Certificate management functions comprise the management and distribution of certificates and Trust Lists for OPC UA Applications. An application that provides the certificate management functions is called CertificateManager. GDS and CertificateManager will typically be combined in one application. The basic concepts regarding Certificate management are described in OPC 10000-2.

There are two primary models for Certificate management: pull and push management. In pull management, the application acts as a Client and uses the Methods on the CertificateManager to request and update Certificates and Trust Lists. The application is responsible for ensuring the Certificates and Trust Lists are kept up to date. In push management the application acts as a Server and exposes Methods which the CertificateManager can call to update the Certificates and Trust Lists as required.

The GDS is intended to work in conjunction with different Certificate Management services such as Active Directory. The GDS provides a standard OPC UA based information model that all OPC UA applications can support without needing to know the specifics of a particular Certificate Management system.

The CertificateManager shall support the following use cases:

  • Provisioning (First time setup for a device/application);
  • Renewal (Renewing expired or compromised certificates);
  • Trust List Update (Updating the Trust Lists including the Revocation Lists);
  • Revocation (Removing a device/application from the system).

Although it is generally assumed that Client applications will use the Pull model and Server applications will use the Push model, this is not required.

During provisioning, the CertificateManager shall be able to operate in a mode where any Client is allowed to connect securely with any valid Certificate and user credentials are used to determine the rights a Client has; this eliminates the need to configure Trust Lists before connecting to the CertificateManager for provisioning.

Application vendors may decide to build the interaction with the CertificateManager as a separate component, e.g. as part of an administration application with access to the OPC UA configuration of this Application. This is transparent for the CertificateManager and will not be considered further in the rest of this chapter.

This standard does not define how to administer a CertificateManager but a CertificateManager shall provide an integrated system that includes both push and pull management.

Pull Management is performed by using the CertificateManager information model – in particular the Methods - defined in 7.6. The interactions between Application and CertificateManager during Pull Management are illustrated in Figure 12.

image015.png

Figure 12 – The Pull Certificate Management Model

The Application Administration component may be part of the Application or a standalone utility that understands how the Application persists its configuration information in its Configuration Database.

A similar process is used to renew certificates or to periodically update Trust List.

Security in Pull management requires an encrypted channel and the use of Administrator credentials for the CertificateManager that ensure only authorized users can register new Applications and request an initial new Certificate. Once an Application has a Certificate it can use this Certificate to renew the Certificate or to update Trust Lists and Revocation lists. It is important that a CertificateManager does not provide certificate renewals except to the applications that already own the prior certificate.

Push management is targeted at Server applications and relies on Methods defined in 7.7 to get a Certificate Request which can be passed onto the CertificateManager. After the CertificateManager signs the Certificate the new Certificate is pushed to the Server with the UpdateCertificate Method.

The interactions between a Server Application and CertificateManager during Push Management are illustrated in Figure 13.

image016.png

Figure 13 – The Push Certificate Management Model

The Administration Component may be part of the CertificateManager or a standalone utility that uses OPC UA to communicate with the CertificateManager (see 7.2 for a more complete description of the interactions required for this use case). The Configuration Database is used by the Server to persist its configuration information. The RegisterApplication Method (or internal equivalent) is assumed to have been called before the sequence in the diagram starts.

A similar process is used to renew certificates or to periodically update Trust List.

Security when using the Push Management Model requires an encrypted channel and the use of Administrator credentials for the Server that ensure only authorized users can update Certificates or Trust Lists. In addition, separate Administrator credentials are required for the CertificateManager that ensure only authorized users can register new Servers and request new Certificates.

Provisioning is the initial installation of an OPC UA Server or Client into a system in which a GDS is available and managing all certificates. For applications using Client interface provisioning can be accomplished using a pull model. Applications using the Server interface can be provisioned using the push model.

OPC UA Servers will typically auto-generate a self-signed Certificate when they first start. They may also have a pre-configured Trust List with Applications that are allowed to provision the Server. For example, a device vendor may use a CA that is used to issue Certificates to Applications used by their field technicians.

For embedded devices, the Server should allow any Client that provides the proper Administrator credentials to create the secure connection needed for provisioning using push management. Once the device has been given its initial Trust List the Server should then restrict access to those Clients with Certificates in the Trust List. A vendor specific process for provisioning is required if a device does not allow any Client to connect securely for provisioning.

See G.1 for more specific examples of how to provision an application.

The common information model defines types that are used in both the Push and the Pull Model.

This type defines a FileType that can be used to access a Trust List.

The CertificateManager uses this type to implement the Pull Model.

Servers use this type when implementing the Push Model.

An instance of a TrustListType shall restrict access to appropriate users or applications. This may be a CertificateManager administrative user that can change the contents of a Trust List, it may be an Administrative user that is reading a Trust List to deploy to an Application host or it may be an Application that can only access the Trust List assigned to it.

The Trust List file is a UA Binary encoded stream containing an instance of TrustListDataType (see 7.5.7).

The Open Method shall not support modes other than Read (0x01) and the Write + EraseExisting (0x06).

When a Client opens the file for writing the Server will not actually update the Trust List until the CloseAndUpdate Method is called. Simply calling Close will discard the updates. The bit masks in TrustListDataType structure allow the Client to only update part of the Trust List.

When the CloseAndUpdate Method is called the Server will validate all new Certificates and CRLs. If this validation fails the Trust List is not updated and the Server returns the appropriate Certificate error code (see OPC 10000-4).

Table 13 – TrustListType Definition

Attribute

Value

BrowseName

TrustListType

Namespace

CORE (see 3.3)

IsAbstract

False

References

NodeClass

BrowseName

DataType

TypeDefinition

Modelling Rule

Subtype of the FileType defined in OPC 10000-5.

HasProperty

Variable

LastUpdateTime

UtcTime

PropertyType

Mandatory

HasProperty

Variable

UpdateFrequency

Duration

PropertyType

Optional

HasComponent

Method

OpenWithMasks

Defined in 7.5.3.

Mandatory

HasComponent

Method

CloseAndUpdate

Defined in 7.5.4.

Optional

HasComponent

Method

AddCertificate

Defined in 7.5.5.

Optional

HasComponent

Method

RemoveCertificate

Defined in 7.5.6.

Optional

The LastUpdateTime indicates when the Trust List was last updated via Trust List Object Methods. This can be used to determine if a device has an up to date Trust List or to detect unexpected modifications. Out of band changes are not necessarily reported by this value.

The UpdateFrequency Property specifies how often the Trust List needs to be checked for changes. When the CertificateManager specifies this value, all Clients that read a copy of the Trust List should connect to the CertificateManager and check for updates to the Trust List within 2 times the UpdateFrequency. If the Trust List Object is contained within a ServerConfiguration Object then this value specifies how frequently the Server expects the Trust List to be updated.

If auditing is supported, the CertificateManager shall generate the TrustListUpdatedAuditEventType (see 7.5.18) if the CloseAndUpdate, AddCertificate or RemoveCertificate Methods are called.

The OpenWithMasks Method allows a Client to read only the portion of the Trust List.

This Method can only be used to read the Trust List.

Signature

OpenWithMasks(

[in] UInt32 masks

[out] UInt32 fileHandle

);

Argument

Description

masks

The parts of the Trust List that are include in the file to read.

