Communication
- Last Updated: Mar 30, 2026
OPC UA Communication Overview
A mutual trust relationship must be configured to communicate between the PI OPC UA Server and the Client using certificates. Both trust procedures below (Trust a client certificate and Trust a server certificate) must be completed to enable successful communication.
When communicating with a client, the PI OPC UA Server supports the message security mode Sign & Encrypt available with security profile Basic256Sha256.
If Allow Anonymous Authentication and Allow Security Policy None are enabled (see Configure the AVEVA PI OPC UA Server), anonymous access without any security will be enabled (this is not recommended in a production environment).
Trust a client certificate by the PI OPC UA Server
To use TLS/SSL, you must use a client certificate, and it must be configured to be trusted by the PI OPC UA Server. See Trust a client certificate.
Trust a server certificate at the client
To communicate between the OPC UA client and the PI OPC UA Server, both the client and server-side certificates must be mutually trusted. Trust for the client certificate is accomplished at the client. Follow the client's documentation for instructions.
Using a custom server certificate
By default the PI OPC UA Server uses a generated, self-signed certificate to secure TLS/SSL socket communication. To use your own certificate instead, use the following procedure:
- The certificate must be installed in the Local Machine \ Personal Windows certificate store
- The certificate's Subject Alternative Name must contain a URL which is consistent with the application’s URI, that is, urn:<machine-name>
- The certificate private key must be exportable and the server application must have read permission to the private key (configured in private key ACLs of the certificate)
- Update the settings in the Advanced Settings window: the certificate's thumbprint must be copied to the Server Certificate Thumbprint setting in the Advanced table shown in AVEVA PI OPC UA Server configuration.
- If the certificate is chained, the root of the issuer chain must be in Local Machine \ Trusted Root Certification Authorities store.
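The requirements above can be checked before the thumbprint is entered in the server configuration. The following PowerShell script is an added example, not AVEVA code; the parameter names and the `$ServiceAccount` value (the identity the server runs as) are assumptions, and it handles RSA keys and permissions granted directly to that account only.

```powershell
# Added example (not vendor code): pre-flight check of a candidate server certificate.
param(
    [Parameter(Mandatory)] [string] $Thumbprint,     # thumbprint of the candidate certificate
    [Parameter(Mandatory)] [string] $ServiceAccount  # assumption: identity the server runs as, DOMAIN\name form
)
$cert = Get-Item -Path "Cert:\LocalMachine\My\$Thumbprint" -ErrorAction Stop  # Local Machine \ Personal

# Subject Alternative Name (OID 2.5.29.17) must contain urn:<machine-name>.
$san     = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
$sanText = if ($san) { $san.Format($false) } else { '' }
$sanOk   = $sanText -match [regex]::Escape("urn:$env:COMPUTERNAME")

# CNG and legacy CSP keys expose the export policy and the key file name differently.
$exportable = $false; $keyFile = $null
if ($cert.HasPrivateKey) {
    $key = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
    if ($key -is [System.Security.Cryptography.RSACng]) {
        $exportable = $key.Key.ExportPolicy.HasFlag([System.Security.Cryptography.CngExportPolicies]::AllowExport)
        $keyFile = Join-Path $env:ProgramData "Microsoft\Crypto\Keys\$($key.Key.UniqueName)"
    } elseif ($key -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
        $exportable = $key.CspKeyContainerInfo.Exportable
        $keyFile = Join-Path $env:ProgramData "Microsoft\Crypto\RSA\MachineKeys\$($key.CspKeyContainerInfo.UniqueKeyContainerName)"
    }
}

# Private key ACL: look for an Allow rule giving the service account Read.
# Access inherited through group membership is not resolved here.
$aclOk = $false
if ($keyFile -and (Test-Path -LiteralPath $keyFile)) {
    $read  = [System.Security.AccessControl.FileSystemRights]::Read
    $aclOk = [bool]((Get-Acl -LiteralPath $keyFile).Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and $_.IdentityReference.Value -eq $ServiceAccount -and
        $_.FileSystemRights.HasFlag($read) })
}

# Chained certificate: the last chain element must be in Trusted Root Certification Authorities.
$rootOk = $true
if ($cert.Subject -ne $cert.Issuer) {
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'   # only the chain's shape matters here
    $null   = $chain.Build($cert)
    $root   = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
    $rootOk = Test-Path "Cert:\LocalMachine\Root\$($root.Thumbprint)"
}

[pscustomobject]@{
    Thumbprint = $cert.Thumbprint; SanHasMachineUrn = $sanOk; HasPrivateKey = $cert.HasPrivateKey
    KeyExportable = $exportable; ServiceCanReadKey = $aclOk; RootInTrustedRoot = $rootOk
}
```

Run it from an elevated session on the server machine; the `Thumbprint` value in the output is the one to copy into the Server Certificate Thumbprint setting once every check reports `True`.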