The CreateSigningRequest Method asks the Server to create a PKCS #10 DER encoded Certificate Request that is signed with the Server’s private key. This request can then be used to request a Certificate from a CA that expects requests in this format.

Servers shall support one active and one new key pair for each combination of certificateGroupId and certificateTypeId. If this Method is called multiple times with the same certificateGroupId and certificateTypeId then any previously generated new key pair, that has not been made active, is discarded. If a key pair is made active by a call to UpdateCertificate then the previously active key pair is deleted.

This Method shall be called from an encrypted SecureChannel and from a Client that has access to the SecurityAdmin Role (see 7.2).

Signature

CreateSigningRequest(
    [in] NodeId certificateGroupId
    [in] NodeId certificateTypeId
    [in] String subjectName
    [in] Boolean regeneratePrivateKey
    [in] ByteString nonce
    [out] ByteString certificateRequest
);

| Argument | Description |
| --- | --- |
| certificateGroupId | The NodeId of the Certificate Group Object which is affected by the request. If null the DefaultApplicationGroup is used. |
| certificateTypeId | The type of Certificate being requested. The set of permitted types is specified by the CertificateTypes Property belonging to the Certificate Group. |
| subjectName | The subject name to use in the Certificate Request. If not specified the SubjectName from the current Certificate is used. The format of the subjectName is defined in 7.9.4. |
| regeneratePrivateKey | If TRUE the Server shall create a new Private Key which it stores until the matching signed Certificate is uploaded with the UpdateCertificate Method. Previously created Private Keys may be discarded if UpdateCertificate was not called before calling this method again. If FALSE the Server uses its existing Private Key. |
| nonce | Additional entropy which the caller shall provide if regeneratePrivateKey is TRUE. It shall be at least 32 bytes long. |
| certificateRequest | The PKCS #10 DER encoded Certificate Request. If the CertificateRequest is for an ApplicationInstance Certificate then it shall include all fields required by OPC 10000-6 such as the subjectAltName. |

Method Result Codes (defined in Call Service)

| Result Code | Description |
| --- | --- |
| Bad_InvalidArgument | One or more of the certificateTypeId, certificateGroupId, nonce, or subjectName parameters is not valid. |
| Bad_UserAccessDenied | The current user does not have the rights required. |
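The key pair rules and argument checks above, modelled as an added example that is not part of the specification. `KeySlots`, the session dictionary and the opaque key ids are assumptions made for illustration, and the returned string is a placeholder rather than a real PKCS #10 request.

```python
import hashlib
import os

GOOD, BAD_ARG, BAD_ACCESS = "Good", "Bad_InvalidArgument", "Bad_UserAccessDenied"
DEFAULT_GROUP = "DefaultApplicationGroup"


class KeySlots:
    """Toy model: one active and one new key pair per (group, type)."""

    def __init__(self, certificate_types):
        # certificate_types: group id -> permitted type ids (the CertificateTypes Property)
        self.certificate_types = certificate_types
        self.slots = {}  # (group, type) -> {"active": key id, "new": key id or None}

    def _new_key(self, nonce):
        # Opaque id standing in for a generated key pair; the caller's nonce
        # supplements the Server's own entropy, it never replaces it.
        return hashlib.sha256(os.urandom(32) + nonce).hexdigest()[:16]

    def create_signing_request(self, session, group, cert_type, regenerate, nonce=b""):
        # Assumption: the page names no result code for an unencrypted channel,
        # so this sketch reuses Bad_UserAccessDenied for it.
        if not session.get("encrypted") or "SecurityAdmin" not in session.get("roles", ()):
            return BAD_ACCESS, None
        group = group or DEFAULT_GROUP  # null group -> DefaultApplicationGroup
        if cert_type not in self.certificate_types.get(group, ()):
            return BAD_ARG, None
        if regenerate and len(nonce) < 32:
            return BAD_ARG, None
        slot = self.slots.setdefault((group, cert_type),
                                     {"active": self._new_key(b""), "new": None})
        slot["new"] = None  # a new key pair that was never made active is discarded
        if regenerate:
            slot["new"] = self._new_key(nonce)
        signing_key = slot["new"] or slot["active"]
        return GOOD, f"CSR signed by {signing_key}"  # placeholder, not real PKCS #10 DER

    def update_certificate(self, group, cert_type):
        # Making the new key pair active deletes the previously active one.
        slot = self.slots[(group or DEFAULT_GROUP, cert_type)]
        if slot["new"]:
            slot["active"], slot["new"] = slot["new"], None
        return slot["active"]
```

Calling `create_signing_request` twice with `regenerate=True` before `update_certificate` leaves only the second key pair pending, so a Certificate issued for the first request can no longer be matched to a stored Private Key.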

Table 68 specifies the AddressSpace representation for the CreateSigningRequest Method.

Table 68 – CreateSigningRequest Method AddressSpace Definition

| Attribute | Value |
| --- | --- |
| BrowseName | 0:CreateSigningRequest |

| References | NodeClass | BrowseName | DataType | TypeDefinition | ModellingRule |
| --- | --- | --- | --- | --- | --- |
| 0:HasProperty | Variable | 0:InputArguments | 0:Argument[] | 0:PropertyType | Mandatory |
| 0:HasProperty | Variable | 0:OutputArguments | 0:Argument[] | 0:PropertyType | Mandatory |