# Client Certificates

Security certificates are used to verify the authenticity of an OPC UA client (on the server side) and of an OPC UA server (on the client side), and to encrypt traffic. To establish a secure connection between an OPC UA client and an OPC UA server, each side must add the other's security certificate to its repository as "trusted". Monokot Server has a dedicated repository for working with client security certificates; it allows you to import, reject or confirm client security certificates.

When an OPC UA client tries to establish a secure connection to the OPC UA server, its security certificate is automatically placed in the repository as “rejected” unless it was previously added as “trusted”.

The default UA TCP endpoint security certificate is a self-signed certificate created when the server was first started. See the section on the default server security certificate to learn more.

### How to: Add a security certificate to the security certificates repository as "trusted" using Monokot Server Administrator <a href="#h.m8tuj2ghfc9l" id="h.m8tuj2ghfc9l"></a>

To add an OPC UA security certificate to the repository as "trusted", double-click on *OPC UA* in the *Server Explorer* pane and go to the *Client Certificates* tab.

![](/files/60yoTaRGkhwkd21SHxMn)

### If you have the client security certificate of OPC UA client on your computer: <a href="#h.gvt4okbhmmfa" id="h.gvt4okbhmmfa"></a>

Click on the *Import* button and select one or more certificates. The certificates will appear on the client as “trusted”. Click on the *Sync* button to transfer the added security certificates to the server. Now the OPC UA client can connect to the OPC UA server via a secure connection.

### If you do not have the OPC UA client security certificate on your computer: <a href="#h.rezj1af7jmx2" id="h.rezj1af7jmx2"></a>

Connect the OPC UA client to the OPC UA server via a secure connection. The connection is not established and the client returns the error **BadCertificateUntrusted** or **BadSecurityChecksFailed**. The OPC UA client security certificate is automatically added to the server repository as "rejected". Click on the *Sync* button; the “rejected” certificate will appear in the table of certificates.

![](/files/ZrheuRVa4kEUSY1eEfHe)

Select the certificate, click on the *Trust* button and then click on the *Sync* button to trust the security certificate on the server. Now the OPC UA client can connect to the OPC UA server via a secure connection.

The parameter **Client Certificate Validation Mode** specifies the client security certificate validation mode and has the following values:

* Accept Any (no validation)
* Verify by Operating System (the most rigorous way of certificate validation; builds a trusted certificate chain using the operating system certificate store with validation of domain name, certificate expiration date, etc.)
* Trusted Certificates List (successfully validated if the certificate is in the certificate list and is trusted)
* Trusted CA’s List (successfully validated if it is possible to build a trust chain to any of the trusted certificates on the list)

Note that if you select the Accept Any or Verify by Operating System mode, the client security certificate will not be added to the certificate list when the client tries to establish a secure connection. If the Trusted Certificates List or Trusted CA's List mode is selected, automatic addition of a client certificate is regulated by the **Automatically add a client certificate as "untrusted"** parameter.

![](/files/XeOykrJxx029UnnF1JPx)
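As an added illustration (not Monokot Server code), the following Python models the decision the Accept Any, Trusted Certificates List and Trusted CA’s List settings make for an incoming client certificate, together with the automatic "rejected" placement described above. The Verify by Operating System mode is left out because it depends on the host certificate store, and `Cert`, `CertStore`, the thumbprint values and the status strings are constructed assumptions.

```python
"""Simplified model of the Client Certificate Validation Mode decision.

Hypothetical model written for this page (not Monokot Server code):
certificates are plain records, chain building follows issuer names
through a supplied dict of CA certificates, and the OS-store mode is
not modelled because it depends on the host's certificate store.
"""
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Cert:
    thumbprint: str   # constructed identifier, stands in for the DER hash
    subject: str
    issuer: str       # equal to subject for a self-signed certificate

@dataclass
class CertStore:
    trusted: dict = field(default_factory=dict)    # thumbprint -> Cert
    rejected: dict = field(default_factory=dict)   # thumbprint -> Cert

def chain_to_trusted(cert, store, issuers, max_depth=5):
    """Trusted CA's List: walk issuer links until a trusted cert is reached."""
    current = cert
    for _ in range(max_depth):
        if current.thumbprint in store.trusted:
            return True
        if current.issuer == current.subject:   # self-signed root, not trusted
            return False
        current = issuers.get(current.issuer)
        if current is None:                     # unknown issuer: chain breaks
            return False
    return False                                # chain too long

def validate_client_cert(cert, mode, store, issuers=None, auto_add_rejected=True):
    """Return the OPC UA status the client would see for the given mode."""
    issuers = issuers or {}
    if mode == "Accept Any":
        return "Good"                           # no validation at all
    if mode == "Trusted Certificates List":
        ok = cert.thumbprint in store.trusted
    elif mode == "Trusted CA's List":
        ok = chain_to_trusted(cert, store, issuers)
    else:
        raise ValueError(f"unsupported mode: {mode}")
    if ok:
        return "Good"
    # Only the two list-based modes place the certificate in the repository
    # as "rejected", and only when the automatic-add parameter is enabled.
    if auto_add_rejected and cert.thumbprint not in store.rejected:
        store.rejected[cert.thumbprint] = cert
    return "BadCertificateUntrusted"

def trust(store, thumbprint):
    """The "Trust" button: move a rejected certificate to the trusted list."""
    store.trusted[thumbprint] = store.rejected.pop(thumbprint)
```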
