In this workflow the OPC UA Applicationthat gets Certificatesfrom the CertificateManager is the Clientthat executes the workflow and the CertificateManager is the Serverprocessing the request in the workflow.

The Applicationis authenticated with the Certificatesigned by the CertificateManager(or the Certificateassigned during registration). The UserTokenTypeis always Anonymoususing the ApplicationSelfAdmin Privilege.

The workflow for PullManagementis shown in Figure 16and the steps are described in Table 21. The two options for the key pair creation are described in Figure 17. The boxes with blue textindicate Method calls.


Figure 16– Certificate Pull Management Workflow


Figure 17– The Pull Management Private Key Options

The steps of the PullManagementworkflow are described in detail in Table 21.

Table 21– Certificate Pull Management Workflow Steps



Certificate management begin options

The following options are possible to start thePullManagement.

  1. Continue application setup using the Sessionavailable from the application registration workflow described in 6.5.
  2. Cyclic check of the application status using a new connection to the CertificateManager. The cycle time is defined by the UpdateFrequencyon the related TrustList Objectin the CertificateManager.


Create a connection for option (2). For the connection management with the CertificateManagerthe Services OpenSecureChannel, CreateSessionand ActivateSessionare used to create a connection with MessageSecurityMode SignAndEncryptand an Anonymoususer.

Applicationauthentication is used by the CertificateManagerto allow OPC UA Applicationsto access the necessary resources to update themselves using the ApplicationSelfAdmin Privilege.

Required information

The OPC UA Applicationneeds to know the following information to execute the PullManagementworkflow


If one or more signing requests are pending for a CertificateGroup, the FinishRequest Methodis called directly with the ApplicationIdand the RequestIdfor the pending signing request. The repeat count is set to 0 in this case.


The Method GetCertificateStatusis called with the ApplicationIdand the CertificateGroupIdto check if a certificate update is needed. This is repeated for each CertificateTypeneeded for the CertificateGroup.

Update Required

If GetCertificateStatusreturns updateRequired set to True for one or more combinations of CertificateGroupand CertificateType, the process for key pair creationis started for the affected combinations.

Create CSR

The application creates a certificate signing request (CSR). It is strongly recommended, that the OPC UA Application creates a new private key for each signing request.


The Method StartSigningRequestis called for each CertificateGroupand CertificateTypetogether with the CSR to request a signed Certificatefrom the CertificateManager. Each Methodcall needs it’s own CSR.

As alternative for OPC UA Applications who do not have access to a cryptograhically sufficient entropy source, the Method StartNewKeyPairRequestcan be used. In this case the private key is created by the CertificateManager.

Both Methods return a RequestIdthat can be passed to the FinishRequest Method. The repeat count for FinishRequestis set to a small number like 2.


The Method FinishRequestis called to check the results of a previous StartSigningRequestor StartNewKeyPairRequest.

The following results are possible:


If all Certificatesfor a CertificateGroupare up-to-date, the trust list is checked for updates by calling the Method GetTrustList. The Method returns the NodeIdof the TrustList Objectfor the CertificateGroup. The LastUpdateTimeof TrustList Objectindicates when the contents of the TrustListchanged. When using PullManagement, the Clientshould check this Propertybefore downloading the TrustList.


The NodeIdof the TrustList Objectreturned by GetTrustListis used to open the TrustListfor reading and to read the current content of the TrustList.

Persist TrustList

If a TrustListupdate or Certificateupdates are available, they are persisted for further use by the OPC UA Application. They must be persisted at the same time to ensure a consistent setup.

Repeat for all CertificateGroups

Repeat the process for all CertificateGroups.


Disconnect from CertificateManager.