All OPC UA Applicationsrequire an Application Instance Certificatewhich shall contain the following information:

  • The network name or address of the computer where the application runs;
  • The name of the organisation that administers or owns the application;
  • The name of the application;
  • The URI of the application instance;
  • The name of the Certificate Authoritythat issued the Certificate;
  • The issue and expiry date for the Certificate;
  • The public key issued to the application by the Certificate Authority(CA);
  • A digital signature created by the Certificate Authority(CA).

In addition, each Application Instance Certificatehas a private key which should be stored in a location that can only be accessed by the application. If this private key is compromised, the administrator shall assign a new Application Instance Certificateand private key to the application.

This Certificatemay be generated automatically when the application is installed. In this situation the private key assigned to the Certificateshall be used to create the Certificatesignature. Certificatescreated in this way are called self-signed Certificates.

If the administrator responsible for the application decides that a self-signed Certificatedoes not meet the security requirements of the organisation, then the administrator should install a Certificateissued by a Certification Authority. The steps involved in requesting an Application Instance Certificatefrom a Certificate Authorityare shown in Figure 19.

image022.png

Figure 19– Obtaining and Installing an Application Instance Certificate

The figure above illustrates the interactions between the application, the Administratorand the Certificate Authority. The Applicationis as OPC UA Applicationinstalled on a single machine. The Administratoris the person responsible for managing the machine and the OPC UA Application. The Certificate Authorityis an entity that can issue digital Certificatesthat meet the requirements of the organisation deploying the OPC UA Application.

If the Administratordecides that a self-signed Certificatemeets the security requirements for the organisation, then the Administratormay skip Steps 3 through 5. Application vendors shall ensure that a Certificateis available after the installation process. Every OPC UA Applicationshall allow the Administratorsto replace Application Instance Certificateswith Certificatesthat meet their requirements.

When the Administratorrequests a new Certificatefrom a Certificate Authority, the Certificate Authoritymay require that the Administrator provide proof of authorization to request Certificatesfor the organisation that will own the Certificate. The exact mechanism used to provide this proof depends on the Certificate Authority.

Vendors may choose to automate the process of acquiring Certificatesfrom an authority. If this is the case, the Administratorwould still go through the steps illustrated in Figure 19, however, the installation program for the application would do them automatically and only prompt the Administratorto provide information about the application instance being installed.