UpdateCertificate is used to update a Certificate for a Server.
There are the following three use cases for this Method:
- The new Certificate was created based on a signing request created with the Method CreateSigningRequest defined in 7.10.8. In this case there is no privateKey provided.
- A new privateKey and Certificate was created outside the Server and both are updated with this Method.
- A new Certificate was created and signed with the information from the old Certificate. In this case there is no privateKey provided.
The Server shall follow the validation process defined in OPC 10000-4 on the Certificate and all of the issuer Certificates. If errors occur the Bad_SecurityChecksFailed error is returned. Note that the validation process requires that the TrustList associated with the CertificateGroup already contain the Issuer Certificates and their CRLs or that the issuers support online CRL checks.
The Server shall report an error if the public key does not match the existing Certificate and the PrivateKey was not provided.
If the Server returns applyChangesRequired =FALSE then it is indicating that it is able to satisfy the requirements specified for the ApplyChanges Method.
This Method shall be called from an encrypted SecureChannel and from a Client that has access to the SecurityAdmin Role (see 7.2).
Signature
UpdateCertificate(
[in] NodeId certificateGroupId
[in] NodeId certificateTypeId
[in] ByteString certificate
[in] ByteString[] issuerCertificates
[in] String privateKeyFormat
[in] ByteString privateKey
[out] Boolean applyChangesRequired
);
|
Argument |
Description |
|
certificateGroupId |
The NodeId of the Certificate Group Object which is affected by the update. If null the DefaultApplicationGroup is used. |
|
certificateTypeId |
The type of Certificate being updated. The set of permitted types is specified by the CertificateTypes Property belonging to the Certificate Group. |
|
certificate |
The DER encoded Certificate which replaces the existing Certificate. |
|
issuerCertificates |
The issuer Certificates needed to verify the signature on the new Certificate. |
|
privateKeyFormat |
The format of the Private Key (PKCS #12 encoded and PKCS #8 Base64 encoded DER (see RFC 5958) ). If the privateKey is not specified the privateKeyFormat is null or empty. |
|
privateKey |
The Private Key encoded in the privateKeyFormat. |
|
applyChangesRequired |
Indicates that the ApplyChanges Method shall be called before the new Certificate will be used. |
Method Result Codes (defined in Call Service)
|
Result Code |
Description |
|
Bad_InvalidArgument |
The certificateTypeId or certificateGroupId is not valid. |
|
Bad_CertificateInvalid |
The Certificate is invalid or the format is not supported. |
|
Bad_NotSupported |
The PrivateKey is invalid or the format is not supported. |
|
Bad_UserAccessDenied |
The current user does not have the rights required. |
|
Bad_SecurityChecksFailed |
Some failure occurred verifying the integrity of the Certificate. |
|
Bad_TransactionPending |
There is already a transaction active for another session. |
|
Bad_SecurityModeInsufficient |
The SecureChannel is not encrypted. |
Table 65 specifies the AddressSpace representation for the UpdateCertificate Method.
Table 65 – UpdateCertificate Method AddressSpace Definition
|
Attribute |
Value |
||||
|
BrowseName |
0:UpdateCertificate |
||||
|
References |
NodeClass |
BrowseName |
DataType |
TypeDefinition |
ModellingRule |
|
HasProperty |
Variable |
InputArguments |
Argument[] |
PropertyType |
Mandatory |
|
HasProperty |
Variable |
OutputArguments |
Argument[] |
PropertyType |
Mandatory |