An Application Instance Certificate is a ByteString containing the DER encoded form (see X690) of an X.509 v3 Certificate. This Certificate is issued by a certifying authority and identifies an instance of an application running on a single host. The X.509 v3 fields contained in an Application Instance Certificate are described in Table 36. The fields are defined completely in RFC 3280.
Table 36 also provides a mapping from the RFC 3280 terms to the terms used in the abstract definition of an Application Instance Certificate defined in OPC 10000-4.
Table 36 – Application Instance Certificate

| Name | OPC 10000-4 Parameter Name | Description |
|---|---|---|
| Application Instance Certificate | | An X.509 v3 Certificate. |
| version | version | shall be “V3” |
| serialNumber | serialNumber | The serial number assigned by the issuer. |
| signatureAlgorithm | signatureAlgorithm | The algorithm used to sign the Certificate. |
| signature | signature | The signature created by the Issuer. |
| issuer | issuer | The distinguished name of the Certificate used to create the signature. |
| validity | validTo, validFrom | When the Certificate becomes valid and when it expires. |
| subject | subject | The distinguished name of the applicationInstance. The Common Name attribute shall be specified and should be the productName or a suitable equivalent. The Organization Name attribute shall be the name of the Organization that executes the application instance. This organization is usually not the vendor of the application. Other attributes may be specified. |
| subjectAltName | applicationUri, hostnames | The alternate names for the applicationInstance. Shall include a uniformResourceIdentifier which is equal to the applicationUri. The URI shall be a valid URL (see RFC 1738) or a valid URN (see RFC 2141). Servers shall specify a partial or a fully qualified dNSName or a static IPAddress which identifies the machine where the applicationInstance runs. Additional dNSNames may be specified if the machine has multiple names. The subjectAltName field is completely described in RFC 3280. |
| publicKey | publicKey | The public key associated with the Certificate. |
| keyUsage | keyUsage | Specifies how the Certificate key may be used. Shall include digitalSignature, nonRepudiation, keyEncipherment and dataEncipherment. Other key uses are allowed. |
| extendedKeyUsage | keyUsage | Specifies additional key uses for the Certificate. Shall specify serverAuth and/or clientAuth. Other key uses are allowed. |
| authorityKeyIdentifier | (no mapping) | Provides more information about the key used to sign the Certificate. It shall be specified for Certificates signed by a CA. It should be specified for self-signed Certificates. |
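The subjectAltName, keyUsage and extendedKeyUsage rows of Table 36 can be checked mechanically when a Server's Certificate is received or provisioned. The following Go program is an added example, not part of the specification: it parses the DER ByteString with the standard `crypto/x509` package and reports which of those rows are satisfied. `CheckAppCert`, `SampleCert`, the rule labels, the host `plc-gw.example` and the subject names are hypothetical, and the sample Certificate is constructed for the demonstration.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net/url"
	"time"
)

// CheckAppCert reports, per Table 36 rule, whether a Server's DER certificate meets it.
func CheckAppCert(der []byte, applicationURI string) (map[string]bool, error) {
	c, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	need := x509.KeyUsageDigitalSignature | x509.KeyUsageContentCommitment | // = nonRepudiation
		x509.KeyUsageKeyEncipherment | x509.KeyUsageDataEncipherment
	uriOK, ekuOK := false, false
	for _, u := range c.URIs {
		uriOK = uriOK || u.String() == applicationURI
	}
	for _, e := range c.ExtKeyUsage {
		ekuOK = ekuOK || e == x509.ExtKeyUsageServerAuth || e == x509.ExtKeyUsageClientAuth
	}
	return map[string]bool{
		"subjectAltName.uri":  uriOK,
		"subjectAltName.host": len(c.DNSNames)+len(c.IPAddresses) > 0,
		"keyUsage":            c.KeyUsage&need == need,
		"extendedKeyUsage":    ekuOK,
	}, nil
}

// SampleCert builds a constructed self-signed Server certificate; all names are made up.
func SampleCert(host string, ku x509.KeyUsage) ([]byte, error) {
	key, _ := rsa.GenerateKey(rand.Reader, 2048)
	t := &x509.Certificate{SerialNumber: big.NewInt(1), NotBefore: time.Now(), KeyUsage: ku,
		NotAfter: time.Now().Add(time.Hour), ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		Subject:  pkix.Name{CommonName: "ExampleServer", Organization: []string{"Example Operator"}},
		DNSNames: []string{host}, URIs: []*url.URL{{Scheme: "urn", Opaque: host + ":ExampleServer"}}}
	return x509.CreateCertificate(rand.Reader, t, t, &key.PublicKey, key)
}

func main() {
	der, _ := SampleCert("plc-gw.example", x509.KeyUsageDigitalSignature) // three key uses missing
	fmt.Println(CheckAppCert(der, "urn:plc-gw.example:ExampleServer"))
}
```

The sample in `main` carries only digitalSignature, so the `keyUsage` entry comes back false while the other three are true.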