In EST a web operation returns the CA certificates. In OPC UA the CA Certificates are returned when the CertificateManager client reads the TrustList assigned to the application from the CertificateManager. Prior to these operations the Client should verify that the server is authorized to provide CAs. Table 122 compares how EST clients verify the EST server with how CertificateManager clients verify a CertificateManager.
Table 122 – Verifying that a Server is allowed to Provide Certificates
EST |
OPC UA |
Compare the URL for the EST server with the HTTPS certificate returned in the TLS handshake. |
Compare the URL for the CertificateManager with the OPC UA Certificate returned in GetEndpoints. |
Preconfigure the client to trust the EST Server’s HTTPS certificate. |
Preconfigure the client by adding the CertificateManager Certificate to the client TrustList. |
Manual approval of the CA Certificate after comparing the certificate with out of band information. |
Manual approval of the CertificateManager Certificate after comparing the Certificate with out of band information. |
Pre-shared credentials for use with certificate-less TLS. |
No equivalent. |