator\AppData\Local\Matrikon\OPCUAExplorer\pki\DefaultApplicationGroup\rejected\certs
C:\Users\Administrator\AppData\Local\Matrikon\OPCUAExplorer\pki\DefaultApplicationGroup\trusted\certs
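
An added PowerShell example, not part of the original article or Matrikon's tooling: it lists the certificates waiting in the rejected folder and moves one to the trusted folder only when its thumbprint matches the value confirmed with the server administrator. The function names are hypothetical, and it assumes Explorer runs under the current user's profile rather than the Administrator path shown above.

```powershell
# Added example. Assumes the pki folder layout shown in this article and that
# Explorer runs as the current user (LOCALAPPDATA); adjust $PkiRoot otherwise.
$PkiRoot  = Join-Path $env:LOCALAPPDATA 'Matrikon\OPCUAExplorer\pki\DefaultApplicationGroup'
$Rejected = Join-Path $PkiRoot 'rejected\certs'
$Trusted  = Join-Path $PkiRoot 'trusted\certs'

function Get-RejectedCertificate {
    # List every certificate waiting in the rejected folder with the fields
    # needed to decide whether it really belongs to the expected server.
    Get-ChildItem -Path $Rejected -File | ForEach-Object {
        $file = $_
        try {
            $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($file.FullName)
            [pscustomobject]@{
                File       = $file.FullName
                Subject    = $cert.Subject
                Issuer     = $cert.Issuer
                Thumbprint = $cert.Thumbprint      # SHA-1, uppercase hex
                NotBefore  = $cert.NotBefore
                NotAfter   = $cert.NotAfter
            }
        } catch {
            Write-Warning "Not a readable certificate: $($file.FullName)"
        }
    }
}

function Approve-RejectedCertificate {
    # Move a certificate to the trusted folder only if its thumbprint matches
    # the value the server administrator gave you through another channel.
    param([Parameter(Mandatory)][string]$ExpectedThumbprint)

    $wanted = ($ExpectedThumbprint -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
    $match  = @(Get-RejectedCertificate | Where-Object { $_.Thumbprint -eq $wanted })
    if ($match.Count -ne 1) {
        throw "Expected exactly one certificate with thumbprint $wanted, found $($match.Count)."
    }
    $now = Get-Date
    if ($now -lt $match[0].NotBefore -or $now -gt $match[0].NotAfter) {
        throw "Certificate $wanted is outside its validity period; not trusting it."
    }
    Move-Item -Path $match[0].File -Destination $Trusted
    $match[0]
}

# Review what arrived, then approve one certificate by its verified thumbprint.
Get-RejectedCertificate | Format-List
# Approve-RejectedCertificate -ExpectedThumbprint '<thumbprint from the server admin>'
```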


Remember that you need to do the same on the server side, because the OPC UA server will need to trust the client: sometimes during the data transfer, the communication will be started from the server side to the client side and the socket will need to be established. Every server has its own way to accept and store the certificate; in some cases, manually importing the client certificate and registering it in the Windows certificate store will do the trick.

