An Application Instance Certificate is a ByteString containing the DER encoded form (see X690) of an X.509 v3 Certificate. This Certificate is issued by a certifying authority and identifies an instance of an application running on a single host. The X.509 v3 fields contained in an Application Instance Certificate are described in Table 49. The fields are defined completely in RFC 5280.
Table 49 also provides a mapping from the RFC 5280 terms to the terms used in the abstract definition of an Application Instance Certificate defined in OPC 10000-4.
Table 49 – Application Instance Certificate

| Name | OPC 10000-4 Parameter Name | Description |
|---|---|---|
| Application Instance Certificate | | An X.509 v3 Certificate. |
| version | version | shall be “V3” |
| serialNumber | serialNumber | The serial number assigned by the issuer. |
| signatureAlgorithm | signatureAlgorithm | The algorithm used to sign the Certificate. |
| signature | signature | The signature created by the Issuer. |
| issuer | issuer | The distinguished name of the Certificate used to create the signature. |
| validity | validTo, validFrom | When the Certificate becomes valid and when it expires. |
| subject | subject | The distinguished name of the application Instance. The Common Name attribute shall be specified and should be the productName or a suitable equivalent. The Organization Name attribute shall be the name of the Organization that executes the application instance. This organization is usually not the vendor of the application. Other attributes may be specified. |
| subjectAltName | applicationUri, hostnames | The alternate names for the application Instance. Shall include a uniformResourceIdentifier which is equal to the applicationUri. The URI shall be a valid URL (see RFC 3986) or a valid URN (see RFC 8141). Servers shall specify a partial or a fully qualified dNSName or a static IPAddress which identifies the machine where the application Instance runs. Additional dNSNames may be specified if the machine has multiple names. The subjectAltName field is completely described in RFC 5280. |
| publicKey | publicKey | The public key associated with the Certificate. |
| keyUsage | keyUsage | Specifies how the Certificate key may be used. For RSA keys, the keyUsage shall include digitalSignature, nonRepudiation, keyEncipherment and dataEncipherment. For ECC keys, the keyUsage shall include digitalSignature. Other keyUsage bits are allowed but not recommended. Self-signed Certificates shall also include keyCertSign. |
| extendedKeyUsage | keyUsage | Specifies additional limits on how the Certificate key may be used. For RSA profiles, the extendedKeyUsage shall specify serverAuth for Servers and shall specify clientAuth for Clients. The extendedKeyUsage should also specify clientAuth for Servers. For ECC profiles, serverAuth and clientAuth are optional. Other extendedKeyUsage bits are allowed. |
| authorityKeyIdentifier | (No mapping) | Provides more information about the key used to sign the Certificate. It shall be specified for Certificates signed by a CA. It should be specified for self-signed Certificates. |
| basicConstraints | (No mapping) | The basicConstraints field is completely described in RFC 5280. The cA flag identifies whether the subject of the Certificate is a CA. The pathLength specifies the maximum number of intermediate CAs in valid chains that follow this Certificate. The basicConstraints extension shall be present and shall not be ignored. The extension shall be validated and marking the extension as critical has no effect. For backward interoperability, any error related to the critical mark produced by software libraries shall be suppressed and logged as a warning. The cA flag shall be FALSE for any ApplicationInstance Certificate, however, TRUE shall be accepted to ensure backward interoperability when validating ApplicationInstance Certificates, if revocation checks are enabled. If revocation checks are disabled then a Certificate with the cA flag set to TRUE should not be accepted. It should be possible to disable backward interoperability in configuration. If the cA flag is TRUE for a self-signed ApplicationInstance Certificate, then the pathLength should be 0. If an application accepts an ApplicationInstance Certificate with cA flag set to TRUE, it shall write a warning to the log. Note that RFC 6818 updates RFC 5280 and explicitly states that self-signed Certificates used as end-entity Certificates are outside the scope of RFC 5280. This means the requirement that the CA flag be FALSE for ApplicationInstance Certificates does not violate RFC 5280 requirements. |
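
The following is an added example, not part of the specification: a Python sketch of a validator for the keyUsage, extendedKeyUsage, subjectAltName, authorityKeyIdentifier and basicConstraints rules in Table 49, including the cA flag compatibility behaviour. The `CertFields` container, the function and parameter names, and the sample values are assumptions; a real implementation would fill the fields from an X.509 parser.

```python
import logging
from dataclasses import dataclass
from typing import Optional

log = logging.getLogger("opcua.cert")
RSA_KU = {"digitalSignature", "nonRepudiation", "keyEncipherment", "dataEncipherment"}
ECC_KU = {"digitalSignature"}

@dataclass
class CertFields:
    """Hypothetical container for fields already decoded by an X.509 parser."""
    key_type: str                      # "RSA" or "ECC"
    key_usage: set
    ext_key_usage: set
    san_uris: list                     # uniformResourceIdentifier entries
    san_hosts: list                    # dNSName and iPAddress entries
    self_signed: bool
    has_aki: bool                      # authorityKeyIdentifier present
    basic_constraints: Optional[dict]  # {"ca": bool, "path_length": int or None}

def check_profile(c, application_uri, is_server,
                  revocation_checks=True, allow_ca_compat=True):
    """Return the list of Table 49 violations; an empty list means accept."""
    errors = []
    required = set(RSA_KU if c.key_type == "RSA" else ECC_KU)
    if c.self_signed:
        required.add("keyCertSign")
    if required - c.key_usage:
        errors.append("keyUsage missing " + ",".join(sorted(required - c.key_usage)))
    eku = "serverAuth" if is_server else "clientAuth"
    if c.key_type == "RSA" and eku not in c.ext_key_usage:
        errors.append("extendedKeyUsage missing " + eku)
    if application_uri not in c.san_uris:
        errors.append("subjectAltName URI != applicationUri")
    if is_server and not c.san_hosts:
        errors.append("server has no dNSName or IPAddress")
    if not c.self_signed and not c.has_aki:
        errors.append("authorityKeyIdentifier missing")
    bc = c.basic_constraints
    if bc is None:
        errors.append("basicConstraints missing")
    elif bc["ca"]:
        # cA=TRUE is tolerated only for backward interoperability, and only
        # while revocation checks are on; acceptance must be logged.
        if revocation_checks and allow_ca_compat:
            log.warning("accepted ApplicationInstance Certificate with cA=TRUE")
        else:
            errors.append("cA flag is TRUE")
    return errors

# Constructed sample: legacy self-signed RSA server certificate with cA=TRUE.
LEGACY = CertFields("RSA", RSA_KU | {"keyCertSign"}, {"serverAuth", "clientAuth"},
                    ["urn:example-host:ExampleServer"], ["example-host"],
                    True, True, {"ca": True, "path_length": 0})
```

Setting `allow_ca_compat=False` corresponds to disabling backward interoperability in configuration, so the same legacy certificate is then rejected.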