## 7.6.3 StartSigningRequest

StartSigningRequest is used to initiate a request to create a Certificate which uses the private key which the caller currently has. The new Certificate is returned in the FinishRequest response.

Signature

StartSigningRequest(
[in]  NodeId applicationId
[in]  NodeId certificateGroupId
[in]  NodeId certificateTypeId
[in]  ByteString certificateRequest
[out] NodeId requestId
);

Argument Description
applicationId The identifier assigned to the Application record by the CertificateManager.
certificateGroupId The NodeId of the Certificate Group which provides the context for the new request.
If null the CertificateManager shall choose the DefaultApplicationGroup.
certificateTypeId The NodeId of the CertificateType for the new Certificate.
If null the CertificateManager shall generate a Certificate based on the value of the certificateGroupId argument.
certificateRequest A CertificateRequest used to prove possession of the Private Key.
It is a PKCS #10 encoded blob in DER format.
This blob shall include the subjectAltName extension that is in the Certificate.
requestId The NodeId that represents the request.
This value is passed to FinishRequest .

The call returns the NodeId that is passed to the FinishRequest Method.

The certificateGroupId parameter allows the caller to specify a Certificate Group that provides context for the request. If null the CertificateManager shall choose the DefaultApplicationGroup. The set of available Certificate Groups are found in the CertificateGroups folder described in 7.6.2. The Certificate Groups allowed for an Application are returned by the GetCertificateGroups Method (see 7.6.6).

The certificateTypeId parameter specifies the type of Certificate to return. The permitted values are specified by the CertificateTypes Property of the Object specified by the certificateGroupId parameter.

The certificateRequest parameter is a DER encoded Certificate Request. The subject name, subject alternative name and public key are copied into the new Certificate.

If the certificateTypeId is a subtype of ApplicationCertificateType the subject name shall have an organization (O=) or domain name (DC=) field. The public key length shall meet the length restrictions for the CertificateType. If the certificateType is a subtype of HttpsCertificateType the Certificate common name (CN=) shall be the same as a domain from a DiscoveryUrl which uses HTTPS and the subject name shall have an organization (O=) field. The public key length shall be greater than or equal to 1024 bits.

The ApplicationUri shall be specified in the CSR. The CertificateManager shall return Bad_CertificateUriInvalid if the stored ApplicationUri for the Application is different from what is in the CSR.

For Servers, the list of domain names shall be specified in the CSR. The domains shall include the domain(s) in the DiscoveryUrls known to the CertificateManager.

This Method can be invoked by a configuration tool which has provided user credentials with necessary access permissions. It can also be invoked by the Application that owns the private key used to sign the CertificateRequest (e.g. the private key shall be the private key used to create the SecureChannel).

If auditing is supported, the CertificateManager shall generate the CertificateRequestedAuditEventType (see 7.6.8.1) if this Method succeeds or fails.

Method Result Codes (defined in Call Service)

Result Code Description
Bad_NotFound The applicationId does not refer to a registered Application.
Bad_InvalidArgument The certificateGroupId, certificateTypeId or certificateRequest is not valid.
The text associated with the error shall indicate the exact problem.
Bad_UserAccessDenied The current user does not have the rights required.
Bad_RequestNotAllowed The current configuration of the CertificateManager does not allow the request.
The text associated with the error should indicate the exact reason.
Bad_CertificateUriInvalid The ApplicationUri was not specified in the CSR or does not match the Application record.
Bad_NotSupported The signing algorithm, public algorithm or public key size are not supported by the CertificateManager. The text associated with the error shall indicate the exact problem.

Table 31 specifies the AddressSpace representation for the StartSigningRequest Method.

Table 31 – StartSigningRequest Method AddressSpace Definition

Attribute Value
BrowseName StartSigningRequest
References NodeClass BrowseName DataType TypeDefinition ModellingRule
HasProperty Variable InputArguments Argument[] PropertyType Mandatory
HasProperty Variable OutputArguments Argument[] PropertyType Mandatory