This type is used for Objects which represent Certificate Groups in the AddressSpace. A Certificate Group is a context that contains a Trust List and one or more Certificates that can be assigned to an Application. This type exists to allow an Application which has multiple Trust Lists and/or Application Certificates to express them in its AddressSpace. This type is defined in Table 21.

Table 21 – CertificateGroupType Definition

| Attribute | Value |
|---|---|
| BrowseName | CertificateGroupType |
| Namespace | CORE (see 3.3) |
| IsAbstract | False |

| References | NodeClass | BrowseName | DataType | TypeDefinition | Modelling Rule |
|---|---|---|---|---|---|
| Subtype of the BaseObjectType defined in OPC 10000-5. | | | | | |
| HasComponent | Object | TrustList | - | TrustListType | Mandatory |
| HasProperty | Variable | CertificateTypes | NodeId[] | PropertyType | Mandatory |
| HasComponent | Object | CertificateExpired | - | CertificateExpirationAlarmType | Optional |
| HasComponent | Object | TrustListOutOfDate | - | TrustListOutOfDateAlarmType | Optional |
| HasComponent | Method | GetRejectedList | - | See 7.5.10.1. | Optional |

The TrustList Object is the Trust List associated with the Certificate Group.

The CertificateTypes Property specifies the NodeIds of the CertificateTypes which may be assigned to Applications which belong to the Certificate Group. For example, a Certificate Group with the NodeId of RsaMinApplicationCertificateType (see 7.5.15) and the NodeId of RsaSha256ApplicationCertificate (see 7.5.16) specified allows an Application to have one Application Instance Certificate for each type. Abstract base types may be used in this value and indicate that any subtype is allowed. If this list is empty then the Certificate Group does not allow Certificates to be assigned to Applications (i.e. the Certificate Group exists only to allow the associated Trust List to be read or updated). All CertificateTypes for a given Certificate Group shall be subtypes of a single common type, which shall be either ApplicationCertificateType or HttpsCertificateType.
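The rules above (abstract types admit any subtype, an empty list admits nothing, and all entries must share ApplicationCertificateType or HttpsCertificateType as a common base) can be checked mechanically. The following is an added example, not part of OPC 10000-12 or of any SDK: it models the CertificateType subtree with BrowseName strings instead of NodeIds, assumes the second type in the paragraph is spelled out as RsaSha256ApplicationCertificateType, and treats CertificateType, ApplicationCertificateType and HttpsCertificateType as the abstract types. The function names are the example's own.

```python
# Added example (not from the OPC UA specification): validation of the
# CertificateTypes Property of a Certificate Group.
from typing import Dict, Iterable, List, Optional

# Constructed type hierarchy: child BrowseName -> parent BrowseName.
# Only the CertificateType subtree relevant here is modelled, with BrowseName
# strings standing in for NodeIds so the example is self-contained.
CERTIFICATE_TYPE_HIERARCHY: Dict[str, Optional[str]] = {
    "CertificateType": None,
    "ApplicationCertificateType": "CertificateType",
    "HttpsCertificateType": "CertificateType",
    "RsaMinApplicationCertificateType": "ApplicationCertificateType",
    "RsaSha256ApplicationCertificateType": "ApplicationCertificateType",
}

# Abstract types: listing one of these in CertificateTypes allows any subtype.
ABSTRACT_TYPES = {"CertificateType", "ApplicationCertificateType", "HttpsCertificateType"}

# The two permitted common bases for all entries of one Certificate Group.
COMMON_BASES = ("ApplicationCertificateType", "HttpsCertificateType")


def ancestors(type_name: str, hierarchy=CERTIFICATE_TYPE_HIERARCHY) -> List[str]:
    """Return type_name followed by its supertypes, nearest first."""
    chain: List[str] = []
    current: Optional[str] = type_name
    while current is not None:
        if current not in hierarchy:
            raise KeyError(f"unknown certificate type {current!r}")
        chain.append(current)
        current = hierarchy[current]
    return chain


def is_subtype_of(candidate: str, base: str) -> bool:
    """True if candidate is base itself or a (transitive) subtype of it."""
    return base in ancestors(candidate)


def validate_certificate_types(certificate_types: Iterable[str]) -> Optional[str]:
    """Check the CertificateTypes value of one Certificate Group.

    Returns None when the value is well-formed, otherwise a string naming the
    violated rule. An empty list is valid: the group then only exposes its
    Trust List and allows no Certificates to be assigned.
    """
    types = list(certificate_types)
    if not types:
        return None
    bases = set()
    for t in types:
        base = next((b for b in COMMON_BASES if is_subtype_of(t, b)), None)
        if base is None:
            return f"{t} is not a subtype of ApplicationCertificateType or HttpsCertificateType"
        bases.add(base)
    if len(bases) > 1:
        return "CertificateTypes mixes ApplicationCertificateType and HttpsCertificateType subtypes"
    return None


def certificate_type_allowed(requested: str, certificate_types: Iterable[str]) -> bool:
    """Decide whether a Certificate of type `requested` may be assigned to an
    Application of this group: it must match a listed type exactly, or be a
    subtype of a listed abstract type. An empty list allows nothing."""
    for listed in certificate_types:
        if listed == requested:
            return True
        if listed in ABSTRACT_TYPES and is_subtype_of(requested, listed):
            return True
    return False
```

A Server would run `validate_certificate_types` once when the Certificate Group is configured, and `certificate_type_allowed` on every request that assigns a Certificate to an Application in that group.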

The CertificateExpired Object is an Alarm which is raised when the Certificate associated with the CertificateGroup is about to expire. The CertificateExpirationAlarmType is defined in OPC 10000-9.

The TrustListOutOfDate Object is an Alarm which is raised when the Trust List has not been updated within the period specified by the UpdateFrequency (see 7.5.2). The TrustListOutOfDateAlarmType is defined in 7.5.9.

The GetRejectedList Method returns the list of Certificates that have been rejected by the Server when using the TrustList associated with the CertificateGroup. It can be used to track activity or allow administrators to move a rejected Certificate into the TrustList.

No rules are defined for how the Server updates this list or how long a Certificate is kept in the list. It is recommended that every valid but untrusted Certificate be added to the rejected list as long as storage is available. Servers should omit older entries from the list returned if the maximum message size is not large enough to allow the entire list to be returned.

This Method requires an encrypted channel and that the Client provides credentials with administrative rights on the Server.

Signature

    GetRejectedList(
        [out] ByteString[] certificates
    );

| Argument | Description |
|---|---|
| certificates | The DER encoded form of the Certificates rejected by the Server. |

Method Result Codes (defined in Call Service)

| Result Code | Description |
|---|---|
| Bad_UserAccessDenied | The current user does not have the rights required. |
| Bad_SecurityModeInsufficient | The SecureChannel is not encrypted. |
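The Method's preconditions (encrypted channel, administrative user), the recommendation to keep every valid but untrusted Certificate while storage lasts, and the rule to omit older entries when the maximum message size is too small fit together as one server-side handler. The following is an added example, not code from the specification or from any OPC UA stack: the `RejectedList` class, the function names and the eviction policy are the example's own, the Certificates are constructed byte strings rather than real DER, and `encoded_size` approximates the OPC UA Binary size of a ByteString array (Int32 count plus an Int32 length prefix per element) while ignoring message headers.

```python
# Added example (not from the OPC UA specification): a server-side rejected
# list and a GetRejectedList handler applying the Method's preconditions.
from collections import OrderedDict
from typing import List, Tuple

# Result codes from the Method definition; "Good" is the Call Service success code.
GOOD = "Good"
BAD_USER_ACCESS_DENIED = "Bad_UserAccessDenied"
BAD_SECURITY_MODE_INSUFFICIENT = "Bad_SecurityModeInsufficient"

# MessageSecurityMode values of the SecureChannel.
MODE_NONE, MODE_SIGN, MODE_SIGN_AND_ENCRYPT = 1, 2, 3

INT32_LEN = 4  # OPC UA Binary: array count and each ByteString length are Int32


class RejectedList:
    """Rejected Certificates kept in insertion order, newest last.

    The DER bytes are the key, so a Certificate rejected repeatedly is stored
    once and moved to the newest end each time. Retention is bounded by
    max_entries (assumption: the spec leaves retention policy to the Server).
    """

    def __init__(self, max_entries: int = 1000) -> None:
        self._entries: "OrderedDict[bytes, None]" = OrderedDict()
        self._max_entries = max_entries

    def add(self, certificate_der: bytes) -> None:
        """Record a valid-but-untrusted Certificate; evict the oldest on overflow."""
        if certificate_der in self._entries:
            self._entries.move_to_end(certificate_der)
        else:
            self._entries[certificate_der] = None
        while len(self._entries) > self._max_entries:
            self._entries.popitem(last=False)

    def newest_first(self) -> List[bytes]:
        return list(reversed(self._entries.keys()))


def encoded_size(certificates: List[bytes]) -> int:
    """Approximate OPC UA Binary size of a ByteString[]: Int32 element count,
    then an Int32 length prefix and payload per element. Headers ignored."""
    return INT32_LEN + sum(INT32_LEN + len(c) for c in certificates)


def get_rejected_list(rejected: RejectedList, security_mode: int,
                      user_is_admin: bool, max_message_size: int) -> Tuple[str, List[bytes]]:
    """Server-side GetRejectedList: returns (result code, certificates newest first).

    Checks the encrypted-channel precondition before the user-rights one, then
    omits the oldest entries until the array fits within max_message_size.
    """
    if security_mode != MODE_SIGN_AND_ENCRYPT:
        return BAD_SECURITY_MODE_INSUFFICIENT, []
    if not user_is_admin:
        return BAD_USER_ACCESS_DENIED, []
    selected: List[bytes] = []
    for cert in rejected.newest_first():
        if encoded_size(selected + [cert]) > max_message_size:
            break  # everything older than this entry is omitted as well
        selected.append(cert)
    return GOOD, selected


def sample_rejected_list() -> RejectedList:
    """Build a list from constructed placeholder Certificates (not real DER)."""
    rl = RejectedList(max_entries=3)
    for tag in (b"A", b"B", b"C", b"D"):
        rl.add(b"\x30\x82CERT-" + tag)  # constructed 8-byte stand-in for a DER blob
    return rl
```

Because the Certificates are returned newest first, an administrator paging through a truncated result always sees the most recent rejections, which is what the tracking use case in the text needs.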

Table 21a specifies the AddressSpace representation for the GetRejectedList Method.

Table 21a – GetRejectedList Method AddressSpace Definition

| Attribute | Value |
|---|---|
| BrowseName | GetRejectedList |

| References | NodeClass | BrowseName | DataType | TypeDefinition | ModellingRule |
|---|---|---|---|---|---|
| HasProperty | Variable | OutputArguments | Argument[] | PropertyType | Mandatory |