The masks are defined in 7.5.8.

fileHandle

The handle of the newly opened file.

Method Result Codes (defined in Call Service)

Result Code

Description

Bad_UserAccessDenied

The current user does not have the rights required.

Table 14 specifies the AddressSpace representation for the OpenWithMasks Method.

Table 14 – OpenWithMasks Method AddressSpace Definition

Attribute

Value

BrowseName

OpenWithMasks

References

NodeClass

BrowseName

DataType

TypeDefinition

ModellingRule

HasProperty

Variable

InputArguments

Argument[]

PropertyType

Mandatory

HasProperty

Variable

OutputArguments

Argument[]

PropertyType

Mandatory

The CloseAndUpdate Method closes the file and applies the changes to the Trust List. It can only be called if the file was opened for writing. If the Close Method is called any cached data is discarded and the Trust List is not changed.

The Server shall verify that every Certificate in the new Trust List is valid according to the mandatory rules defined in OPC 10000-4. If an invalid Certificate is found the Server shall return an error and shall not update the Trust List. If only part of the Trust List is being updated the Server creates a temporary Trust List that includes the existing Trust List plus any updates and validates the temporary Trust List.

If the file cannot be processed this Method still closes the file and discards the data before returning an error. This Method is required if the Server supports updates to the Trust List.

The structure uploaded includes a mask (see 7.5.8) which specifies which fields are updated. If a bit is not set then the associated field is not changed.

Signature

CloseAndUpdate(

[in] UInt32 fileHandle

[out] Boolean applyChangesRequired

);

Argument

Description

fileHandle

The handle of the previously opened file.

applyChangesRequired

A flag indicating whether the ApplyChanges Method (see 7.7.5) shall be called before the new Trust List will be used by the Server.

Method Result Codes (defined in Call Service)

Result Code

Description

Bad_UserAccessDenied

The current user does not have the rights required.

Bad_CertificateInvalid

The Server could not validate all Certificates in the Trust List.

The DiagnosticInfo shall specify which Certificate(s) are invalid and the specific error.

Table 15 specifies the AddressSpace representation for the CloseAndUpdate Method.

Table 15 – CloseAndUpdate Method AddressSpace Definition

Attribute

Value

BrowseName

CloseAndUpdate

References

NodeClass

BrowseName

DataType

TypeDefinition

ModellingRule

HasProperty

Variable

InputArguments

Argument[]

PropertyType

Mandatory

HasProperty

Variable

OutputArguments

Argument[]

PropertyType

Mandatory

The AddCertificate Method allows a Client to add a single Certificate to the Trust List. The Server shall verify that the Certificate is valid according to the rules defined in OPC 10000-4. If an invalid Certificate is found the Server shall return an error and shall not update the Trust List.

If the Certificate is issued by a CA then the Client shall provide the entire chain in the certificate argument (see OPC 10000-6). After validating the Certificate, the Server shall add the CA Certificates to the Issuers list in the Trust List. The leaf Certificate is added to the list specified by the isTrustedCertificate argument.

This method cannot be called if the file object is open.

AddCertificate(

[in] ByteString certificate

[in] Boolean isTrustedCertificate

);

Argument

Description

Certificate

The DER encoded Certificate to add.

isTrustedCertificate

If TRUE the Certificate is added to the Trusted Certificates List.

If FALSE the Certificate is added to the Issuer Certificates List.

Method Result Codes (defined in Call Service)

Result Code

Description

Bad_UserAccessDenied

The current user does not have the rights required.

Bad_CertificateInvalid

The certificate to add is invalid.

Bad_InvalidState

The object is opened.

Table 16 specifies the AddressSpace representation for the AddCertificate Method.

Table 16 – AddCertificate Method AddressSpace Definition

Attribute

Value

BrowseName

AddCertificate

References

NodeClass

BrowseName

DataType

TypeDefinition

ModellingRule

HasProperty

Variable

InputArguments

Argument[]

PropertyType

Mandatory

The RemoveCertificate Method allows a Client to remove a single Certificate from the Trust List. It returns Bad_InvalidArgument if the thumbprint does not match a Certificate in the Trust List.

If the Certificate is a CA Certificate with associated CRLs then all CRLs are removed as well.

This method cannot be called if the file object is open.

RemoveCertificate(

[in] String thumbprint

[in] Boolean isTrustedCertificate

);

Argument

Description

Thumbprint

The SHA1 hash of the Certificate to remove.

isTrustedCertificate

If TRUE the Certificate is removed from the Trusted Certificates List.

If FALSE the Certificate is removed from the Issuer Certificates List.

Method Result Codes (defined in Call Service)

Result Code

Description

Bad_UserAccessDenied

The current user does not have the rights required.

Bad_InvalidArgument

The certificate to remove was not found.

Bad_InvalidState

The object is opened.

Table 17 specifies the AddressSpace representation for the RemoveCertificate Method.

Table 17 – RemoveCertificate Method AddressSpace Definition

Attribute

Value

BrowseName

RemoveCertificate

References

NodeClass

BrowseName

DataType

TypeDefinition

ModellingRule

HasProperty

Variable

InputArguments

Argument[]

PropertyType

Mandatory

This type defines a DataType which stores the Trust List of a Server. Its values are defined in Table 18.

Table 18 – TrustListDataType Structure

Name

Type

Description

TrustListDataType

structure

specifiedLists

UInt32

A bit mask which indicates which lists contain information.

The TrustListMasks enumeration in 7.5.8 defines the allowed values.

trustedCertificates

ByteString[]

The list of Application and CA Certificates which are trusted.

trustedCrls

ByteString[]

The CRLs for the Certificates in the trustedCertificates list.

issuerCertificates

ByteString[]

The list of CA Certificates which are necessary to validate Certificates.

issuerCrls

ByteString[]

The CRLs for the CA Certificates in the issuerCertificates list.

Its representation in the AddressSpace is defined in Table 18a.

Table 18a – TrustListDataType Definition

Attribute

Value

BrowseName

TrustListDataType

Namespace

CORE (see 3.3)

IsAbstract

False

References

NodeClass

BrowseName

DataType

TypeDefinition

Other

Subtype of the Structure DataType defined in OPC 10000-5.

This is a DataType that defines the values used for the SpecifiedLists field in the TrustListDataType. Its values are defined in Table 19.

Table 19 – TrustListMasks Enumeration

Name

Description

None_0

No fields are provided.

TrustedCertificates_1

The TrustedCertificates are provided.

TrustedCrls_2

The TrustedCrls are provided.

IssuerCertificates_4

The IssuerCertificates are provided.

IssuerCrls_8

The IssuerCrls are provided.

All_15

All fields are provided.

Its representation in the AddressSpace is defined in Table 19a.

Table 19a – TrustListMasks Definition

Attribute

Value

BrowseName

TrustListMasks

Namespace

CORE (see 3.3)

IsAbstract

False

References

NodeClass

BrowseName

DataType

TypeDefinition

Other

Subtype of the Enumeration DataType defined in OPC 10000-5.

HasProperty

Variable

EnumValues

EnumValueType []

PropertyType

This SystemOffNormalAlarmType is raised by the Server when the UpdateFrequency elapses and the Trust List has not been updated. This alarm automatically returns to normal when the Trust List is updated.

