KeyCredential management functions allow the management and distribution of KeyCredentials which OPC UA Applications use to access AuthorizationServices and/or Brokers. An application that provides the KeyCredential management functions is called a KeyCredentialService and is typically combined with the GDS into a single application.

There are two primary models for KeyCredential management: PullManagement and PushManagement. In PullManagement, the application acts as a Client and uses the Methods on the KeyCredentialService to request and update KeyCredentials; the application is responsible for ensuring its KeyCredentials are kept up to date. In PushManagement, the application acts as a Server and exposes Methods which the KeyCredentialService can call to update the KeyCredentials as required.

A KeyCredentialService can directly manage the KeyCredentials it supplies, or it may act as an intermediary between a Client and a system that does not support OPC UA, such as Azure AD or LDAP.

Note that KeyCredentials are secrets that are passed directly to AuthorizationServices and/or Brokers; they are not Certificates with private keys. Certificate distribution is managed by the Certificate management model described in 7. For example, AuthorizationServices that support OAuth2 often require the client to provide a client_id and a client_secret parameter with any request. The KeyCredentials are the values that the application shall place in these parameters.
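The following is an added illustration, not code from the OPC UA specification: a simplified in-memory model of the three parties described above, showing an application renewing its KeyCredential under PullManagement, a KeyCredentialService replacing a Server's credential under PushManagement, and the resulting client_id/client_secret pair being placed in an OAuth2 client_credentials request. All class and method names are hypothetical and are not the Methods defined by the specification.

```python
import secrets
from dataclasses import dataclass

# Hypothetical in-memory model of the three parties; names are not the OPC UA Part 12 Methods.

@dataclass
class KeyCredential:
    client_id: str
    client_secret: str
    expires_at: float  # the application must renew before this time

class AuthorizationService:
    """OAuth2-style token endpoint that accepts only the currently issued secret."""
    def __init__(self):
        self.current = {}  # client_id -> client_secret
    def token(self, form: dict) -> bool:
        return (form.get("grant_type") == "client_credentials"
                and self.current.get(form.get("client_id")) == form.get("client_secret"))

class KeyCredentialService:
    """Issues KeyCredentials and keeps the AuthorizationService in sync."""
    def __init__(self, authz: AuthorizationService, lifetime: float):
        self.authz, self.lifetime, self.push_targets = authz, lifetime, []
    def issue(self, client_id: str, now: float) -> KeyCredential:
        cred = KeyCredential(client_id, secrets.token_urlsafe(32), now + self.lifetime)
        self.authz.current[client_id] = cred.client_secret  # previous secret is revoked
        return cred
    def push_update(self, now: float) -> None:
        """PushManagement: the service calls each managed Server to replace its credential."""
        for app in self.push_targets:
            app.update_key_credential(self.issue(app.client_id, now))

class Application:
    def __init__(self, client_id: str):
        self.client_id, self.cred = client_id, None
    def update_key_credential(self, cred: KeyCredential) -> None:
        self.cred = cred  # Method exposed when the application acts as a Server (push)
    def ensure_current(self, service: KeyCredentialService, now: float) -> None:
        """PullManagement: the application itself requests a fresh credential when needed."""
        if self.cred is None or self.cred.expires_at <= now:
            self.cred = service.issue(self.client_id, now)
    def token_request(self) -> dict:
        """The form parameters this application places in its OAuth2 request."""
        return {"grant_type": "client_credentials",
                "client_id": self.cred.client_id, "client_secret": self.cred.client_secret}
```

In the pull model a stale secret stops working as soon as the service issues a replacement, which is why the application, not the service, must track expiry and renew in time.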