A recommended directory layout for Applications that store their Certificates on a file system is shown in Table 118. The Local Discovery Server shall use this structure.

This structure is based on the rules defined in OPC 10000-6.

Table 118 – Application Certificate Store Directory Layout

| Path | Description |
|---|---|
| <root> | A descriptive name for the trust list. |
| <root>/own | The Certificate store which contains private keys used by the application. |
| <root>/own/certs | Contains the X.509 v3 Certificates associated with the private keys in the ./private directory. |
| <root>/own/private | Contains the private keys used by the application. |
| <root>/trusted | The Certificate store which contains trusted Certificates. |
| <root>/trusted/certs | Contains the X.509 v3 Certificates which are trusted. |
| <root>/trusted/crl | Contains the X.509 v3 CRLs for any Certificates in the ./certs directory. |
| <root>/issuer | The Certificate store which contains the CA Certificates needed for validation. |
| <root>/issuer/certs | Contains the X.509 v3 Certificates which are needed for validation. |
| <root>/issuer/crl | Contains the X.509 v3 CRLs for any Certificates in the ./certs directory. |
| <root>/rejected | The Certificate store which contains Certificates which have been rejected. |
| <root>/rejected/certs | Contains the X.509 v3 Certificates which have been rejected. |

All X.509 v3 certificates are stored in DER format and have a ‘.der’ extension on the file name.

All CRLs are stored in DER format and have a ‘.crl’ extension on the file name.

Private keys should be in PKCS #12 format with a ‘.pfx’ extension or in the OpenSSL PEM format. The OpenSSL PEM format is not formally defined and should only be used by applications which use the OpenSSL libraries to implement security. Other private key formats may exist.

The base name of the Private Key file shall be the same as the base file name for the matching Certificate file stored in the ./certs directory.

A recommended naming convention is:

<CommonName>-[<Algorithm>-<Thumbprint>].(der | pem | pfx)

Where the CommonName is the CommonName of the Certificate, the Algorithm is the key-pair algorithm and the Thumbprint is the CertificateDigest of the Certificate formatted as a hexadecimal string.

The currently supported key-pair algorithms are: RSA, nistP256, nistP384, brainpoolP256r1, brainpoolP384r1, curve25519 and curve448.
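As an added example (not part of the specification or of any OPC UA SDK), the following Python checks a store directory against the layout and naming rules above: required subdirectories, the extension allowed in each, the base-name match between a private key and its Certificate, and the key-pair algorithm in a conventionally named file. File contents are constructed placeholders, and using SHA-1 for the thumbprint is an assumption.

```python
import hashlib, re, tempfile
from pathlib import Path

# Subdirectories from Table 118 and the file extensions each may contain.
LAYOUT = {"own/certs": {".der"}, "own/private": {".pfx", ".pem"}, "trusted/certs": {".der"},
          "trusted/crl": {".crl"}, "issuer/certs": {".der"}, "issuer/crl": {".crl"},
          "rejected/certs": {".der"}}
ALGORITHMS = {"RSA", "nistP256", "nistP384", "brainpoolP256r1", "brainpoolP384r1",
              "curve25519", "curve448"}
# Recommended base name: <CommonName>-[<Algorithm>-<Thumbprint>]
NAME_RE = re.compile(r"^(?P<cn>.+)-\[(?P<alg>[A-Za-z0-9]+)-(?P<tp>[0-9A-Fa-f]+)\]$")

def recommended_base_name(common_name, algorithm, der_bytes, digest="sha1"):
    """Base name per the convention above; using SHA-1 for the thumbprint is an assumption."""
    return f"{common_name}-[{algorithm}-{hashlib.new(digest, der_bytes).hexdigest().upper()}]"

def check_store(root):
    """Return the layout violations found under root (an empty list means it conforms)."""
    root, problems = Path(root), []
    for rel, allowed in LAYOUT.items():
        d = root / rel
        if not d.is_dir():
            problems.append(f"missing directory {rel}")
            continue
        for f in (p for p in d.iterdir() if p.is_file()):
            if f.suffix.lower() not in allowed:        # e.g. a .pem dropped into a certs dir
                problems.append(f"{rel}/{f.name}: unexpected extension {f.suffix}")
            elif rel.endswith("certs") and (m := NAME_RE.match(f.stem)) and m["alg"] not in ALGORITHMS:
                problems.append(f"{rel}/{f.name}: unsupported key-pair algorithm {m['alg']}")
    # Each private key must have a certificate with the same base name in ./certs.
    certs = {p.stem for p in (root / "own/certs").glob("*.der")}
    for key in (root / "own/private").glob("*.p*"):
        if key.suffix.lower() in (".pfx", ".pem") and key.stem not in certs:
            problems.append(f"own/private/{key.name}: no matching certificate in own/certs")
    return problems

def demo():
    """Build a constructed sample store (with one deliberate violation) and check it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for rel in LAYOUT:
            (root / rel).mkdir(parents=True)
        der = b"\x30\x82\x01\x00 constructed placeholder, not a real certificate"  # constructed
        base = recommended_base_name("MyServer", "RSA", der)
        (root / "own/certs" / f"{base}.der").write_bytes(der)
        (root / "own/private" / f"{base}.pfx").write_bytes(b"constructed PKCS #12 placeholder")
        (root / "own/private" / "orphan.pem").write_bytes(b"constructed PEM placeholder")  # violation
        (root / "trusted/crl" / "ExampleCA.crl").write_bytes(b"constructed CRL placeholder")
        return check_store(tmp)
```

Running `demo()` reports only the orphaned PEM key, since every other file sits in the right directory with the right extension and a matching base name.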