In systems with multiple Serversand Clientsthe installation of Public Keysin TrustListscan very quickly become cumbersome. In these instances, the use of a company specific CA can greatly simplify the installation/configuration issues. The CA can also provide additional benefits such as management of Certificateexpiration and Certificate Revocation Lists(CRL). Figure 10provides an illustration of this activity.

image013.png

Figure 10– CA Certificate handling

The administrator will need to generate a CA signed ApplicationInstanceCertificatefor all Clientsand Serversthat are installed in a system, but he will only need to install the CA Public Keyon all machines. When a Certificateexpires and is replaced, the administrator will only need to replace the expired Certificate (Public Keysand Private Keys),there will be no need to copy a Public Keyto any locations.

The company specific CA allows the company to control the issuing of Certificates. The use of a commercial CA (such as VeriSign) would not be recommended in most cases. An OPC UA Application typically is configured to trust only the other applications determined by the Company as trusted. If all Certificatesissued by a commercial CA were to be trusted then the commercial CA would be controlling which applications are to be trusted, not the company.

Certificatemanagement needs to be addressed by all application developers. Some applications may make use of Certificatemanagement that is provided as part of a system wide infrastructure, others will generate self-signed Certificatesas part of an installation. See OPC 10000-12for additional details on system wide infrastructures for Certificatemanagement.