Table 20 – TrustListOutOfDateAlarmType definition

Attribute

Value

BrowseName

TrustListOutOfDateAlarmType

Namespace

CORE (see 3.3)

IsAbstract

False

References

NodeClass

BrowseName

DataType

TypeDefinition

ModellingRule

Subtype of the SystemOffNormalAlarmType defined in OPC 10000-9.

HasProperty

Variable

TrustListId

NodeId

PropertyType

Mandatory

HasProperty

Variable

LastUpdateTime

UtcTime

PropertyType

Mandatory

HasProperty

Variable

UpdateFrequency

Duration

PropertyType

Mandatory

TrustListId Property specifies the NodeId of the out of date Trust List Object.

LastUpdateTime Property specifies when the Trust List was last updated.

UpdateFrequency Property specifies how frequently the Trust List needs to be updated.

This type is used for Objects which represent Certificate Groups in the AddressSpace. A Certificate Group is a context that contains a Trust List and one or more Certificates that can be assigned to an Application. This type exists to allow an Application which has multiple Trust Lists and/or Application Certificates to express them in its AddressSpace. This type is defined in Table 21.

Table 21 – CertificateGroupType Definition

Attribute

Value

BrowseName

CertificateGroupType

Namespace

CORE (see 3.3)

IsAbstract

False

References

NodeClass

BrowseName

DataType

TypeDefinition

Modelling Rule

Subtype of the BaseObjectType defined in OPC 10000-5.

HasComponent

Object

TrustList

-

TrustListType

Mandatory

HasProperty

Variable

CertificateTypes

NodeId[]

PropertyType

Mandatory

HasComponent

Object

CertificateExpired

CertificateExpirationAlarmType

Optional

HasComponent

Object

TrustListOutOfDate

TrustListOutOfDateAlarmType

Optional

HasComponent

Method

GetRejectedList

See 7.5.10.1.

Optional

The TrustList Object is the Trust List associated with the Certificate Group.

The CertificateTypes Property specifies the NodeIds of the CertificateTypes which may be assigned to Applications which belong to the Certificate Group. For example, a Certificate Group with the NodeId of RsaMinApplicationCertificateType (see 7.5.15) and the NodeId RsaSha256ApplicationCertificate (see 7.5.16) specified allows an Application to have one Application Instance Certificates for each type. Abstract base types may be used in this value and indicate that any subtype is allowed. If this list is empty then the Certificate Group does not allow Certificates to be assigned to Applications (i.e. the Certificate Group exists to allow the associated Trust List to be read or updated). All CertificateTypes for a given Certificate Group shall be subtypes of a single common type which shall be either ApplicationCertificateType or HttpsCertificateType.

The CertificateExpired Object is an Alarm which is raised when the Certificate associated with the CertificateGroup is about to expire. The CertificateExpirationAlarmType is defined in OPC 10000-9.

The TrustListOutOfDate Object is an Alarm which is raised when the Trust List has not been updated within the period specified by the UpdateFrequency (see 7.5.2). The TrustListOutOfDateAlarmType is defined in 7.5.9.

The GetRejectedList Method returns the list of Certificates that have been rejected by the Server when using the TrustList associated with the CertificateGroup. It can be used to track activity or allow administrators to move a rejected Certificate into the TrustList.

No rules are defined for how the Server updates this list or how long a Certificate is kept in the list. It is recommended that every valid but untrusted Certificate be added to the rejected list as long as storage is available. Servers should omit older entries from the list returned if the maximum message size is not large enough to allow the entire list to be returned.

This Method requires an encrypted channel and that the Client provides credentials with administrative rights on the Server.

Signature

GetRejectedList(

[out] ByteString[] certificates

);

Argument

Description

certificates

The DER encoded form of the Certificates rejected by the Server.

Method Result Codes (defined in Call Service)

Result Code

Description

Bad_UserAccessDenied

The current user does not have the rights required.

Bad_SecurityModeInsufficient

The SecureChannel is not encrypted.

Table 21a specifies the AddressSpace representation for the GetRejectedList Method.

Table 21a – GetRejectedList Method AddressSpace Definition

Attribute

Value

BrowseName

GetRejectedList

References

NodeClass

BrowseName

DataType

TypeDefinition

ModellingRule

HasProperty

Variable

OutputArguments

Argument[]

PropertyType

Mandatory

This type is an abstract base type for types that describe the purpose of a Certificate. This type is defined in Table 22.

Table 22 – CertificateType Definition

Attribute

Value

BrowseName

CertificateType

Namespace

CORE (see 3.3)

IsAbstract

True

References

NodeClass

BrowseName

DataType

TypeDefinition

Modelling Rule

Subtype of the BaseObjectType defined in OPC 10000-5.

HasSubtype

ObjectType

ApplicationCertificateType

Defined in 7.5.12.

HasSubtype

ObjectType

HttpsCertificateType

Defined in 7.5.13.

HasSubtype

ObjectType

UserCredentialCertificateType

Defined in 7.5.14.

This type is an abstract base type for types that describe the purpose of an ApplicationInstanceCertificate. This type is defined in Table 23.

Table 23 – ApplicationCertificateType Definition

Attribute

Value

BrowseName

ApplicationCertificateType

Namespace

CORE (see 3.3)

IsAbstract

True

References

NodeClass

BrowseName

DataType

TypeDefinition

Modelling Rule

Subtype of the CertificateType defined in 7.5.11.

HasSubtype

ObjectType

RsaMinApplicationCertificateType

Defined in 7.5.15.

HasSubtype

ObjectType

RsaSha256ApplicationCertificateType

Defined in 7.5.16.

This type is used to describe Certificates that are intended for use as HTTPS Certificates. This type is defined in Table 24.

Table 24 – HttpsCertificateType Definition

Attribute

Value

BrowseName

HttpsCertificateType

Namespace

CORE (see 3.3)

IsAbstract

False

References

NodeClass

BrowseName

DataType

TypeDefinition

Modelling Rule

Subtype of the CertificateType defined in 7.5.11.

This type is used to describe Certificates that are intended for use as user credentials. This type is defined in Table 25.

Table 25 – UserCredentialCertificateType Definition

Attribute

Value

BrowseName

UserCredentialCertificateType

Namespace

CORE (see 3.3)

IsAbstract

False

References

NodeClass

BrowseName

DataType

TypeDefinition

Modelling Rule

Subtype of the CertificateType defined in 7.5.11.

This type is used to describe Certificates intended for use as an ApplicationInstanceCertificate. They shall have an RSA key size of 1024 or 2048 bits. All Applications which support the Basic128Rsa15 and Basic256 profiles (see OPC 10000-7) shall have a Certificate of this type. This type is defined in Table 26.

Table 26 – RsaMinApplicationCertificateType Definition

Attribute

Value

BrowseName

RsaMinApplicationCertificateType

Namespace

CORE (see 3.3)

IsAbstract

False

References

NodeClass

BrowseName

DataType

TypeDefinition

Modelling Rule

Subtype of the ApplicationCertificateType defined in 7.5.12

This type is used to describe Certificates intended for use as an ApplicationInstanceCertificate. They shall have an RSA key size of 2048, 3072 or 4096 bits. All Applications which support the Basic256Sha256 profile (see OPC 10000-7) shall have a Certificate of this type. This type is defined in Table 27.

