Applications shall never communicate with another application that they do not trust. An Application decides if another application is trusted by checking whether the Application Instance Certificate for the other application is trusted. A Certificate is only trusted if its chain can be validated.

Applications shall rely on lists of Certificates provided by the Administrator to determine trust. There are two separate lists: a list of trusted Certificates and a list of issuer Certificates (i.e. CAs). The list of trusted Certificates may contain a Certificate issued to another Application or it may be a Certificate belonging to a CA. The list of issuer Certificates contains CA Certificates needed for chain validation that are not in the list of trusted Certificates.

When building a chain, each Certificate in the chain shall be validated back to a CA with a self-signed Certificate (a.k.a. a root CA). If any validation error occurs then the trust check fails. Some validation errors are non-critical, which means they can be suppressed by a user of an Application with the appropriate privileges. Suppressed validation errors are always reported via auditing (i.e. an appropriate Audit event is raised).

Determining trust requires access to all Certificates in the chain. These Certificates may be stored locally or they may be provided with the application Certificate. Processing fails with Bad_SecurityChecksFailed if an element in the chain cannot be found. A Certificate is trusted if the Certificate or at least one of the Certificates in the chain is in the list of trusted Certificates for the Application and the chain is valid.

Table 106 specifies the steps used to validate a Certificate in the order that they shall be followed. These steps are repeated for each Certificate in the chain. Each validation step has a unique error status and audit event type that shall be reported if the check fails. The audit event is in addition to any audit event that was generated for the particular Service that was invoked. The Service audit event shall include in its message text the audit EventId of the AuditCertificateEventType (for more details, see 6.5). Processing halts if an error occurs, unless it is non-critical and it has been suppressed.

ApplicationInstanceCertificates shall not be used in a Client or Server until they have been evaluated and marked as trusted. This can happen automatically by a PKI trust chain or in an offline manner where the Certificate is marked as trusted by an administrator after evaluation.

Table 106 – Certificate validation steps

| Step | Error/Audit Event | Description |
|---|---|---|
| Certificate Structure | Bad_CertificateInvalid, Bad_SecurityChecksFailed; AuditCertificateInvalidEventType | The Certificate structure is verified. This error may not be suppressed. If this check fails on the Server side, the error Bad_SecurityChecksFailed shall be reported back to the Client. |
| Build Certificate Chain | Bad_CertificateChainIncomplete, Bad_SecurityChecksFailed; AuditCertificateInvalidEventType | The trust chain for the Certificate is created. An error during the chain creation may not be suppressed. If this check fails on the Server side, the error Bad_SecurityChecksFailed shall be reported back to the Client. |
| Signature | Bad_CertificateInvalid, Bad_SecurityChecksFailed; AuditCertificateInvalidEventType | A Certificate with an invalid signature shall always be rejected. A Certificate signature is invalid if the Issuer Certificate is unknown. A self-signed Certificate is its own issuer. If this check fails on the Server side, the error Bad_SecurityChecksFailed shall be reported back to the Client. |
| Security Policy Check | Bad_CertificatePolicyCheckFailed, Bad_SecurityChecksFailed; AuditCertificateInvalidEventType | A Certificate signature shall comply with the CertificateSignatureAlgorithm, MinAsymmetricKeyLength and MaxAsymmetricKeyLength requirements for the used SecurityPolicy defined in OPC 10000-7. If this check fails on the Server side, the error Bad_SecurityChecksFailed shall be reported back to the Client. This error may be suppressed. |
| Trust List Check | Bad_CertificateUntrusted, Bad_SecurityChecksFailed; AuditCertificateUntrustedEventType | If the Application Instance Certificate is not trusted and none of the CA Certificates in the chain is trusted, the result of the Certificate validation shall be Bad_CertificateUntrusted. If this check fails on the Server side, the error Bad_SecurityChecksFailed shall be reported back to the Client. |
| Validity Period | Bad_CertificateTimeInvalid, Bad_CertificateIssuerTimeInvalid; AuditCertificateExpiredEventType | The current time shall be after the start of the validity period and before the end. This error may be suppressed. |
| Host Name | Bad_CertificateHostNameInvalid; AuditCertificateDataMismatchEventType | The HostName in the URL used to connect to the Server shall be the same as one of the HostNames specified in the Certificate. This check is skipped for CA Certificates. This check is skipped for Server side validation. This error may be suppressed. |
| URI | Bad_CertificateUriInvalid; AuditCertificateDataMismatchEventType | Application and Software Certificates contain an application or product URI that shall match the URI specified in the ApplicationDescription provided with the Certificate. This check is skipped for CA Certificates. This error may not be suppressed. The gatewayServerUri is used to validate an Application Certificate when connecting to a Gateway Server (see 7.2). |
| Certificate Usage | Bad_CertificateUseNotAllowed, Bad_CertificateIssuerUseNotAllowed; AuditCertificateMismatchEventType | Each Certificate has a set of uses for the Certificate (see OPC 10000-6). These uses shall match the use requested for the Certificate (i.e. Application, Software or CA). This error may be suppressed unless the Certificate indicates that the usage is mandatory. |
| Find Revocation List | Bad_CertificateRevocationUnknown, Bad_CertificateIssuerRevocationUnknown; AuditCertificateRevokedEventType | Each CA Certificate may have a revocation list. This check fails if this list is not available (i.e. a network interruption prevents the application from accessing the list). No error is reported if the Administrator disables revocation checks for a CA Certificate. This error may be suppressed. Bad_SecurityChecksFailed should be reported back to the Client. |
| Revocation Check | Bad_CertificateRevoked, Bad_CertificateIssuerRevoked; AuditCertificateRevokedEventType | The Certificate has been revoked and may not be used. This error may not be suppressed. If this check fails on the Server side, the error Bad_SecurityChecksFailed shall be reported back to the Client. |
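As an added example (not part of OPC 10000-4 or any OPC UA stack), the following Python sketch runs the Table 106 steps in order over a constructed, simplified certificate model: the `Cert` class, its `signature_ok` flag and its `crl` attribute are assumptions standing in for real X.509 parsing, signature verification and CRL retrieval. It shows chain building from the trusted and issuer lists, the trust list rule, suppressible versus critical errors with their audit events, and the Server side mapping to Bad_SecurityChecksFailed; the structure, policy, host name, URI and usage steps are left out.

```python
from dataclasses import dataclass
from datetime import datetime

@dataclass
class Cert:  # constructed stand-in for an X.509 Certificate; no real parsing or cryptography
    subject: str
    issuer: str                        # equals subject for a self-signed root CA
    not_before: datetime
    not_after: datetime
    signature_ok: bool = True          # stands in for the cryptographic signature check
    crl: "frozenset | None" = frozenset()  # subjects this CA revoked; None = list unavailable

# Errors Table 106 lets a privileged user suppress; every other error halts processing.
SUPPRESSIBLE = {"Bad_CertificateTimeInvalid", "Bad_CertificateIssuerTimeInvalid",
                "Bad_CertificateRevocationUnknown", "Bad_CertificateIssuerRevocationUnknown"}

class ValidationError(Exception): pass

def build_chain(cert, trusted, issuers):  # follow issuer links back to a self-signed root
    store = {c.subject: c for c in trusted + issuers}
    chain = [cert]
    while chain[-1].issuer != chain[-1].subject:
        parent = store.get(chain[-1].issuer)
        if parent is None or parent in chain:   # missing link or a cycle: chain incomplete
            return None
        chain.append(parent)
    return chain

def validate(cert, trusted, issuers, now, suppressed=frozenset(), server_side=False):
    """Run the Table 106 steps in order; returns (status, audit_events)."""
    audit = []
    def check(ok, status, event):
        if ok: return
        audit.append(event)            # a failed step is always audited, even when suppressed
        if status in SUPPRESSIBLE and status in suppressed: return
        # A Server reports only the generic status to the Client, hiding which check failed.
        raise ValidationError("Bad_SecurityChecksFailed" if server_side else status)
    try:
        chain = build_chain(cert, trusted, issuers)
        check(chain is not None, "Bad_CertificateChainIncomplete", "AuditCertificateInvalidEventType")
        for c in chain:
            check(c.signature_ok, "Bad_CertificateInvalid", "AuditCertificateInvalidEventType")
        names = {t.subject for t in trusted}
        check(any(c.subject in names for c in chain), "Bad_CertificateUntrusted", "AuditCertificateUntrustedEventType")
        for i, c in enumerate(chain):  # i == 0 is the application cert, the rest are issuer CAs
            iss = "Issuer" if i else ""
            check(c.not_before <= now <= c.not_after, f"Bad_Certificate{iss}TimeInvalid", "AuditCertificateExpiredEventType")
            if i + 1 < len(chain):     # revocation status comes from the issuing CA's list
                crl = chain[i + 1].crl
                check(crl is not None, f"Bad_Certificate{iss}RevocationUnknown", "AuditCertificateRevokedEventType")
                check(crl is None or c.subject not in crl, f"Bad_Certificate{iss}Revoked", "AuditCertificateRevokedEventType")
        return "Good", audit
    except ValidationError as e:
        return str(e), audit
```

Note that a suppressed error still produces its audit event while the result stays Good, and that a Client talking to a Server only ever sees Bad_SecurityChecksFailed for a rejected Certificate.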

Certificates are usually placed in a central location called a CertificateStore. Figure 20 illustrates the interactions between the Application, the Administrator and the CertificateStore. The CertificateStore could be on the local machine or in some central server. The exact mechanisms used to access the CertificateStore depend on the application and PKI environment set up by the Administrator.


Figure 20 – Determining if an Application Instance Certificate is trusted