This ObjectType is the TypeDefinition for the root of the CertificateManager AddressSpace. It provides additional Methods for Certificate management which are shown in Table 51.

Table 51 – CertificateDirectoryType ObjectType Definition

| Attribute  | Value                        |
|------------|------------------------------|
| BrowseName | 2:CertificateDirectoryType   |
| IsAbstract | False                        |

| References     | NodeClass | BrowseName               | DataType          | TypeDefinition               | Modelling Rule |
|----------------|-----------|--------------------------|-------------------|------------------------------|----------------|
| Subtype of the 2:DirectoryType defined in 6.6.3. |||||| 
| 0:Organizes    | Object    | 2:CertificateGroups      |                   | 0:CertificateGroupFolderType | Mandatory      |
| 0:HasComponent | Method    | 2:StartSigningRequest    | Defined in 7.9.3. |                              | Mandatory      |
| 0:HasComponent | Method    | 2:StartNewKeyPairRequest | Defined in 7.9.4. |                              | Mandatory      |
| 0:HasComponent | Method    | 2:FinishRequest          | Defined in 7.9.5. |                              | Mandatory      |
| 0:HasComponent | Method    | 2:RevokeCertificate      | Defined in 7.9.6. |                              | Optional       |
| 0:HasComponent | Method    | 2:GetCertificateGroups   | Defined in 7.9.7. |                              | Mandatory      |
| 0:HasComponent | Method    | 2:GetCertificates        | Defined in 7.9.8. |                              | Optional       |
| 0:HasComponent | Method    | 2:GetTrustList           | Defined in 7.9.9. |                              | Mandatory      |
| 0:HasComponent | Method    | 2:GetCertificateStatus   | Defined in 7.9.10. |                             | Mandatory      |
| 0:HasComponent | Method    | 2:CheckRevocationStatus  | Defined in 7.9.11. |                             | Optional       |

| Conformance Units                  |
|------------------------------------|
| GDS Certificate Manager Pull Model |

The CertificateGroups Object organizes the CertificateGroups supported by the CertificateManager. It is described in 7.8.4.6. CertificateManagers shall support the DefaultApplicationGroup and may support the DefaultHttpsGroup or the DefaultUserTokenGroup. CertificateManagers may support additional CertificateGroups depending on their requirements. For example, a CertificateManager with multiple Certificate Authorities would represent each CA as a CertificateGroupType Object organized by the CertificateGroups Folder. Clients could then request Certificates issued by a specific CA by passing the NodeId of that CertificateGroupType Object to the StartSigningRequest or StartNewKeyPairRequest Methods.

CertificateGroups assigned by the CertificateManager to specific applications are persisted by PullManagement Clients. These Clients use the NodeIds to relate their local configuration to the CertificateGroup in the CertificateManager.

The StartSigningRequest Method is used to request a new Certificate that is signed by a CA managed by the CertificateManager. This Method is recommended when the caller already has a private key, since only the signing request leaves the application and the private key never crosses the wire.

The StartNewKeyPairRequest Method is used to request a new Certificate that is signed by a CA managed by the CertificateManager along with a new private key generated by the CertificateManager. This Method is used only when the caller does not have a private key and cannot generate one.

The FinishRequest Method is used to check that a Certificate request has been approved by an entity with access to the RegistrationAuthorityAdmin Role. If successful the Certificate and Private Key (if requested) are returned.

The GetCertificateGroups Method returns a list of NodeIds for CertificateGroupType Objects that can be used to request Certificates or Trust Lists for an Application.

The GetCertificates Method returns a list of Certificates assigned to the Application for a CertificateGroup.

The GetTrustList Method returns a NodeId of a TrustListType Object that belongs to a CertificateGroup assigned to an Application.

The GetCertificateStatus Method checks whether the Application needs to update the Certificate identified in the call.

The CheckRevocationStatus Method checks the revocation status of a Certificate.
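The request lifecycle described above (StartSigningRequest or StartNewKeyPairRequest, approval by a holder of the RegistrationAuthorityAdmin Role, then FinishRequest) together with the GetCertificateStatus check, as an added example that is not part of this specification and uses no OPC UA SDK: a stdlib Python model in which the CertificateManager and the pull-model Client are in-process classes. The snake_case method names are stand-ins for the Methods in Table 51; the NodeIds, the Role-name check, the StatusCode strings, the 32-byte random "private key" and the SHA-256 "signature" are constructed placeholders; and the refusal to return a manager-generated private key over an unencrypted channel is an assumption of this model, not something stated in this section.

```python
from __future__ import annotations
import hashlib
import secrets
from dataclasses import dataclass

# StatusCode names used by this model (assumed plain strings, not SDK constants).
GOOD = "Good"
BAD_NOTHING_TO_DO = "Bad_NothingToDo"          # request exists but is not approved yet
BAD_USER_ACCESS_DENIED = "Bad_UserAccessDenied"
BAD_INVALID_ARGUMENT = "Bad_InvalidArgument"
BAD_SECURITY_MODE_INSUFFICIENT = "Bad_SecurityModeInsufficient"


@dataclass
class PendingRequest:
    application_id: str
    group_id: str                      # NodeId of the CertificateGroupType Object (one per CA)
    to_sign: bytes                     # caller's CSR, or the subject for a manager-made key
    private_key: bytes | None = None   # only set for StartNewKeyPairRequest
    approved: bool = False
    certificate: bytes | None = None


class CertificateManager:
    """Server side of the pull model: a CertificateGroups folder with one CA per group."""

    def __init__(self, groups):
        self.groups = dict(groups)   # group NodeId -> CA name (constructed placeholders)
        self.requests = {}
        self.issued = {}             # (application_id, group_id) -> current certificate

    def get_certificate_groups(self, application_id):
        return list(self.groups)     # every group is offered to every application here

    def _start(self, application_id, group_id, to_sign, private_key=None):
        if group_id not in self.groups:
            return BAD_INVALID_ARGUMENT, None
        request_id = secrets.token_hex(8)
        self.requests[request_id] = PendingRequest(application_id, group_id, to_sign, private_key)
        return GOOD, request_id

    def start_signing_request(self, application_id, group_id, csr):
        # Caller already holds the private key; only the CSR crosses the wire.
        return self._start(application_id, group_id, csr)

    def start_new_key_pair_request(self, application_id, group_id, subject):
        # Caller cannot make a key: the manager generates one and holds it until FinishRequest.
        key = secrets.token_bytes(32)          # stands in for a real private key
        return self._start(application_id, group_id, subject.encode(), key)

    def approve(self, request_id, caller_roles):
        # Approval is gated on the RegistrationAuthorityAdmin Role (name check is the model's own).
        if "RegistrationAuthorityAdmin" not in caller_roles:
            return BAD_USER_ACCESS_DENIED
        req = self.requests[request_id]
        ca = self.groups[req.group_id]
        # SHA-256 over CA name and request stands in for X.509 signing by that CA.
        req.certificate = hashlib.sha256(ca.encode() + req.to_sign).digest()
        req.approved = True
        return GOOD

    def finish_request(self, application_id, request_id, channel_encrypted):
        req = self.requests.get(request_id)
        if req is None or req.application_id != application_id:
            return BAD_INVALID_ARGUMENT, None, None
        if not req.approved:
            return BAD_NOTHING_TO_DO, None, None          # client retries later
        if req.private_key is not None and not channel_encrypted:
            return BAD_SECURITY_MODE_INSUFFICIENT, None, None   # assumption: no key in the clear
        self.issued[(application_id, req.group_id)] = req.certificate
        del self.requests[request_id]
        return GOOD, req.certificate, req.private_key

    def get_certificate_status(self, application_id, group_id, certificate):
        # True means the application must update: it does not hold the current certificate.
        return self.issued.get((application_id, group_id)) != certificate


class PullClient:
    """Application side: persists the CertificateGroup NodeIds the manager assigned to it."""

    def __init__(self, application_id, manager):
        self.application_id = application_id
        self.manager = manager
        self.config = {}     # local store name -> CertificateGroup NodeId (persisted)
        self.certs = {}      # local store name -> certificate

    def bind(self, store_name, group_id):
        self.config[store_name] = group_id

    def request(self, store_name, csr=None, subject=None):
        group_id = self.config[store_name]
        if csr is not None:
            return self.manager.start_signing_request(self.application_id, group_id, csr)
        return self.manager.start_new_key_pair_request(self.application_id, group_id, subject)

    def poll(self, store_name, request_id, channel_encrypted=True):
        status, cert, key = self.manager.finish_request(
            self.application_id, request_id, channel_encrypted)
        if status == GOOD:
            self.certs[store_name] = cert
        return status, cert, key

    def needs_update(self, store_name):
        return self.manager.get_certificate_status(
            self.application_id, self.config[store_name], self.certs.get(store_name))


def demo():
    """Run the signing flow end to end; returns the status sequence the client observes."""
    gds = CertificateManager({"ns=2;i=1": "DefaultApplicationGroup-CA",
                              "ns=2;i=2": "Plant-CA"})     # constructed NodeIds and CA names
    app = PullClient("urn:example:plc-7", gds)
    app.bind("app", "ns=2;i=2")                              # choose the CA by group NodeId
    _, rid = app.request("app", csr=b"constructed-csr")
    seq = [app.poll("app", rid)[0]]                          # pending: Bad_NothingToDo
    seq.append(gds.approve(rid, {"Operator"}))               # wrong Role: denied
    seq.append(gds.approve(rid, {"RegistrationAuthorityAdmin"}))
    seq.append(app.poll("app", rid)[0])                      # now Good, certificate stored
    return seq
```

The two points worth carrying over to a real implementation are visible in the flow: FinishRequest returns nothing until the RA admin has approved, so a client has to poll rather than assume issuance, and the CertificateGroup NodeId chosen at bind time is the only thing tying the application's local store to the CA that issued its Certificate, which is why the Client persists it.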