Table 27 – RsaSha256ApplicationCertificateType Definition

Attribute

Value

BrowseName

RsaSha256ApplicationCertificateType

Namespace

CORE (see 3.3)

IsAbstract

False

References

NodeClass

BrowseName

DataType

TypeDefinition

Modelling Rule

Subtype of the ApplicationCertificateType defined in 7.5.12

This type is used for Folders which organize Certificate Groups in the AddressSpace. This type is defined in Table 21.

Table 28 – CertificateGroupFolderType Definition

Attribute

Value

BrowseName

CertificateGroupFolderType

Namespace

CORE (see 3.3)

IsAbstract

False

References

NodeClass

BrowseName

DataType

TypeDefinition

Modelling Rule

Subtype of the FolderType defined in OPC 10000-5.

HasComponent

Object

DefaultApplicationGroup

CertificateGroupType

Mandatory

HasComponent

Object

DefaultHttpsGroup

CertificateGroupType

Optional

HasComponent

Object

DefaultUserTokenGroup

CertificateGroupType

Optional

Organizes

Object

<AdditionalGroup>

CertificateGroupType

OptionalPlaceholder

The DefaultApplicationGroup Object represents the default Certificate Group for Applications. It is used to access the default Application Trust List and to define the CertificateTypes allowed for the ApplicationInstanceCertificate. This Object shall specify the ApplicationCertificateType NodeId (see 7.5.12) as a single entry in the CertificateTypes list or it shall specify one or more subtypes of ApplicationCertificateType.

The DefaultHttpsGroup Object represents the default Certificate Group for HTTPS communication. It is used to access the default HTTPS Trust List and to define the CertificateTypes allowed for the HTTPS Certificate. This Object shall specify the HttpsCertificateType NodeId (see 7.5.13) as a single entry in the CertificateTypes list or it shall specify one or more subtypes of HttpsCertificateType.

This DefaultUserTokenGroup Object represents the default Certificate Group for validating user credentials. It is used to access the default user credential Trust List and to define the CertificateTypes allowed for user credentials Certificate. This Object shall leave CertificateTypes list empty.

This event is raised when a Trust List is changed.

This is the result of a CloseAndUpdate Method on a TrustListType Object being called.

It shall also be raised when the AddCertificate or RemoveCertificate Method causes an update to the Trust List.

Its representation in the AddressSpace is formally defined in Table 29.

Table 29 – TrustListUpdatedAuditEventType Definition

Attribute

Value

BrowseName

TrustListUpdatedAuditEventType

Namespace

CORE (see 3.3)

IsAbstract

True

References

NodeClass

BrowseName

DataType

TypeDefinition

ModellingRule

Subtype of the AuditUpdateMethodEventType defined in OPC 10000-5.

This EventType inherits all Properties of the AuditUpdateMethodEventType. Their semantic is defined in OPC 10000-5.

The GlobalDiscoveryServer AddressSpace used for Certificate management is shown in Figure 14. Most of the interactions between the GlobalDiscoveryServer and Application administrator or the Client will be via Methods defined on the Directory folder.

image017.png

Figure 14 – The Certificate Management AddressSpace for the GlobalDiscoveryServer

This ObjectType is the TypeDefinition for the root of the CertificateManager AddressSpace. It provides additional Methods for Certificate management which are shown in Table 30.

Table 30 – CertificateDirectoryType ObjectType Definition

Attribute

Value

BrowseName

CertificateDirectoryType

Namespace

GDS (see 3.3)

IsAbstract

False

References

NodeClass

BrowseName

DataType

TypeDefinition

Modelling Rule

Subtype of the DirectoryType defined in 6.3.3.

Organizes

Object

CertificateGroups

CertificateGroup

FolderType

Mandatory

HasComponent

Method

StartSigningRequest

Defined in 7.6.3.

Mandatory

HasComponent

Method

StartNewKeyPairRequest

Defined in 7.6.4.

Mandatory

HasComponent

Method

FinishRequest

Defined in 7.6.5.

Mandatory

HasComponent

Method

GetCertificateGroups

Defined in 7.6.6.

Mandatory

HasComponent

Method

GetTrustList

Defined in 7.6.6.

Mandatory

HasComponent

Method

GetCertificateStatus

Defined in 7.6.8.

Mandatory

HasComponent

Method

RevokeCertificate

Defined in 7.6.8.1

Optional

The CertificateGroups Object organizes the Certificate Groups supported by the CertificateManager. It is described in 7.5.17. CertificateManagers shall support the DefaultApplicationGroup and may support the DefaultHttpsGroup or the DefaultUserTokenGroup. CertificateManagers may support additional Certificate Groups depending on their requirements. For example, a CertificateManager with multiple Certificate Authorities would represent each as a CertificateGroupType Object organized by CertificateGroups Folder. Clients could then request Certificates issued by a specific CA by passing the appropriate NodeId to the StartSigningRequest or StartNewKeyPairRequest Methods.

The StartSigningRequest Method is used to request a new a Certificate that is signed by a CA managed by the CertificateManager. This Method is recommended when the caller already has a private key.

The StartNewKeyPairRequest Method is used to request a new Certificate that is signed by a CA managed by the CertificateManager along with a new private key. This Method is used only when the caller does not have a private key and cannot generate one.

The FinishRequest Method is used to check that a Certificate request has been approved by the CertificateManager Administrator. If successful the Certificate and Private Key (if requested) are returned.

The GetCertificateGroups Method returns a list of NodeIds for CertificateGroupType Objects that can be used to request Certificates or Trust Lists for an Application.

The GetTrustList Method returns a NodeId of a TrustListType Object that can be used to read a Trust List for an Application.

The GetCertificateStatus Method checks whether the Application needs to update its Certificate.

StartSigningRequest is used to initiate a request to create a Certificate which uses the private key which the caller currently has. The new Certificate is returned in the FinishRequest response.

Signature

StartSigningRequest(

[in] NodeId applicationId

[in] NodeId certificateGroupId

[in] NodeId certificateTypeId

[in] ByteString certificateRequest

[out] NodeId requestId

);

Argument

Description

applicationId

The identifier assigned to the Application record by the CertificateManager.

certificateGroupId

The NodeId of the Certificate Group which provides the context for the new request.

If null the CertificateManager shall choose the DefaultApplicationGroup.

certificateTypeId

The NodeId of the CertificateType for the new Certificate.

If null the CertificateManager shall generate a Certificate based on the value of the certificateGroupId argument.

certificateRequest

A CertificateRequest used to prove possession of the Private Key.

It is a PKCS #10 encoded blob in DER format.

This blob shall include the subjectAltName extension that is in the Certificate.

requestId

The NodeId that represents the request.

This value is passed to FinishRequest .

The call returns the NodeId that is passed to the FinishRequest Method.

The certificateGroupId parameter allows the caller to specify a Certificate Group that provides context for the request. If null the CertificateManager shall choose the DefaultApplicationGroup. The set of available Certificate Groups are found in the CertificateGroups folder described in 7.6.2. The Certificate Groups allowed for an Application are returned by the GetCertificateGroups Method (see 7.6.6).

The certificateTypeId parameter specifies the type of Certificate to return. The permitted values are specified by the CertificateTypes Property of the Object specified by the certificateGroupId parameter.

