ApplicationInstanceCertificates or UserIdentityTokens may expire, become invalid or may be rejected on Client or Server side.

ApplicationInstanceCertificates verification shall be executed every time the SecurityToken is renewed for a SecureChannel. OPC UA Applications may do additional verifications between SecurityToken renewals, e.g. if the trust list is updated from a GDS.

If the SecureChannel does not use ApplicationInstanceCertificates, the OPC UA Application should execute ApplicationInstanceCertificate checks for the Session at a rate used for SecureChannel renewals.

The recovery mechanisms for ApplicationInstanceCertificate replacement scenarios are described in 6.7.
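The following sketch is an added example, not text or code from the specification. It shows the peer ApplicationInstanceCertificate being re-verified at each SecurityToken renewal and again when the trust list is updated. The class and method names are hypothetical, the certificate is a constructed stand-in reduced to a thumbprint and validity period, chain building and signature checks are omitted, and closing the channel on failure is an assumption of this example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Result strings use OPC UA StatusCode names; all other names are hypothetical.
GOOD = "Good"
UNTRUSTED = "Bad_CertificateUntrusted"
TIME_INVALID = "Bad_CertificateTimeInvalid"
REVOKED = "Bad_CertificateRevoked"

@dataclass(frozen=True)
class PeerCert:  # constructed stand-in for a parsed X.509 certificate
    thumbprint: str
    not_before: datetime
    not_after: datetime

@dataclass
class TrustList:  # simplified: thumbprints only, no issuer store or CRL files
    trusted: set = field(default_factory=set)
    revoked: set = field(default_factory=set)

def verify(cert, trust, now):
    """Return the first failing check, or GOOD if all checks pass."""
    if cert.thumbprint not in trust.trusted:
        return UNTRUSTED
    if not (cert.not_before <= now <= cert.not_after):
        return TIME_INVALID
    if cert.thumbprint in trust.revoked:
        return REVOKED
    return GOOD

@dataclass
class SecureChannel:
    peer: PeerCert
    trust: TrustList
    is_open: bool = True

    def recheck(self, now):
        status = verify(self.peer, self.trust, now)
        if status != GOOD:
            self.is_open = False  # assumption: a failed check closes the channel
        return status

    def on_token_renew(self, now):  # required check at every renewal
        return self.recheck(now)

    def on_trust_list_update(self, new_trust, now):  # optional check between renewals
        self.trust = new_trust
        return self.recheck(now)

def demo():
    utc = timezone.utc
    cert = PeerCert("AA11", datetime(2023, 1, 1, tzinfo=utc), datetime(2024, 6, 1, tzinfo=utc))
    ch = SecureChannel(cert, TrustList(trusted={"AA11"}))
    r1 = ch.on_token_renew(datetime(2024, 1, 1, tzinfo=utc))
    r2 = ch.on_trust_list_update(TrustList({"AA11"}, {"AA11"}), datetime(2024, 1, 2, tzinfo=utc))
    ch2 = SecureChannel(cert, TrustList(trusted={"AA11"}))
    r3 = ch2.on_token_renew(datetime(2024, 7, 1, tzinfo=utc))  # after not_after
    return r1, r2, r3, ch.is_open, ch2.is_open
```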

OPC UA Applications should have internal notification mechanisms to be informed about the removal of user identities, or should frequently check whether a UserIdentityToken is still valid or whether the authorization for a UserIdentityToken has changed.