A recommended directory layout for Applications that store their Certificates on a file system is shown in Table 118. The Local Discovery Server shall use this structure.

This structure is based on the rules defined in OPC 10000-6.

Table 118 – Application Certificate Store Directory Layout

| Path | Description |
| --- | --- |
| <root> | A descriptive name for the trust list. |
| <root>/own | The Certificate store which contains private keys used by the application. |
| <root>/own/certs | Contains the X.509 v3 Certificates associated with the private keys in the ./private directory. |
| <root>/own/private | Contains the private keys used by the application. |
| <root>/trusted | The Certificate store which contains trusted Certificates. |
| <root>/trusted/certs | Contains the X.509 v3 Certificates which are trusted. |
| <root>/trusted/crl | Contains the X.509 v3 CRLs for any Certificates in the ./certs directory. |
| <root>/issuer | The Certificate store which contains the CA Certificates needed for validation. |
| <root>/issuer/certs | Contains the X.509 v3 Certificates which are needed for validation. |
| <root>/issuer/crl | Contains the X.509 v3 CRLs for any Certificates in the ./certs directory. |
| <root>/rejected | The Certificate store which contains Certificates which have been rejected. |
| <root>/rejected/certs | Contains the X.509 v3 Certificates which have been rejected. |

All X.509 v3 certificates are stored in DER format and have a ‘.der’ extension on the file name.

All CRLs are stored in DER format and have a ‘.crl’ extension on the file name.

Private keys should be in PKCS #12 format with a ‘.pfx’ extension or in the OpenSSL PEM format. The OpenSSL PEM format is not formally defined and should only be used by applications which use the OpenSSL libraries to implement security. Other private key formats may exist.

The base name of the Private Key file shall be the same as the base file name for the matching Certificate file stored in the ./certs directory.

A recommended naming convention is:

<CommonName>-[<Algorithm>-<Thumbprint>].(der | pem | pfx)

Where CommonName is the CommonName of the Certificate, Algorithm is the key-pair algorithm and Thumbprint is the CertificateDigest of the Certificate formatted as a hexadecimal string.

The currently supported key-pair algorithms are: RSA, nistP256, nistP384, brainpoolP256r1, brainpoolP384r1, curve25519 and curve448.
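As an added example (not code from the specification or from any OPC UA stack), the following Python checks a store on disk against the layout in Table 118 and the naming convention above: every required directory exists, certificate directories hold only .der files, CRL directories only .crl files, and each private key has a Certificate with the same base name in ./certs. It assumes the CertificateDigest is a SHA-1 over the DER encoding written as upper-case hex; the DER bytes in the sample store are a constructed stand-in, not a real Certificate.

```python
import hashlib
import re
import tempfile
from pathlib import Path

CERT_DIRS = ("own/certs", "trusted/certs", "issuer/certs", "rejected/certs")
CRL_DIRS = ("trusted/crl", "issuer/crl")
STORE_DIRS = CERT_DIRS + CRL_DIRS + ("own/private",)  # every directory Table 118 defines below <root>
EXT_RULES = {**dict.fromkeys(CERT_DIRS, ".der"), **dict.fromkeys(CRL_DIRS, ".crl")}
# <CommonName>-[<Algorithm>-<Thumbprint>].(der | pem | pfx)
NAME_RE = re.compile(r"^(?P<cn>.+)-\[(?P<alg>\w+)-(?P<thumb>[0-9A-F]+)\]\.(?P<ext>der|pem|pfx)$")

def certificate_digest(der):
    # Assumption: CertificateDigest is SHA-1 over the DER bytes, written as upper-case hex.
    return hashlib.sha1(der).hexdigest().upper()

def recommended_base_name(common_name, algorithm, der):
    return f"{common_name}-[{algorithm}-{certificate_digest(der)}]"

def parse_name(file_name):
    m = NAME_RE.match(file_name)
    return m.groupdict() if m else None

def check_store(root):
    """Return a list of layout problems; an empty list means the store is consistent."""
    root = Path(root)
    problems = [f"missing directory {d}" for d in STORE_DIRS if not (root / d).is_dir()]
    if problems:
        return problems
    for sub, ext in EXT_RULES.items():
        problems += [f"{sub}/{p.name}: expected {ext}" for p in (root / sub).iterdir() if p.suffix != ext]
    cert_bases = {p.stem for p in (root / "own/certs").iterdir()}
    for p in (root / "own/private").iterdir():
        if p.suffix not in (".pfx", ".pem"):
            problems.append(f"own/private/{p.name}: private keys must be .pfx or .pem")
        if p.stem not in cert_bases:  # key base name must equal its Certificate's base name
            problems.append(f"own/private/{p.name}: no matching own/certs/{p.stem}.der")
    return problems

def build_sample_store(key_base=None):
    """Constructed store in a temp dir; the DER bytes are a stand-in, not a real Certificate."""
    root = Path(tempfile.mkdtemp(prefix="pki-"))
    for sub in STORE_DIRS:
        (root / sub).mkdir(parents=True)
    fake_der = b"\x30\x82\x01\x00constructed-der-stand-in"
    base = recommended_base_name("MyServer", "nistP256", fake_der)
    (root / "own/certs" / f"{base}.der").write_bytes(fake_der)
    (root / "own/private" / f"{key_base or base}.pem").write_text("-----BEGIN PRIVATE KEY-----\nconstructed\n-----END PRIVATE KEY-----\n")
    return str(root)
```

Passing `key_base="wrong-name"` to `build_sample_store` produces a store whose private key violates the base-name rule, which `check_store` reports.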