The certificateRequest parameter is a DER encoded Certificate Request. The subject name, subject alternative name and public key are copied into the new Certificate.

If the certificateTypeId is a subtype of ApplicationCertificateType the subject name shall have an organization (O=) or domain name (DC=) field. The public key length shall meet the length restrictions for the CertificateType. If the certificateType is a subtype of HttpsCertificateType the Certificate common name (CN=) shall be the same as a domain from a DiscoveryUrl which uses HTTPS and the subject name shall have an organization (O=) field. The public key length shall be greater than or equal to 1024 bits.

The ApplicationUri shall be specified in the CSR. The CertificateManager shall return Bad_CertificateUriInvalid if the stored ApplicationUri for the Application is different from what is in the CSR.

For Servers, the list of domain names shall be specified in the CSR. The domains shall include the domain(s) in the DiscoveryUrls known to the CertificateManager.

This Method can be invoked by a configuration tool which has provided user credentials with necessary access permissions. It can also be invoked by the Application that owns the private key used to sign the CertificateRequest (e.g. the private key shall be the private key used to create the SecureChannel).

If auditing is supported, the CertificateManager shall generate the CertificateRequestedAuditEventType (see 7.6.8.1) if this Method succeeds or fails.

Method Result Codes (defined in Call Service)

Result Code

Description

Bad_NotFound

The applicationId does not refer to a registered Application.

Bad_InvalidArgument

The certificateGroupId, certificateTypeId or certificateRequest is not valid.

The text associated with the error shall indicate the exact problem.

Bad_UserAccessDenied

The current user does not have the rights required.

Bad_RequestNotAllowed

The current configuration of the CertificateManager does not allow the request.

The text associated with the error should indicate the exact reason.

Bad_CertificateUriInvalid

The ApplicationUri was not specified in the CSR or does not match the Application record.

Bad_NotSupported

The signing algorithm, public algorithm or public key size are not supported by the CertificateManager. The text associated with the error shall indicate the exact problem.

Table 31 specifies the AddressSpace representation for the StartSigningRequest Method.

Table 31 – StartSigningRequest Method AddressSpace Definition

Attribute

Value

BrowseName

StartSigningRequest

References

NodeClass

BrowseName

DataType

TypeDefinition

ModellingRule

HasProperty

Variable

InputArguments

Argument[]

PropertyType

Mandatory

HasProperty

Variable

OutputArguments

Argument[]

PropertyType

Mandatory

This Method is used to start a request for a new Certificate and Private Key. The Certificate and private key are returned in the FinishRequest response.

Signature

StartNewKeyPairRequest(

[in] NodeId applicationId

[in] NodeId certificateGroupId

[in] NodeId certificateTypeId

[in] String subjectName

[in] String[] domainNames

[in] String privateKeyFormat

[in] String privateKeyPassword

[out] NodeId requestId

);

Argument

Description

applicationId

The identifier assigned to the Application Instance by the CertificateManager.

certificateGroupId

The NodeId of the Certificate Group which provides the context for the new request.

If null the CertificateManager shall choose the DefaultApplicationGroup.

certificateTypeId

The NodeId of the CertificateType for the new Certificate.

If null the CertificateManager shall generate a Certificate based on the value of the certificateGroupId argument.

subjectName

The subject name to use for the Certificate.

If not specified the ApplicationName and/or domainNames are used to create a suitable default value.

The format of the subject name is a sequence of name value pairs separated by a ‘/’. The name shall be one of ‘CN’, ‘O’, ‘OU’, ‘DC’, ‘L’, ‘S’ or ‘C’ and shall be followed by a ‘=’ and then followed by the value. The value may be any printable character except for ‘”’. If the value contains a ‘/’ or a ‘=’ then it shall be enclosed in double quotes (‘”’).

domainNames

The domain names to include in the Certificate.

If not specified the DiscoveryUrls are used to create suitable defaults.

privateKeyFormat

The format of the private key.

The following values are always supported:

PFX- PKCS #12 encoded

PEM- Base64 encoded DER (see RFC 5958).

privateKeyPassword

The password to use for the private key.

requestId

The NodeId that represents the request.

This value is passed to FinishRequest.

The call returns the NodeId that is passed to the FinishRequest Method.

The certificateGroupId parameter allows the caller to specify a Certificate Group that provides context for the request. If null the CertificateManager shall choose the DefaultApplicationGroup. The set of available Certificate Groups are found in the CertificateGroups folder described in 7.6.2. The Certificate Groups allowed for an Application are returned by the GetCertificateGroups Method (see 7.6.6).

The certificateTypeId parameter specifies the type of Certificate to return. The permitted values are specified by the CertificateTypes Property of the Object specified by the certificateGroupId parameter.

The subjectName parameter is a sequence of X.500 name value pairs separated by a ‘/’. For example: CN=ApplicationName/OU=Group/O=Company.

If the certificateType is a subtype of ApplicationCertificateType the Certificate subject name shall have an organization (O=) or domain name (DC=) field. The public key length shall meet the length restrictions for the CertificateType. The domain name field specified in the subject name is a logical domain used to qualify the subject name that may or may not be the same as a domain or IP address in the subjectAltName field of the Certificate.

If the certificateType is a subtype of HttpsCertificateType the Certificate common name (CN=) shall be the same as a domain from a DiscoveryUrl which uses HTTPS and the subject name shall have an organization (O=) field.

If the subjectName is blank or null the CertificateManager generates a suitable default.

The domainNames parameter is list of domains to be includes in the Certificate. If it is null or empty the GDS uses the DiscoveryUrls of the Server to create a list. For Clients the domainNames are omitted from the Certificate if they are not explicitly provided.

The privateKeyFormat specifies the format of the private key returned. All CertificateManager implementations shall support “PEM” and “PFX”.

The privateKeyPassword specifies the password on the private key. The CertificateManager shall not persist this information and shall discard it once the new private key is generated.

This Method can be invoked by a configuration tool which has provided user credentials with necessary access permissions.

If auditing is supported, the CertificateManager shall generate the CertificateRequested AuditEventType (see 7.6.8.1) if this Method succeeds or fails.

Method Result Codes (defined in Call Service)

Result Code

Description

Bad_NodeIdUnknown

The applicationId does not refer to a registered Application.

Bad_InvalidArgument

The certificateGroupId, certificateTypeId, subjectName, domainNames or privateKeyFormat parameter is not valid.

The text associated with the error shall indicate the exact problem.

Bad_UserAccessDenied

The current user does not have the rights required.

Bad_RequestNotAllowed

The current configuration of the CertificateManager does not allow the request.

The text associated with the error should indicate the exact reason.

Table 32 specifies the AddressSpace representation for the StartNewKeyPairRequest Method.

Table 32 – StartNewKeyPairRequest Method AddressSpace Definition

Attribute

Value

BrowseName

StartNewKeyPairRequest

References

NodeClass

BrowseName

DataType

TypeDefinition

ModellingRule

HasProperty

Variable

InputArguments

Argument[]

PropertyType

Mandatory

HasProperty

Variable

OutputArguments

Argument[]

PropertyType

Mandatory

FinishRequest is used to finish a certificate request started with a call to StartNewKeyPairRequest or StartSigningRequest.

