Creating OPC UA Clients with security support
One of the core features of OPC UA is its support for security: the protocol is cryptographically signed and encrypted, and it provides user authentication and authorization.
To make this work, each application instance (installation of a program) needs its own Application Instance Certificate and the corresponding private key.
Applications can either generate self-signed certificates on their own (see Qt OPC UA X509 Support), obtain them from a certificate authority using OPC UA GDS, or simply be configured with certificates that have been created manually by the user.
Configuring the UA Application
To enable the client to use secure connections, it is important to
- Configure the correct Application Identity

      m_identity = m_pkiConfig.applicationIdentity();

- Configure the PKI locations so that the SDK can find the certificate, private key, trust list etc.
See, for example, the code from the Qt OPC UA Viewer Example:
void MainWindow::setupPkiConfiguration()
{
    // Writable per-user location; the pre-configured PKI tree is copied here on first start.
    const QDir pkidir = QDir(QStandardPaths::writableLocation(QStandardPaths::AppLocalDataLocation) + "/pki");

    if (!pkidir.exists() && !copyDirRecursively(":/pki", pkidir.path()))
        qFatal("Could not set up directory %s!", qUtf8Printable(pkidir.path()));

    // Own certificate and private key
    m_pkiConfig.setClientCertificateFile(pkidir.absoluteFilePath("own/certs/opcuaviewer.der"));
    m_pkiConfig.setPrivateKeyFile(pkidir.absoluteFilePath("own/private/opcuaviewer.pem"));
    // Trusted peer certificates and their revocation lists
    m_pkiConfig.setTrustListDirectory(pkidir.absoluteFilePath("trusted/certs"));
    m_pkiConfig.setRevocationListDirectory(pkidir.absoluteFilePath("trusted/crl"));
    // Issuer (CA) certificates and their revocation lists
    m_pkiConfig.setIssuerListDirectory(pkidir.absoluteFilePath("issuers/certs"));
    m_pkiConfig.setIssuerRevocationListDirectory(pkidir.absoluteFilePath("issuers/crl"));

    const QStringList toCreate = { m_pkiConfig.issuerListDirectory(), m_pkiConfig.issuerRevocationListDirectory() };
    for (const QString &dir : toCreate) {
        if (!QDir().mkpath(dir))
            qFatal("Could not create directory %s!", qUtf8Printable(dir));
    }
}

In the example, we extract pre-configured own and trusted certificates from the Qt resource system to a writable location in the file system. The remaining directories for the issuer (revocation) lists are created explicitly.
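As an added example (not code from the Qt documentation or the Viewer example), the following portable C++17 program checks the same PKI directory layout: it creates every missing subdirectory, generalizing the mkpath() loop to the whole tree, and verifies that the private key file is readable only by its owner. The temporary directory and the placeholder key file are constructed for the demo; a real client would point it at the AppLocalDataLocation/pki tree.

```cpp
// Added example (not Qt's code): checks the PKI layout used above.
#include <filesystem>
#include <fstream>
#include <iostream>
#include <string>
#include <vector>
namespace fs = std::filesystem;

// Subdirectories setupPkiConfiguration() expects below <pki>.
static const std::vector<std::string> kPkiSubdirs = {"own/certs", "own/private",
    "trusted/certs", "trusted/crl", "issuers/certs", "issuers/crl"};

// Creates every missing subdirectory (the mkpath() loop above, extended to
// the whole layout) and returns how many had to be created.
int ensurePkiLayout(const fs::path &pkidir) {
    int created = 0;
    for (const auto &sub : kPkiSubdirs) {
        const fs::path dir = pkidir / sub;
        if (!fs::is_directory(dir)) {
            fs::create_directories(dir);
            ++created;
        }
    }
    return created;
}

// True if no group/other permission bit is set. The private key proves the
// Application Instance identity, so only its owner should be able to read it.
bool privateKeyIsOwnerOnly(const fs::path &keyFile) {
    const fs::perms p = fs::status(keyFile).permissions();
    const fs::perms shared = fs::perms::group_all | fs::perms::others_all;
    return (p & shared) == fs::perms::none;
}

// Reduces the key file to owner read/write (0600).
void restrictPrivateKey(const fs::path &keyFile) {
    fs::permissions(keyFile, fs::perms::owner_read | fs::perms::owner_write,
                    fs::perm_options::replace);
}

int main() {
    // Constructed demo in a temp dir; a real client uses AppLocalDataLocation/pki.
    const fs::path pki = fs::temp_directory_path() / "opcua-pki-example";
    std::cout << ensurePkiLayout(pki) << " directories created\n";
    const fs::path key = pki / "own/private/opcuaviewer.pem";
    std::ofstream(key) << "placeholder, not a real key\n"; // constructed file
    if (!privateKeyIsOwnerOnly(key)) restrictPrivateKey(key);
    std::cout << "key owner-only: " << privateKeyIsOwnerOnly(key) << "\n";
}
```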
First connection
When connecting for the first time, the client needs to trust the server certificate.
The client should display a certificate warning (with cert details) and offer the possibility to save the certificate in its trust list. For an example, see Qt OPC UA Viewer Example.
When the client has accepted the server certificate, you can try to connect again. Now the server may reject the client's certificate; this is indicated by the generic error code BadSecurityChecksFailed. Servers normally store rejected certificates in a special rejected folder, from which an administrator can move them into the trust list to trust the client. This avoids manually copying the client certificate to the server machine.
As soon as the server has trusted the client, you should be able to connect with security.
© 2026 The Qt Company Ltd. Documentation contributions included herein are the copyrights of their respective owners. The documentation provided herein is licensed under the terms of the GNU Free Documentation License version 1.3 as published by the Free Software Foundation. Qt and respective logos are trademarks of The Qt Company Ltd. in Finland and/or other countries worldwide. All other trademarks are property of their respective owners.