An Application Instance Certificate is a ByteString containing the DER encoded form (see X690) of an X.509 v3 Certificate. This Certificate is issued by certifying authority and identifies an instance of an application running on a single host. The X.509 v3 fields contained in an Application Instance Certificate are described in Table 46. The fields are defined completely in RFC 5280.

Table 46 also provides a mapping from the RFC 5280 terms to the terms used in the abstract definition of an Application Instance Certificate defined in OPC 10000-4.

Table 46 – Application Instance Certificate

Name

OPC 10000-4 Parameter Name

Description

Application Instance Certificate

An X.509 v3 Certificate.

version

version

shall be “V3”

serialNumber

serialNumber

The serial number assigned by the issuer.

signatureAlgorithm

signatureAlgorithm

The algorithm used to sign the Certificate.

signature

signature

The signature created by the Issuer.

issuer

issuer

The distinguished name of the Certificate used to create the signature.

The issuer field is completely described in RFC 5280.

validity

validTo, validFrom

When the Certificate becomes valid and when it expires.

subject

subject

The distinguished name of the application Instance.

The Common Name attribute shall be specified and should be the productName or a suitable equivalent. The Organization Name attribute shall be the name of the Organization that executes the application instance. This organization is usually not the vendor of the application.

Other attributes may be specified.

The subject field is completely described in RFC 5280.

subjectAltName

applicationUri,

hostnames

The alternate names for the application Instance.

Shall include a uniformResourceIdentifier which is equal to the applicationUri. The URI shall be a valid URL (see RFC 3986) or a valid URN (see RFC 8141).

Servers shall specify a partial or a fully qualified dNSName or a static IPAddress which identifies the machine where the application Instance runs. Additional dNSNames may be specified if the machine has multiple names.

The subjectAltName field is completely described in RFC 5280.

publicKey

publicKey

The public key associated with the Certificate.

keyUsage

keyUsage

Specifies how the Certificate key may be used.

For RSA keys, the keyUsage shall include digitalSignature, nonRepudiation, keyEncipherment and dataEncipherment.For ECC keys, the keyUsage shall include digitalSignature.Other keyUsage bits are allowed but not recommended.

Self-signed Certificates shall also include keyCertSign.

extendedKeyUsage

keyUsage

Specifies additional limits on how the Certificate key may be used.

For RSA profiles, the extendedKeyUsage shall specify serverAuth for Servers and shall specify clientAuth for Clients. The extendedKeyUsage should also specify clientAuth for Servers.

For ECC profiles, serverAuth and clientAuth are optional.

Other extendedKeyUsage bits are allowed.

authorityKeyIdentifier

(No mapping)

Provides more information about the key used to sign the Certificate. It shall be specified for Certificates signed by a CA. It should be specified for self-signed Certificates.

basicConstraints

(No mapping)

The basicConstraints field is completely described in RFC 5280.

The cA flag Identifies whether the subject of the Certificate is a CA The pathLength specifies the maximum number of intermediate CAs in valid chains that follow this Certificate.

The basicConstraints extension shall be present and shall not be ignored. The extension shall be validated and marking the extension as critical has no effect. For backward interoperability, any error related to the critical mark produced by software libraries shall be suppressed and logged as a warning.

The cA flag shall be FALSE for any ApplicationInstance Certificate, however, TRUE shall be accepted to ensure backward interoperability when validating ApplicationInstance Certificates, if revocation checks are enabled. If revocation checks are disabled then a Certificate with the cA flag set to TRUE should not be accepted. It should be possible to disable backward interoperability in configuration.

If the cA flag is TRUE for a self-signed ApplicationInstance Certificate, then the pathLength should be 0.

If an application accepts an ApplicationInstance Certificate with cA flag set to TRUE, it shall write a warning to the log.