Signature

FinishRequest (

[in] NodeId applicationId

[in] NodeId requestId

[out] ByteString certificate

[out] ByteString privateKey

[out] ByteString[] issuerCertificates

);

Argument

Description

applicationId

The identifier assigned to the Application Instance by the GDS.

requestId

The NodeId returned by StartNewKeyPairRequest or StartSigningRequest.

certificate

The DER encoded Certificate.

privateKey

The private key encoded in the format requested.

If a password was supplied the blob is protected with it.

This field is null if no private key was requested.

issuerCertificates

The Certificates required to validate the new Certificate.

This call is passes the NodeId returned by a previous call to StartNewKeyPairRequest or StartSigningRequest.

It is expected that a Client will periodically call this Method until the GDS has approved the request.

This Method can be invoked by a configuration tool which has provided user credentials with necessary access permissions. It can also be invoked by the Application that owns the Certificate (e.g. the private key used to create the channel shall be the same as the private key used to sign the request passed to StartSigningRequest).

The Method shall only be called via a SecureChannel with encryption enabled.

If auditing is supported, the GDS shall generate the CertificateDeliveredAuditEventType (see 7.6.10) if this Method succeeds or if it fails with anything but Bad_NothingToDo.

Method Result Codes (defined in Call Service)

Result Code

Description

Bad_NotFound

The applicationId does not refer to a registered Application.

Bad_InvalidArgument

The requestId is does not reference to a valid request for the Application.

Bad_NothingToDo

There is nothing to do because request has not yet completed.

Bad_UserAccessDenied

The current user does not have the rights required.

Bad_RequestNotAllowed

The CertificateManager rejected the request.

The text associated with the error should indicate the exact reason.

Table 33 specifies the AddressSpace representation for the FinishRequest Method.

Table 33 – FinishRequest Method AddressSpace Definition

Attribute

Value

BrowseName

FinishRequest

References

NodeClass

BrowseName

DataType

TypeDefinition

ModellingRule

HasProperty

Variable

InputArguments

Argument[]

PropertyType

Mandatory

HasProperty

Variable

OutputArguments

Argument[]

PropertyType

Mandatory

GetCertificateGroups returns the Certificate Groups assigned to Application.

Signature

GetCertificateGroups(

[in] NodeId applicationId

[out] NodeId[] certificateGroupIds

);

Argument

Description

applicationId

The identifier assigned to the Application by the GDS.

certificateGroupIds

An identifier for the Certificate Groups assigned to the Application.

A Certificate Group provides a Trust List and one or more CertificateTypes which may be assigned to an Application. The values returned by this Method are passed to the GetTrustList (see 7.6.7), StartSigningRequest (see 7.6.3) or StartNewKeyPairRequest (see 7.6.4) Methods.

This Method can be invoked by a configuration tool which has provided user credentials with necessary access permissions. It can also be invoked by the Application identified by the applicationId (e.g. the private key used to create the channel shall be private key associated with the Certificate assigned to the Application).

Method Result Codes (defined in Call Service)

Result Code

Description

Bad_NotFound

The applicationId does not refer to a registered Application.

Bad_UserAccessDenied

The current user does not have the rights required.

Table 35 specifies the AddressSpace representation for the GetCertificateGroups Method.

Table 34 – GetCertificateGroups Method AddressSpace Definition

Attribute

Value

BrowseName

GetCertificateGroups

References

NodeClass

BrowseName

DataType

TypeDefinition

ModellingRule

HasProperty

Variable

InputArguments

Argument[]

PropertyType

Mandatory

HasProperty

Variable

OutputArguments

Argument[]

PropertyType

Mandatory

GetTrustList is used to retrieve the NodeId of a Trust List assigned to an Application.

Signature

GetTrustList(

[in] NodeId applicationId

[in] NodeId certificateGroupId

[out] NodeId trustListId

);

Argument

Description

applicationId

The identifier assigned to the Application by the GDS.

certificateGroupId

An identifier for a Certificate Group that the Application belongs to.

trustListId

The NodeId for a Trust List Object that can be used to download the Trust List assigned to the Application.

Access permissions also apply to the Trust List Objects which are returned by this Method. This Trust List includes any Certificate Revocation Lists (CRLs) associated with issuer Certificates in the Trust List.

This Method can be invoked by a configuration tool which has provided user credentials with necessary access permissions. It can also be invoked by the Application identified by the applicationId (e.g. the private key used to create the channel shall be private key associated with the Certificate assigned to the Application).

Method Result Codes (defined in Call Service)

Result Code

Description

Bad_NotFound

The applicationId does not refer to a registered Application.

Bad_InvalidArgument

The certificateGroupId parameter is not valid.

The text associated with the error shall indicate the exact problem.

Bad_UserAccessDenied

The current user does not have the rights required.

Table 35 specifies the AddressSpace representation for the GetTrustList Method.

Table 35 – GetTrustList Method AddressSpace Definition

Attribute

Value

BrowseName

GetTrustList

References

NodeClass

BrowseName

DataType

TypeDefinition

ModellingRule

HasProperty

Variable

InputArguments

Argument[]

PropertyType

Mandatory

HasProperty

Variable

OutputArguments

Argument[]

PropertyType

Mandatory

GetCertificateStatus is used to check if an Application needs to update its Certificate.

Signature

GetCertificateStatus(

[in] NodeId applicationId

[in] NodeId certificateGroupId

[in] NodeId certificateTypeId

[out] Boolean updateRequired

);

Argument

Description

applicationId

The identifier assigned to the Application Instance by the GDS.

certificateGroupId

The NodeId of the Certificate Group which provides the context.

If null the CertificateManager shall choose the DefaultApplicationGroup.

certificateTypeId

The NodeId of the CertificateType for the Certificate.

If null the CertificateManager shall select a Certificate based on the value of the certificateGroupId argument.

updateRequired

TRUE if the Application needs to request a new Certificate from the GDS.

FALSE if the Application can keep using the existing Certificate.

Access permissions that apply to CreateSigningRequest Method shall apply to this Method.

This Method can be invoked by a configuration tool which has provided user credentials with necessary access permissions. It can also be invoked by the Application identified by the applicationId (e.g. the private key used to create the channel shall be private key associated with the Certificate assigned to the Application).

Method Result Codes (defined in Call Service)

Result Code

Description

Bad_NotFound

The applicationId does not refer to a registered Application.

Bad_InvalidArgument

The certificateGroupId or certificateTypeId parameter is not valid.

The text associated with the error shall indicate the exact problem.

Bad_UserAccessDenied

The current user does not have the rights required.

Table 36 specifies the AddressSpace representation for the GetCertificateStatus Method.

Table 36 – GetCertificateStatus Method AddressSpace Definition

Attribute

Value

BrowseName

GetCertificateStatus

References

NodeClass

BrowseName

DataType

TypeDefinition

ModellingRule

HasProperty

Variable

InputArguments

Argument[]

PropertyType

Mandatory

HasProperty

Variable

OutputArguments

Argument[]

PropertyType

Mandatory

RevokeCertificate is used to revoke a Certificate issued by the CertificateManager.

This Method requires an encrypted channel and that the Client provides credentials with administrative rights for the application which is having the credentials revoked.

Signature

RevokeCertificate (

[in] NodeId applicationId

[in] ByteString certificate

);

Argument

Description

applicationId

The identifier assigned to the Application by the CertificateManager.

certificate

The DER encoded Certificate to revoke.

