StartSigningRequest is used to initiate a request to create a Certificate which uses the private key which the caller currently has. The new Certificate is returned in the FinishRequest response.

Signature

StartSigningRequest(

[in] NodeId applicationId

[in] NodeId certificateGroupId

[in] NodeId certificateTypeId

[in] ByteString certificateRequest

[out] NodeId requestId

);

Argument

Description

applicationId

The identifier assigned to the Application record by the CertificateManager.

certificateGroupId

The NodeId of the CertificateGroup which provides the context for the new request.

If null the CertificateManager shall choose the DefaultApplicationGroup.

certificateTypeId

The NodeId of the CertificateType for the new Certificate.

If null the CertificateManager shall generate a Certificate based on the value of the certificateGroupId argument.

certificateRequest

A CertificateRequest used to prove possession of the Private Key.

It is a PKCS #10 encoded blob in DER format.

If the CertificateRequest is for an ApplicationInstance Certificate then it shall include all fields required by OPC 10000-6 such as the subjectAltName.

requestId

The NodeId that represents the request.

This value is passed to FinishRequest .

The call returns the NodeId that is passed to the FinishRequest Method.

The certificateGroupId parameter allows the caller to specify a CertificateGroup that provides context for the request. If null the CertificateManager shall choose the DefaultApplicationGroup. If the Application does not currently belong to the requested CertificateGroup the CertificateManager shall verify that the Application is allowed to join the CertificateGroup and then, if permitted, add the Application to the CertificateGroup. The CertificateGroup verification and assignment may occur anytime before FinishRequest returns success.

The set of available CertificateGroups are found in the CertificateGroups folder described in 7.9.2. The CertificateGroups allowed for an Application are returned by the GetCertificateGroups Method (see 7.9.7).

The certificateTypeId parameter specifies the type of Certificate to return. The permitted values are specified by the CertificateTypes Property of the Object specified by the certificateGroupId parameter.

The certificateRequest parameter is a DER encoded CertificateRequest. The subject, subjectAltName and Public Key are copied into the new Certificate.

If the certificateTypeId is a subtype of ApplicationCertificateType the subject conforms to the requirements defined in OPC 10000-6. The public key length shall meet the length restrictions for the CertificateType. If the certificateType is a subtype of HttpsCertificateType the Certificate common name (CN=) shall be the same as a domain from a DiscoveryUrl which uses HTTPS and the subject shall have an organization (O=) field.

The ApplicationUri shall be specified in the CSR. The CertificateManager shall return Bad_CertificateUriInvalid if the stored ApplicationUri for the Application is different from what is in the CSR.

The subject in the CSR may be ignored by the CertificateManager. The CertificateManager may update the subject to comply with policy requirements and to ensure global uniqueness.

Any bits set in basicConstraints or extendedKeyUsage fields in the CSR are ignored by the CertificateManager. The CertificateManager uses values that are appropriate and compliant with the specification.

For Servers, the list of domain names shall be specified in the CSR. The domains shall include the domain(s) in the DiscoveryUrls known to the CertificateManager.

This Method shall be called from an encrypted SecureChannel and from a Session that has access to the CertificateAuthorityAdmin Role, the ApplicationAdmin Privilege, or the ApplicationSelfAdmin Privilege (see 7.2).

If auditing is supported, the CertificateManager shall generate the CertificateRequested AuditEventType (see 7.9.12) if this Method succeeds or fails.

Method Result Codes (defined in Call Service)

Result Code

Description

Bad_NotFound

The applicationId does not refer to a registered Application.

Bad_InvalidArgument

One or more of the certificateGroupId, certificateTypeId or certificateRequest arguments is not valid.

The text associated with the error shall indicate the exact problem.

Bad_UserAccessDenied

The current user does not have the rights required.

Bad_RequestNotAllowed

The current configuration of the CertificateManager does not allow the request.

The text associated with the error should indicate the exact reason.

Bad_CertificateUriInvalid

The ApplicationUri was not specified in the CSR or does not match the Application record.

Bad_NotSupported

The signing algorithm, public algorithm or public key size are not supported by the CertificateManager. The text associated with the error shall indicate the exact problem.

Table 52 specifies the AddressSpace representation for the StartSigningRequest Method.

Table 52 – StartSigningRequest Method AddressSpace Definition

Attribute

Value

BrowseName

2:StartSigningRequest

References

NodeClass

BrowseName

DataType

TypeDefinition

ModellingRule

0:HasProperty

Variable

0:InputArguments

0:Argument[]

0:PropertyType

Mandatory

0:HasProperty

Variable

0:OutputArguments

0:Argument[]

0:PropertyType

Mandatory