Certificatesare digitally signed data structures that contain a Public Keyand the identity of a OPC UA Application. All SecurityProtocolsuse X.509 v3 Certificates(see X.509 v3) encoded using the DER format (see X690). Certificatesused by OPC UA applications shall also conform to RFC 5280which defines a profile for X.509 v3 Certificateswhen they are used as part of an Internet based application.

The ServerCertificateand ClientCertificateparameters used in the abstract OpenSecureChannelservice are instances of the ApplicationInstance Certificate DataType. Clause 6.2.2describes how to create an X.509 v3 Certificatethat can be used as an ApplicationInstance Certificate.

Certificatesare also used as form of UserIdentityTokenwhich identifies a user associated with a Session. Clause 6.2.3describes Certificatesused as UserIdentityTokens.

An Application Instance Certificateis a ByteStringcontaining the DER encoded form (see X690) of an X.509 v3 Certificate. This Certificateis issued by certifying authority and identifies an instance of an application running on a single host. The X.509 v3 fields contained in an Application Instance Certificateare described in Table 43. The fields are defined completely in RFC 5280.

Table 43also provides a mapping from the RFC 5280terms to the terms used in the abstract definition of an Application Instance Certificatedefined in OPC 10000-4.

Table 43– Application Instance Certificate

Name

OPC 10000-4Parameter Name

Description

Application Instance Certificate

An X.509 v3 Certificate.

version

version

shall be “V3”

serialNumber

serialNumber

The serial number assigned by the issuer.

signatureAlgorithm

signatureAlgorithm

The algorithm used to sign the Certificate.

signature

signature

The signature created by the Issuer.

issuer

issuer

The distinguished name of the Certificateused to create the signature.

The issuer field is completely described in RFC 5280.

validity

validTo, validFrom

When the Certificatebecomes valid and when it expires.

subject

subject

The distinguished name of the applicationInstance.

The Common Name attribute shall be specified and should be the productNameor a suitable equivalent. The Organization Name attribute shall be the name of the Organization that executes the application instance. This organization is usually not the vendor of the application.

Other attributes may be specified.

The subject field is completely described in RFC 5280.

subjectAltName

applicationUri,

hostnames

The alternate names for the applicationInstance.

Shall include a uniformResourceIdentifier which is equal to the applicationUri. The URI shall be a valid URL (see RFC 3986) or a valid URN (see RFC 8141).

Serversshall specify a partial or a fully qualified dNSNameor a staticIPAddresswhich identifies the machine where the applicationInstanceruns. Additional dNSNames may be specified if the machine has multiple names.

The subjectAltName fieldis completely described in RFC 5280.

publicKey

publicKey

The public key associated with the Certificate.

keyUsage

keyUsage

Specifies how the Certificatekey may be used.

For RSA keys, the keyUsage shall include digitalSignature, nonRepudiation, keyEncipherment and dataEncipherment.For ECC keys, the keyUsage shall include digitalSignature.Other keyUsage bits are allowed but not recommended.

Self-signed Certificatesshall also include keyCertSign.

extendedKeyUsage

keyUsage

Specifies additional limits on how the Certificatekey may be used.

For RSA keys, the extendedKeyUsage shall specify serverAuth and/or clientAuth.For ECC keys, the extendedKeyUsage may specify serverAuth and/or clientAuth.

Other extendedKeyUsage bits are allowed.

authorityKeyIdentifier

(No mapping)

Provides more information about the key used to sign the Certificate. It shall be specified for Certificatessigned by a CA. It should be specified for self-signed Certificates.

basicConstraints

(No mapping)

The basicConstraintsfieldis completely described in RFC 5280.

The cAflag Identifies whether the subject of the Certificateis a CA The pathLengthspecifies the maximum depth of valid chains that include this Certificate.

The cAflag shall be FALSE for ApplicationInstance Certificatesissued by a CA.

The cAflag should be FALSE for self-signed Certificates, however, TRUE shall be accepted to ensure backward interoperability.

If the CA flag is TRUE for self-signed ApplicationInstance Certificates,then the pathLength shall be 0.

A User Certificateis a Certificateis issued by certifying authority and identifies a user.

The X.509 v3 fields in a User Certificateswith specific requirements are shown in Table 44.

Table 44– User Certificate

Field

Description

subject

The distinguished name of the User.

The Common Name attribute shall be specified and should be name of the user. The Organization should be provided.

Other attributes may be specified.

The subject field is completely described in RFC 5280.

authorityKeyIdentifier

Provides more information about the key used to sign the Certificate. It shall be specified.

basicConstraints

The basicConstraintsfieldis completely described in RFC 5280.

The cAflag Identifies whether the subject of the Certificateis a CA The pathLengthspecifies the maximum depth of valid chains that include this Certificate.

The cAflag shall be FALSE for User Certificates.

The pathLength shall not be present.

An Issueror CA Certificateis an X.509 v3 Certificatethat identifies an authority that issues Certificates. An Issuer Certificatemay identify a root CA or an intermediate CA. Certificatesthat identify root CAs are self-signed Certificates. Certificatesthat identify intermediate CAs are issued by authority identified by an intermediate CA or root CA.

The X.509 v3 fields in Issuer Certificateswith specific requirements are shown in Table 45.

Table 45– Issuer Certificate

Field

Description

subject

The distinguished name of for the authority.

The Common Name attribute shall be specified.

The Organization should be provided.

Other attributes may be specified.

The subject field is completely described in RFC 5280.

authorityKeyIdentifier

Provides more information about the key used to sign the Certificate. It shall be specified.

basicConstraints

The basicConstraintsfieldis completely described in RFC 5280.

The cAflag Identifies whether the subject of the Certificateis a CA The pathLengthspecifies the maximum depth of valid chains that include this Certificate.

The cAflag shall be TRUE for CA Certificates.

A Certificate Revocation List (CRL) is a ByteStringcontaining the DER encoded form (see X690) of an X.509 v3 CRL. The CRL is issued by certifying authority and contains the serial numbers of the Certificatesissued by that authority which are no longer valid. All CRLs shall have the extension defined in Table 43. The extension is defined completely in RFC 5280.

Table 46– Certificate Revocation List Extensions

Extension

Description

authorityKeyIdentifier

Provides more information about the key used to sign the CRL.

Any X.509 v3 Certificatemay be signed by CA which means that validating the signature requires access to the X.509 v3 Certificatebelonging to the signing CA. Whenever an application validates a Certificate(see OPC 10000-4) it shall recursively build a chain of Certificatesby finding the issuer Certificate, validating the Certificateand then repeat the process for the issuer Certificate. The chain ends with a self-signed Certificate.

The number of CAs used in a system should be small so it is common to install the necessary CAs on each machine with an OPC UA application. However, applications have the option of including a partial or complete chain whenever they pass a Certificate. This includes GetEndpoints, SecureChannelnegotiation and during the CreateSession/ActivateSessionhandshake.

All OPC UA applications shall accept partial or complete chains in any field that contains a DER encoded Certificate.

Chains are stored in a ByteStringby simply appending the DER encoded form of the Certificates. The first Certificateshall be the end Certificatefollowed by its issuer. If the root CA is sent as part of the chain, it is last Certificateappended to the ByteString.

Chains are parsed by extracting the length of each Certificate from the DER encoding. For Certificates with lengths less than 65 535 bytes it is an MSB encoded UInt16 starting at the 3rdbyte.