Method Result Codes (defined in Call Service)

Result Code

Description

Bad_NotFound

The applicationId does not refer to a registered Application.

Bad_InvalidArgument

The certificate is not a Certificate for the specified Application that was issued by the CertificateManager.

Bad_UserAccessDenied

The current user does not have the rights required.

Table A specifies the AddressSpace representation for the RevokeCredential Method.

Table 16A – Revoke Method AddressSpace Definition

Attribute

Value

BrowseName

Revoke

References

NodeClass

BrowseName

DataType

TypeDefinition

ModellingRule

HasProperty

Variable

InputArguments

Argument[]

PropertyType

Mandatory

This event is raised when a new certificate request has been accepted or rejected by the GDS.

This can be the result of a StartNewKeyPairRequest or StartSigningRequest Method calls.

Its representation in the AddressSpace is formally defined in Table 37.

Table 37 – CertificateRequestedAuditEventType Definition

Attribute

Value

BrowseName

CertificateRequestedAuditEventType

Namespace

GDS (see 3.3)

IsAbstract

True

References

NodeClass

BrowseName

DataType

TypeDefinition

Modelling Rule

Subtype of the AuditUpdateMethodEventType defined in OPC 10000-5.

HasProperty

Variable

CertificateGroup

NodeId

PropertyType

Mandatory

HasProperty

Variable

CertificateType

NodeId

PropertyType

Mandatory

This EventType inherits all Properties of the AuditUpdateMethodEventType. Their semantic is defined in OPC 10000-5.

The CertificateGroup Property specifies the Certificate Group that was affected by the update.

The CertificateType Property specifies the type of Certificate that was updated.

This event is raised when a certificate is delivered by the GDS to a Client.

This is the result of a FinishRequest Method completing successfully.

Its representation in the AddressSpace is formally defined in Table 38.

Table 38 – CertificateDeliveredAuditEventType Definition

Attribute

Value

BrowseName

CertificateDeliveredAuditEventType

Namespace

GDS (see 3.3)

IsAbstract

True

References

NodeClass

BrowseName

DataType

TypeDefinition

Modelling Rule

Subtype of the AuditUpdateMethodEventType defined in OPC 10000-5.

HasProperty

Variable

CertificateGroup

NodeId

PropertyType

Mandatory

HasProperty

Variable

CertificateType

NodeId

PropertyType

Mandatory

This EventType inherits all Properties of the AuditUpdateMethodEventType. Their semantic is defined in OPC 10000-5.

The CertificateGroup Property specifies the Certificate Group that was affected by the update.

The CertificateType Property specifies the type of Certificate that was updated.

If a Server supports Push Management it is required to support an information model as part of its address space. It shall support the ServerConfiguration Object shown in Figure 15. This Object shall only be visible and accessible to administrators and/or the GDS.

image018.png

Figure 15 – The AddressSpace for the Server that supports Push Management

All access to Methods defined on the ServerConfiguration Object shall be over an encrypted channel. In addition, Servers should have user credentials with administrator privileges.

This Object allows access to the Server’s configuration and it is the target of an HasComponent reference from the Server Object defined in OPC 10000-5.

This Object and its immediate children shall be visible (i.e. browse access is available) to users who can access the Server Object. The children of the CertificateGroups Object should only be visible to authorized administrators.

Its representation in the AddressSpace is formally defined in Table 39.

Table 39 – ServerConfiguration Object Definition

Attribute

Value

BrowseName

ServerConfiguration

Namespace

CORE (see 3.3)

TypeDefinition

ServerConfigurationType defined in 7.7.3.

References

NodeClass

BrowseName

DataType

TypeDefinition

Modelling Rule

This type defines an ObjectType which represents the configuration of a Server which supports Push Management . Its values are defined in Table 40. There is always exactly one instance in the Server AddressSpace.

Table 40 – ServerConfigurationType Definition

Attribute

Value

BrowseName

ServerConfigurationType

Namespace

CORE (see 3.3)

IsAbstract

False

References

NodeClass

BrowseName

DataType

Type

Definition

Modelling Rule

Subtype of the BaseObjectType defined in OPC 10000-5.

HasComponent

Object

CertificateGroups

CertificateGroup

FolderType

Mandatory

HasProperty

Variable

ServerCapabilities

String[]

PropertyType

Mandatory

HasProperty

Variable

SupportedPrivateKeyFormats

String[]

PropertyType

Mandatory

HasProperty

Variable

MaxTrustListSize

UInt32

PropertyType

Mandatory

HasProperty

Variable

MulticastDnsEnabled

Boolean

PropertyType

Mandatory

HasComponent

Method

UpdateCertificate

See 7.7.4

Mandatory

HasComponent

Method

ApplyChanges

See 7.7.5.

Mandatory

HasComponent

Method

CreateSigningRequest

See 7.7.6.

Mandatory

HasComponent

Method

GetRejectedList

See 7.7.7.

Mandatory

The CertificateGroups Object organizes the Certificate Groups supported by the Server. It is described in 7.5.17. Servers shall support the DefaultApplicationGroup and may support the DefaultHttpsGroup or the DefaultUserTokenGroup. Servers may support additional Certificate Groups depending on their requirements. For example, a Server with two network interfaces should have a different Trust List for each interface. The second Trust List would be represented as a new CertificateGroupType Object organized by CertificateGroups Folder.

The ServerCapabilities Property specifies the capabilities from Annex D which the Server supports. The value is the same as the value reported to the LocalDiscoveryServer when the Server calls the RegisterServer2 Service.

The SupportedPrivateKeyFormats specifies the PrivateKey formats supported by the Server. Possible values include “PEM” (see RFC 5958) or “PFX” (see PKCS #12). The array is empty if the Server does not allow external Clients to update the PrivateKey.

The MaxTrustListSize is the maximum size of the Trust List in bytes. 0 means no limit. The default is 65 535 bytes.

If MulticastDnsEnabled is TRUE then the Server announces itself using multicast DNS. It can be changed by writing to the Variable.

The GetRejectedList Method returns the list of Certificates which have been rejected by the Server. It can be used to track activity or allow administrators to move a rejected Certificate into the Trust List.

The UpdateCertificate Method is used to update a Certificate.

The ApplyChanges Method is used to apply any security related changes if the Server sets the applyChangesRequired flag when another Method is called. Servers should minimize the impact of applying the new configuration, however, it could require that all existing Sessions be closed and re-opened by the Clients.

The CreateSigningRequest Method asks the Server to create a PKCS #10 encoded Certificate Request that is signed with the Server’s private key.

UpdateCertificate is used to update a Certificate for a Server.

There are the following three use cases for this Method:

The Server shall do all normal integrity checks on the Certificate and all of the issuer Certificates. If errors occur the Bad_SecurityChecksFailed error is returned.

The Server shall report an error if the public key does not match the existing Certificate and the privateKey was not provided.

If the Server returns applyChangesRequired =FALSE then it is indicating that it is able to satisfy the requirements specified for the ApplyChanges Method.

This Method requires an encrypted channel and that the Client provides credentials with administrative rights on the Server.

