A recommended directory layout for Applications that store their Certificates on a file system is shown in Table 121. The Local Discovery Server shall use this structure.
This structure is based on the rules defined in OPC 10000-6.
Table 121 – Application Certificate Store Directory Layout
Path |
Description |
<root> |
A descriptive name for the TrustList. |
|
|
<root>/own |
The Certificate store which contains private keys used by the application. |
<root>/own/certs |
Contains the X.509 v3 Certificates associated with the private keys in the ./private directory. |
<root>/own/private |
Contains the private keys used by the application. |
|
|
<root>/trusted |
The Certificate store which contains trusted Certificates. |
<root>/trusted/certs |
Contains the X.509 v3 Certificates which are trusted. |
<root>/trusted/crl |
Contains the X.509 v3 CRLs for any Certificates in the ./certs directory. |
|
|
<root>/issuer |
The Certificate store which contains the CA Certificates needed for validation. |
<root>/issuer/certs |
Contains the X.509 v3 Certificates which are needed for validation. |
<root>/issuer/crl |
Contains the X.509 v3 CRLs for any Certificates in the ./certs directory. |
|
|
<root>/rejected |
The Certificate store which contains certificates which have been rejected. |
<root>/rejected/certs |
Contains the X.509 v3 Certificates which have been rejected. |
All X.509 v3 certificates are stored in DER format and have a ‘.der’ extension on the file name.
All CRLs are stored in DER format and have a ‘.crl’ extension on the file name.
Private keys should be in PKCS #12 format with a ‘.pfx’ extension or in the OpenSSL PEM format. The OpenSSL PEM format is not formally defined and should only be used by applications which use the OpenSSL libraries to implement security. Other private key formats may exist.
The base name of the Private Key file shall be the same as the base file name for the matching Certificate file stored in the ./certs directory.
A recommended naming convention is:
<CommonName>-[<Algorithm>-<Thumbprint>].(der | pem | pfx)
Where the CommonName is the CommonName of the Certificate, the Algorithm is the key-pair algorithm and the Thumbprint is the CertificateDigest of the certificate formatted as a hexadecimal string.
The currently supported key-pair algorithms are: RSA, nistP256, nistP384, brainpoolP256r1, brainpoolP384r1, curve25519 and curve448.