This ObjectType is used for Objects which represent CertificateGroups in the AddressSpace. A CertificateGroup is a context that contains a TrustList and one or more CertificateTypes that can be assigned to an Application. This ObjectType allows an Application which has multiple TrustLists and/or ApplicationInstance Certificates to express them in its AddressSpace.

A CertificateManager can have many CertificateGroups which manage CertificateTypes and TrustLists for the applications in the system.

A Server has one or more CertificateGroups which specify the CertificateTypes and TrustLists managed by the Server. Typically, there is a mapping between a CertificateGroup in a Server and a CertificateGroup in the CertificateManager. The mechanisms for creating that mapping are outside the scope of this specification.

This type is defined in Table 36.

Table 36 – CertificateGroupType Definition

| Attribute  | Value                  |
| BrowseName | 0:CertificateGroupType |
| IsAbstract | False                  |

| References     | NodeClass  | BrowseName                       | DataType             | TypeDefinition                   | Modelling Rule |
| Subtype of the BaseObjectType defined in OPC 10000-5. |
| 0:HasComponent | Object     | 0:TrustList                      |                      | 0:TrustListType                  | Mandatory      |
| 0:HasProperty  | Variable   | 0:CertificateTypes               | 0:NodeId[]           | 0:PropertyType                   | Mandatory      |
| 0:HasComponent | Object     | 0:CertificateExpired             |                      | 0:CertificateExpirationAlarmType | Optional       |
| 0:HasCondition | ObjectType | 0:CertificateExpirationAlarmType |                      |                                  |                |
| 0:HasComponent | Object     | 0:TrustListOutOfDate             |                      | 0:TrustListOutOfDateAlarmType    | Optional       |
| 0:HasComponent | Method     | 0:GetRejectedList                | Defined in 7.8.3.2.  |                                  | Optional       |

| Conformance Units | GDS Certificate Manager Pull Model                           |
|                   | Push Model for Global Certificate and TrustList Management   |

The TrustList Object is the TrustList associated with the CertificateGroup.

The CertificateTypes Property specifies the NodeIds of the CertificateTypes which may be assigned to Applications which belong to the CertificateGroup. For example, a CertificateGroup with the NodeId of RsaMinApplicationCertificateType (see 7.8.4.4) and the NodeId of RsaSha256ApplicationCertificate (see 7.8.4.5) specified allows an Application to have one Application Instance Certificate for each type. Abstract base types may be used in this value and indicate that any subtype is allowed. If this list is empty, the CertificateGroup does not allow Certificates to be assigned to Applications (i.e. a UserToken CertificateGroup only exists to allow the associated TrustList to be read or updated). All CertificateTypes for a given CertificateGroup shall be subtypes of a single common type, which shall be either ApplicationCertificateType or HttpsCertificateType.
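The rules above (empty list admits nothing, abstract entries admit any subtype, all entries share one common base that is either ApplicationCertificateType or HttpsCertificateType) are easy to get wrong when a Server or CertificateManager validates a configured CertificateGroup. The following is an added example and not code from the OPC UA specification or any OPC UA stack; the type names are those used in the text, while the parent links in `PARENT` are a constructed hierarchy assumed for the example, and the function names are the author's own.

```python
"""Validation helpers for the CertificateTypes Property of a CertificateGroup.

Added example; not part of the OPC UA specification. The type hierarchy
below is constructed from the names used in the text and is an assumption.
"""
from __future__ import annotations

# Constructed hierarchy: child type -> parent type (None marks the root).
PARENT: dict[str, str | None] = {
    "CertificateType": None,
    "ApplicationCertificateType": "CertificateType",
    "HttpsCertificateType": "CertificateType",
    "RsaMinApplicationCertificateType": "ApplicationCertificateType",
    "RsaSha256ApplicationCertificateType": "ApplicationCertificateType",
}

# The text permits exactly one of these two as the common base of a group.
ALLOWED_COMMON_BASES = ("ApplicationCertificateType", "HttpsCertificateType")


def ancestors(type_name: str) -> list[str]:
    """Return type_name followed by its ancestors up to the root type."""
    if type_name not in PARENT:
        raise KeyError(f"unknown CertificateType: {type_name}")
    chain: list[str] = []
    node: str | None = type_name
    while node is not None:
        chain.append(node)
        node = PARENT[node]
    return chain


def is_subtype_of(type_name: str, base: str) -> bool:
    """True when type_name is base itself or a transitive subtype of it."""
    return base in ancestors(type_name)


def validate_certificate_types(certificate_types: list[str]) -> str | None:
    """Check a CertificateTypes value; return a reason string if it is invalid.

    An empty list is valid (the group then only exposes its TrustList).
    Otherwise every entry must be a subtype of one common type, and that
    common type must be ApplicationCertificateType or HttpsCertificateType.
    """
    if not certificate_types:
        return None
    for base in ALLOWED_COMMON_BASES:
        if all(is_subtype_of(t, base) for t in certificate_types):
            return None
    return ("CertificateTypes must all be subtypes of one of: "
            + ", ".join(ALLOWED_COMMON_BASES))


def may_assign(certificate_types: list[str], candidate: str) -> bool:
    """Decide whether a Certificate of type `candidate` may be assigned to an
    Application of a group whose CertificateTypes Property is `certificate_types`.

    An entry admits itself and any of its subtypes, so an abstract base type
    in the list admits every subtype (as the text states) and an empty list
    admits nothing.
    """
    return any(is_subtype_of(candidate, allowed) for allowed in certificate_types)


if __name__ == "__main__":
    # The example group from the text: one RSA type of each kind.
    group = ["RsaMinApplicationCertificateType", "RsaSha256ApplicationCertificateType"]
    print(validate_certificate_types(group))                 # None (valid)
    print(may_assign(group, "RsaSha256ApplicationCertificateType"))  # True
    # Mixing application and HTTPS types violates the single-common-base rule.
    print(validate_certificate_types(["RsaMinApplicationCertificateType",
                                      "HttpsCertificateType"]))
```

`validate_certificate_types` is the check a Server would apply when a CertificateGroup is configured, and `may_assign` is the check applied when a Certificate of a particular type is later pushed or requested for an Application in that group. Note that a list containing only the abstract ApplicationCertificateType is valid and admits both concrete RSA types, whereas a list of only the concrete RsaMinApplicationCertificateType does not admit an RsaSha256 Certificate.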

The CertificateExpired Object is an Alarm which is raised when a Certificate associated with the CertificateGroup is about to expire. If multiple Certificates are about to expire, an Alarm is raised for each Certificate. The CertificateExpirationAlarmType is defined in OPC 10000-9.

The TrustListOutOfDate Object is an Alarm which is raised when the TrustList has not been updated within the period specified by the UpdateFrequency (see 7.8.2.1). The TrustListOutOfDateAlarmType is defined in 7.8.2.9.

The GetRejectedList Method returns the list of Certificates that have been rejected by the Server when using the TrustList associated with the CertificateGroup. It can be used to track activity or allow administrators to move a rejected Certificate into the Trust List. This Method shall only be present on CertificateGroups which are part of the ServerConfiguration Object defined in 7.10.2.