Signature

UpdateCertificate(

[in] NodeId certificateGroupId

[in] NodeId certificateTypeId

[in] ByteString certificate

[in] ByteString[] issuerCertificates

[in] String privateKeyFormat

[in] ByteString privateKey

[out] Boolean applyChangesRequired

);

Argument

Description

certificateGroupId

The NodeId of the Certificate Group Object which is affected by the update.

If null the DefaultApplicationGroup is used.

certificateTypeId

The type of Certificate being updated. The set of permitted types is specified by the CertificateTypes Property belonging to the Certificate Group.

certificate

The DER encoded Certificate which replaces the existing Certificate.

issuerCertificates

The issuer Certificates needed to verify the signature on the new Certificate.

privateKeyFormat

The format of the Private Key (PEM or PFX). If the privateKey is not specified the privateKeyFormat is null or empty.

privateKey

The Private Key encoded in the privateKeyFormat.

applyChangesRequired

Indicates that the ApplyChanges Method shall be called before the new Certificate will be used.

Method Result Codes (defined in Call Service)

Result Code

Description

Bad_InvalidArgument

The certificateTypeId or certificateGroupId is not valid.

Bad_CertificateInvalid

The Certificate is invalid or the format is not supported.

Bad_NotSupported

The PrivateKey is invalid or the format is not supported.

Bad_UserAccessDenied

The current user does not have the rights required.

Bad_SecurityChecksFailed

Some failure occurred verifying the integrity of the Certificate.

Table 41 specifies the AddressSpace representation for the UpdateCertificate Method.

Table 41 – UpdateCertificate Method AddressSpace Definition

Attribute

Value

BrowseName

UpdateCertificate

References

NodeClass

BrowseName

DataType

TypeDefinition

ModellingRule

HasProperty

Variable

InputArguments

Argument[]

PropertyType

Mandatory

HasProperty

Variable

OutputArguments

Argument[]

PropertyType

Mandatory

ApplyChanges is used to tell the Server to apply any security changes.

This Method should only be called if a previous call to a Method that changed the configuration returns applyChangesRequired=true (see 7.7.4).

If the Server Certificate has changed, Secure Channels using the old Certificate will eventually be interrupted. The only leeway the Server has is with the timing. In the best case, the Server can close the TransportConnections for the affected Endpoints and leave any Subscriptions intact. This should appear no different than a network interruption from the perspective of the Client. The Client should be prepared to deal with Certificate changes during its reconnect logic. In the worst case, a full shutdown which affects all connected Clients will be necessary. In the latter case, the Server shall advertise its intent to interrupt connections by setting the SecondsTillShutdown and ShutdownReason Properties in the ServerStatus Variable.

If the Secure Channel being used to call this Method will be affected by the Certificate change then the Server shall introduce a delay long enough to allow the caller to receive a reply.

This Method requires an encrypted channel and that the Client provide credentials with administrative rights on the Server.

Signature

ApplyChanges();

Method Result Codes (defined in Call Service)

Result Code

Description

Bad_UserAccessDenied

The current user does not have the rights required.

Table 42 specifies the AddressSpace representation for the ApplyChanges Method.

Table 42 – ApplyChanges Method AddressSpace Definition

Attribute

Value

BrowseName

ApplyChanges

References

NodeClass

BrowseName

DataType

TypeDefinition

ModellingRule

CreateSigningRequest Method asks the Server to create a PKCS #10 DER encoded Certificate Request that is signed with the Server’s private key. This request can be then used to request a Certificate from a CA that expects requests in this format.

This Method requires an encrypted channel and that the Client provide credentials with administrative rights on the Server.

Signature

CreateSigningRequest(

[in]NodeId certificateGroupId,

[in]NodeId certificateTypeId,

[in]String subjectName,

[in]Boolean regeneratePrivateKey,

[in]ByteString nonce,

[out]ByteString certificateRequest

);

Argument

Description

certificateGroupId

The NodeId of the Certificate Group Object which is affected by the request.

If null the DefaultApplicationGroup is used.

certificateTypeId

The type of Certificate being requested. The set of permitted types is specified by the CertificateTypes Property belonging to the Certificate Group.

subjectName

The subject name to use in the Certificate Request.

If not specified the SubjectName from the current Certificate is used.

The format of the subjectName is defined in 7.6.4.

regeneratePrivateKey

If TRUE the Server shall create a new Private Key which it stores until the matching signed Certificate is uploaded with the UpdateCertificate Method. Previously created Private Keys may be discarded if UpdateCertificate was not called before calling this method again. If FALSE the Server uses its existing Private Key.

nonce

Additional entropy which the caller shall provide if regeneratePrivateKey is TRUE. It shall be at least 32 bytes long.

certificateRequest

The PKCS #10 DER encoded Certificate Request.

Method Result Codes (defined in Call Service)

Result Code

Description

Bad_InvalidArgument

The certificateTypeId, certificateGroupId or subjectName is not valid.

Bad_UserAccessDenied

The current user does not have the rights required.

Table 43 specifies the AddressSpace representation for the CreateSigningRequest Method.

Table 43 – CreateSigningRequest Method AddressSpace Definition

Attribute

Value

BrowseName

CreateSigningRequest

References

NodeClass

BrowseName

DataType

TypeDefinition

ModellingRule

HasProperty

Variable

InputArguments

Argument[]

PropertyType

Mandatory

HasProperty

Variable

OutputArguments

Argument[]

PropertyType

Mandatory

GetRejectedList Method returns the list of Certificates that have been rejected by the Server.

No rules are defined for how the Server updates this list or how long a Certificate is kept in the list. It is recommended that every valid but untrusted Certificate be added to the rejected list as long as storage is available. Servers should omit older entries from the list returned if the maximum message size is not large enough to allow the entire list to be returned.

This Method requires an encrypted channel and that the Client provides credentials with administrative rights on the Server.

Signature

GetRejectedList(

[out] ByteString[] certificates

);

Argument

Description

certificates

The DER encoded form of the Certificates rejected by the Server.

Method Result Codes (defined in Call Service)

Result Code

Description

Bad_UserAccessDenied

The current user does not have the rights required.

Table 44 specifies the AddressSpace representation for the GetRejectedList Method.

Table 44 – GetRejectedList Method AddressSpace Definition

Attribute

Value

BrowseName

GetRejectedList

References

NodeClass

BrowseName

DataType

TypeDefinition

ModellingRule

HasProperty

Variable

OutputArguments

Argument[]

PropertyType

Mandatory

This event is raised when the Application Certificate is changed.

This is the result of a UpdateCertificate Method completing successfully or failing.

Its representation in the AddressSpace is formally defined in Table 45.

Table 45 – CertificateUpdatedAuditEventType Definition

Attribute

Value

BrowseName

CertificateUpdatedAuditEventType

Namespace

CORE (see 3.3)

IsAbstract

True

References

NodeClass

BrowseName

DataType

TypeDefinition

ModellingRule

Subtype of the AuditUpdateMethodEventType defined in OPC 10000-5.

HasProperty

Variable

CertificateGroup

NodeId

PropertyType

Mandatory

HasProperty

Variable

CertificateType

NodeId

PropertyType

Mandatory

This EventType inherits all Properties of the AuditUpdateMethodEventType. Their semantic is defined in OPC 10000-5.

The CertificateGroup Property specifies the Certificate Group that was affected by the update.

The CertificateType Property specifies the type of Certificate that was updated.