UpdateCertificate is used to update a Certificate.
There are the following two use cases for this Method:
- The PrivateKey is already known to the Server (i.e. it was created with the CreateSigningRequest (see 7.10.10) or CreateSelfSignedCertificate (see 7.10.6) Method).
- The PrivateKey was created outside the Server and is updated with this Method.
The Server shall follow the validation process defined in OPC 10000-4 on the Certificate and all of the issuer Certificates. Note that the validation process requires that the TrustList associated with the CertificateGroup already contain the Issuer Certificates and any CRLs or that the issuers support online CRL checks. This Method may be called within the context of an ApplicationConfiguration Object (see 7.10.3) which means the Certificate may be used by a Client or a non-OPC UA application. Not all of the steps in the validation process will apply.
The Server shall report an error if the PublicKey does not match the existing Certificate and the PrivateKey was not provided.
If the Server returns applyChangesRequired = FALSE, it is indicating that it is able to satisfy the requirements specified for the ApplyChanges Method.
This Method shall be called from an encrypted SecureChannel and from a Client that has access to the SecurityAdmin Role (see 7.2).
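The PublicKey rule above (an error when the new Certificate's PublicKey differs from the existing one and no PrivateKey is supplied) can be checked directly on the DER bytes. The following is an added example, not text or code from the specification: the function names, the constructed sample certificates and the choice of Bad_SecurityChecksFailed for the mismatch are assumptions, and signature, chain and key-pair validation are not shown.

```python
MISMATCH = "Bad_SecurityChecksFailed"  # assumption: the page requires an error but names no code

def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: low 7 bits count the length bytes
        n = length & 0x7F
        if not 1 <= n <= 4:
            raise ValueError("unsupported DER length")
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, pos, pos + length

def spki_of(cert_der):
    """Return the encoded SubjectPublicKeyInfo: the sixth tbsCertificate field after
    the optional version (serialNumber, signature, issuer, validity, subject, SPKI)."""
    tag, start, _ = read_tlv(cert_der, 0)              # Certificate ::= SEQUENCE
    tbs_tag, pos, tbs_end = read_tlv(cert_der, start)  # tbsCertificate ::= SEQUENCE
    if tag != 0x30 or tbs_tag != 0x30:
        raise ValueError("not an X.509 certificate")
    fields = []
    while pos < tbs_end:
        t, _, end = read_tlv(cert_der, pos)
        fields.append((t, cert_der[pos:end]))
        pos = end
    if fields and fields[0][0] == 0xA0:                # optional [0] EXPLICIT version
        fields.pop(0)
    if len(fields) < 6 or fields[5][0] != 0x30:
        raise ValueError("subjectPublicKeyInfo not found")
    return fields[5][1]

def check_public_key(existing_cert, new_cert, private_key):
    """Apply the 'PublicKey must match unless a PrivateKey is provided' rule."""
    try:
        new_spki = spki_of(new_cert)
    except (ValueError, IndexError):
        return "Bad_CertificateInvalid"
    if private_key:          # use case 2: key supplied with the call, rule does not apply
        return "Good"        # key-pair consistency needs a crypto library (not shown)
    return "Good" if new_spki == spki_of(existing_cert) else MISMATCH

tlv = lambda tag, value: bytes([tag, len(value)]) + value  # short-form DER, sample data only

def sample_cert(key_bits, serial=1):
    """Structurally minimal, unsigned certificate (constructed sample, not a real one)."""
    seq = lambda *parts: tlv(0x30, b"".join(parts))
    spki = seq(seq(tlv(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x01"), tlv(0x05, b"")), tlv(0x03, b"\x00" + key_bits))
    tbs = seq(tlv(0xA0, tlv(0x02, b"\x02")), tlv(0x02, bytes([serial])), seq(), seq(), seq(), seq(), spki)
    return seq(tbs, seq(), tlv(0x03, b"\x00"))
```

A renewed Certificate over the same key passes the check, while a Certificate over a different key is rejected unless the caller also supplies the matching PrivateKey.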
Signature
UpdateCertificate(
    [in]  NodeId       certificateGroupId
    [in]  NodeId       certificateTypeId
    [in]  ByteString   certificate
    [in]  ByteString[] issuerCertificates
    [in]  String       privateKeyFormat
    [in]  ByteString   privateKey
    [out] Boolean      applyChangesRequired
);
| Argument | Description |
|---|---|
| certificateGroupId | The NodeId of the CertificateGroup Object which is affected by the update. If null the DefaultApplicationGroup is used. |
| certificateTypeId | The type of Certificate being updated. The set of permitted types is specified by the CertificateTypes Property belonging to the CertificateGroup. |
| certificate | The DER encoded Certificate which replaces the existing Certificate. |
| issuerCertificates | The issuer Certificates needed to verify the signature on the new Certificate. |
| privateKeyFormat | The format of the Private Key (PKCS #12 encoded and PKCS #8 Base64 encoded DER (see RFC 5958)). If the privateKey is not specified the privateKeyFormat is null or empty. |
| privateKey | The Private Key encoded in the privateKeyFormat. |
| applyChangesRequired | Indicates that the ApplyChanges Method shall be called before the new Certificate will be used. |
Method Result Codes (defined in Call Service)
| Result Code | Description |
|---|---|
| Bad_InvalidArgument | The certificateTypeId or certificateGroupId is not valid. |
| Bad_CertificateInvalid | The Certificate is invalid or the format is not supported. |
| Bad_NotSupported | The PrivateKey is invalid or the format is not supported. |
| Bad_UserAccessDenied | The current user does not have the rights required. |
| Bad_SecurityChecksFailed | Some failure occurred verifying the integrity of the Certificate. |
| Bad_TransactionPending | There is already a transaction active for another session. |
| Bad_SecurityModeInsufficient | The SecureChannel is not encrypted. |
Table 89 specifies the AddressSpace representation for the UpdateCertificate Method.
Table 89 – UpdateCertificate Method AddressSpace Definition
| Attribute | Value |
|---|---|
| BrowseName | 0:UpdateCertificate |

| References | NodeClass | BrowseName | DataType | TypeDefinition | ModellingRule |
|---|---|---|---|---|---|
| HasProperty | Variable | InputArguments | Argument[] | PropertyType | Mandatory |
| HasProperty | Variable | OutputArguments | Argument[] | PropertyType | Mandatory |