This ObjectType is used for Objects which represent CertificateGroups in the AddressSpace. A CertificateGroup is a context that contains a TrustList and one or more CertificateTypes that can be assigned to an Application. This ObjectType allows an Application which has multiple TrustLists and/or ApplicationInstance Certificates to express them in its AddressSpace.

A CertificateManager can have many CertificateGroups which manage CertificateTypes and TrustLists for the applications in the system.

A Server has one or more CertificateGroups which specify the CertificateTypes and TrustLists managed by the Server. Typically, there is a mapping between a CertificateGroup in a Server and a CertificateGroup in the CertificateManager. The mechanisms for creating that mapping are outside the scope of this specification.

This type is defined in Table 36.

Table 36 – CertificateGroupType Definition

Attribute | Value
BrowseName | 0:CertificateGroupType
IsAbstract | False

References | NodeClass | BrowseName | DataType | TypeDefinition | Modelling Rule
Subtype of the BaseObjectType defined in OPC 10000-5.
0:HasComponent | Object | 0:TrustList | | 0:TrustListType | Mandatory
0:HasProperty | Variable | 0:CertificateTypes | 0:NodeId[] | 0:PropertyType | Mandatory
0:HasComponent | Object | 0:CertificateExpired | | 0:CertificateExpirationAlarmType | Optional
0:HasCondition | ObjectType | 0:CertificateExpirationAlarmType | | |
0:HasComponent | Object | 0:TrustListOutOfDate | | 0:TrustListOutOfDateAlarmType | Optional
0:HasComponent | Method | 0:GetRejectedList | Defined in 7.8.3.2. | | Optional

Conformance Units
GDS Certificate Manager Pull Model
Push Model for Global Certificate and TrustList Management

The TrustList Object is the TrustList associated with the CertificateGroup.

The CertificateTypes Property specifies the NodeIds of the CertificateTypes which may be assigned to Applications which belong to the CertificateGroup. For example, a CertificateGroup with the NodeId of RsaMinApplicationCertificateType (see 7.8.4.4) and the NodeId of RsaSha256ApplicationCertificateType (see 7.8.4.5) specified allows an Application to have one ApplicationInstance Certificate for each type. Abstract base types may be used in this value and indicate that any subtype is allowed. If this list is empty then the CertificateGroup does not allow Certificates to be assigned to Applications (i.e. a UserToken CertificateGroup only exists to allow the associated TrustList to be read or updated). All CertificateTypes for a given CertificateGroup shall be subtypes of a single common type, which shall be either ApplicationCertificateType or HttpsCertificateType.

The CertificateExpired Object is an Alarm which is raised when a Certificate associated with the CertificateGroup is about to expire. If multiple Certificates are about to expire, an Alarm for each Certificate is raised. The CertificateExpirationAlarmType is defined in OPC 10000-9.

The TrustListOutOfDate Object is an Alarm which is raised when the TrustList has not been updated within the period specified by the UpdateFrequency (see 7.8.2.1). The TrustListOutOfDateAlarmType is defined in 7.8.2.9.

The GetRejectedList Method returns the list of Certificates that have been rejected by the Server when using the TrustList associated with the CertificateGroup. It can be used to track activity or allow administrators to move a rejected Certificate into the Trust List. This Method shall only be present on CertificateGroups which are part of the ServerConfiguration Object defined in 7.10.2.

GetRejectedList Method returns the list of Certificates that have been rejected by the Server.

No rules are defined for how the Server updates this list or how long a Certificate is kept in the list. It is recommended that every valid but untrusted Certificate be added to the rejected list as long as storage is available. Servers can delete entries from the list returned if the maximum message size is not large enough to allow the entire list to be returned.

Servers only add Certificates to this list that have no unsuppressed validation errors but are not trusted.

For PullManagement, this Method is not present on the CertificateGroup.

For PushManagement, this Method shall be called from an authenticated SecureChannel and from a Client that has access to the SecurityAdmin Role (see 7.2).

Signature

    GetRejectedList(
        [out] ByteString[] certificates
    );

Argument | Description
certificates | The DER encoded form of the Certificates rejected by the Server.

Method Result Codes (defined in Call Service)

Result Code | Description
Bad_UserAccessDenied | The current user does not have the rights required.

Table 37 specifies the AddressSpace representation for the GetRejectedList Method.

Table 37 – GetRejectedList Method AddressSpace Definition

Attribute | Value
BrowseName | 0:GetRejectedList

References | NodeClass | BrowseName | DataType | TypeDefinition | ModellingRule
0:HasProperty | Variable | 0:OutputArguments | 0:Argument[] | 0:PropertyType | Mandatory
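The admission rule for the rejected list (valid but untrusted Certificates only), the size-bounded response and the SecurityAdmin check for the Push model, as an added example. This is not code from the specification or from any OPC UA SDK; it models the Server-side behaviour described above. The DER byte strings are constructed stand-ins (only their lengths matter), the storage bound with oldest-first eviction is an assumption because the text defines no retention rule, the 64-byte response overhead is an assumed figure, and returning Bad_UserAccessDenied for a call over an unauthenticated SecureChannel is likewise an assumption, since the page lists only that result code.

```python
from dataclasses import dataclass

SECURITY_ADMIN_ROLE = "SecurityAdmin"   # Role name from 7.2

# Constructed stand-ins for DER-encoded Certificates; only their lengths matter here.
CERT_A = b"\x30\x82\x01\x00" + b"A" * 252   # 256 bytes
CERT_B = b"\x30\x82\x02\x00" + b"B" * 508   # 512 bytes
CERT_C = b"\x30\x82\x00\x80" + b"C" * 124   # 128 bytes


@dataclass(frozen=True)
class ValidationResult:
    """Outcome of validating one Certificate against the group's TrustList."""
    trusted: bool                          # chain ends in a TrustList entry
    errors: frozenset = frozenset()        # validation error codes raised
    suppressed: frozenset = frozenset()    # errors the Server is configured to suppress

    def unsuppressed_errors(self) -> frozenset:
        return self.errors - self.suppressed


class RejectedList:
    """Server-side store behind GetRejectedList.

    Only valid-but-untrusted Certificates are admitted. The storage bound and
    oldest-first eviction are assumptions; the text defines no retention rule.
    """

    def __init__(self, max_entries: int = 100):
        self.max_entries = max_entries
        self._entries: list[bytes] = []

    def record(self, der: bytes, result: ValidationResult) -> bool:
        """Return True if der is (now) in the rejected list."""
        if result.trusted:                 # trusted Certificates are never "rejected"
            return False
        if result.unsuppressed_errors():   # invalid Certificates do not belong here either
            return False
        if der in self._entries:
            return True
        if len(self._entries) >= self.max_entries:
            self._entries.pop(0)           # assumed eviction policy: drop the oldest entry
        self._entries.append(der)
        return True

    def entries(self) -> list[bytes]:
        return list(self._entries)


def call_get_rejected_list(rejected: RejectedList, session_roles: set,
                           channel_authenticated: bool, max_message_size: int,
                           encoding_overhead: int = 64) -> tuple[str, list[bytes]]:
    """Model of the Call Service handling GetRejectedList (Push model).

    Returns (result code, certificates). The 64-byte allowance for the response
    header and array length is an assumption chosen for this example.
    """
    if not channel_authenticated or SECURITY_ADMIN_ROLE not in session_roles:
        return "Bad_UserAccessDenied", []
    budget = max_message_size - encoding_overhead
    certificates = []
    for der in rejected.entries():
        cost = 4 + len(der)                # OPC UA Binary ByteString: Int32 length + bytes
        if cost > budget:                  # drop the remainder rather than exceed the message size
            break
        certificates.append(der)
        budget -= cost
    return "Good", certificates
```

Note that a Certificate with a suppressed error (for example a time-validity error the administrator chose to ignore) still lands on the rejected list if it is untrusted, while one with any unsuppressed error never does: the list is a queue of candidates for trusting, not a log of every failed handshake.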

This type is used for Folders which organize Certificate Groups in the AddressSpace. This type is defined in Table 38.

Table 38 – CertificateGroupFolderType Definition

Attribute | Value
BrowseName | 0:CertificateGroupFolderType
IsAbstract | False

References | NodeClass | BrowseName | DataType | TypeDefinition | Modelling Rule
Subtype of the FolderType defined in OPC 10000-5.
0:HasComponent | Object | 0:DefaultApplicationGroup | | 0:CertificateGroupType | Mandatory
0:HasComponent | Object | 0:DefaultHttpsGroup | | 0:CertificateGroupType | Optional
0:HasComponent | Object | 0:DefaultUserTokenGroup | | 0:CertificateGroupType | Optional
0:Organizes | Object | 0:<AdditionalGroup> | | 0:CertificateGroupType | OptionalPlaceholder

Conformance Units
GDS Certificate Manager Pull Model
Push Model for Global Certificate and TrustList Management

The DefaultApplicationGroup Object represents the default Certificate Group for Applications. It is used to access the default Application Trust List and to define the CertificateTypes allowed for the ApplicationInstanceCertificate. This Object shall specify the ApplicationCertificateType NodeId (see 7.8.4.2) as a single entry in the CertificateTypes list or it shall specify one or more subtypes of ApplicationCertificateType.

The DefaultHttpsGroup Object represents the default Certificate Group for HTTPS communication. It is used to access the default HTTPS Trust List and to define the CertificateTypes allowed for the HTTPS Certificate. This Object shall specify the HttpsCertificateType NodeId (see 7.8.4.3) as a single entry in the CertificateTypes list or it shall specify one or more subtypes of HttpsCertificateType.

The DefaultUserTokenGroup Object represents the default Certificate Group for validating user credentials. It is used to access the default user credential Trust List and to define the CertificateTypes allowed for user credential Certificates. This Object shall leave the CertificateTypes list empty.
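The rules on the CertificateTypes Property (single common type, abstract entries admit any subtype, empty list means nothing may be assigned) together with the constraints on the three default groups above, as an added example that is not part of the specification or of any OPC UA SDK. It uses BrowseNames in place of the numeric namespace-0 NodeIds, and the abstract CertificateType base with the type hierarchy below is taken from 7.8.4.x as an assumption; the function names are the example's own.

```python
# CertificateType hierarchy (assumed from 7.8.4.x): child -> parent, None for the root.
PARENT = {
    "CertificateType": None,
    "ApplicationCertificateType": "CertificateType",
    "HttpsCertificateType": "CertificateType",
    "UserCredentialCertificateType": "CertificateType",
    "RsaMinApplicationCertificateType": "ApplicationCertificateType",
    "RsaSha256ApplicationCertificateType": "ApplicationCertificateType",
}

# The only types allowed as the common type of a CertificateGroup's CertificateTypes list.
ALLOWED_COMMON_TYPES = ("ApplicationCertificateType", "HttpsCertificateType")


def is_subtype_of(type_name: str, base: str) -> bool:
    """True if type_name is base itself or a descendant of base."""
    cur = type_name
    while cur is not None:
        if cur == base:
            return True
        cur = PARENT[cur]
    return False


def validate_certificate_types(types) -> tuple[bool, str]:
    """Check a CertificateTypes Property value against the rules in 7.8.3.1."""
    unknown = [t for t in types if t not in PARENT]
    if unknown:
        return False, f"unknown CertificateType(s): {unknown}"
    if not types:
        return True, "empty list: no Certificates may be assigned to Applications"
    # Every entry must descend from exactly one of the two permitted common types.
    roots = [r for r in ALLOWED_COMMON_TYPES if all(is_subtype_of(t, r) for t in types)]
    if len(roots) != 1:
        return False, ("all entries must share a single common type, "
                       "ApplicationCertificateType or HttpsCertificateType")
    return True, f"common type {roots[0]}"


def may_assign(group_types, certificate_type: str) -> bool:
    """May a Certificate of certificate_type be assigned to an Application in this group?

    An abstract entry (e.g. ApplicationCertificateType) admits any of its subtypes;
    a concrete entry admits itself. An empty list admits nothing.
    """
    return any(is_subtype_of(certificate_type, t) for t in group_types)


def validate_default_group(browse_name: str, types) -> bool:
    """Apply the extra constraints on the default groups of a CertificateGroupFolderType."""
    ok, _ = validate_certificate_types(types)
    if not ok:
        return False
    if browse_name == "DefaultUserTokenGroup":
        return list(types) == []                       # shall leave CertificateTypes empty
    base = {"DefaultApplicationGroup": "ApplicationCertificateType",
            "DefaultHttpsGroup": "HttpsCertificateType"}.get(browse_name)
    if base is None:
        return ok                                      # <AdditionalGroup>: only the general rule applies
    if list(types) == [base]:
        return True                                    # the base type as the single entry
    # otherwise one or more proper subtypes of the base type, and nothing else
    return all(t != base and is_subtype_of(t, base) for t in types)
```

A mixed list such as RsaMinApplicationCertificateType plus HttpsCertificateType is rejected because no single permitted common type covers both; an Application Certificate validated by a group whose list is only RsaMinApplicationCertificateType cannot be an RsaSha256ApplicationCertificateType, since the two are siblings, not ancestor and descendant.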