CreateSigningRequest Method asks the Server to create a PKCS #10 DER encoded Certificate Request that is signed with the Server’s private key. This request can be then used to request a Certificate from a CA that expects requests in this format.
Servers shall support one active and one new key pair for each combination of certificateGroupId and certificateTypeId. If this Method is called multiple times with the same certificateGroupId and certificateTypeId then any previously generated new key pair, that has not been made active, is discarded. If a key pair is made active by a call to UpdateCertificate then the previously active key pair is deleted.
This Method shall be called from an encrypted SecureChannel and from a Client that has access to the SecurityAdmin Role (see 7.2).
Signature
CreateSigningRequest(
[in]NodeId certificateGroupId
[in]NodeId certificateTypeId
[in]String subjectName
[in]Boolean regeneratePrivateKey
[in]ByteString nonce
[out]ByteString certificateRequest
);
|
Argument |
Description |
|
certificateGroupId |
The NodeId of the Certificate Group Object which is affected by the request. If null the DefaultApplicationGroup is used. |
|
certificateTypeId |
The type of Certificate being requested. The set of permitted types is specified by the CertificateTypes Property belonging to the Certificate Group. |
|
subjectName |
The subject name to use in the Certificate Request. If not specified the SubjectName from the current Certificate is used. The format of the subjectName is defined in 7.9.4. |
|
regeneratePrivateKey |
If TRUE the Server shall create a new Private Key which it stores until the matching signed Certificate is uploaded with the UpdateCertificate Method. Previously created Private Keys may be discarded if UpdateCertificate was not called before calling this method again. If FALSE the Server uses its existing Private Key. |
|
nonce |
Additional entropy which the caller shall provide if regeneratePrivateKey is TRUE. It shall be at least 32 bytes long. |
|
certificateRequest |
The PKCS #10 DER encoded Certificate Request. If the CertificateRequest is for an ApplicationInstance Certificate then it shall include all fields required by OPC 10000-6 such as the subjectAltName. |
Method Result Codes (defined in Call Service)
|
Result Code |
Description |
|
Bad_InvalidArgument |
One or more of the certificateTypeId, certificateGroupId, nonce, or subjectName paremeters is not valid. |
|
Bad_UserAccessDenied |
The current user does not have the rights required. |
Table 68 specifies the AddressSpace representation for the CreateSigningRequest Method.
Table 68 – CreateSigningRequest Method AddressSpace Definition
|
Attribute |
Value |
||||
|
BrowseName |
0:CreateSigningRequest |
||||
|
References |
NodeClass |
BrowseName |
DataType |
TypeDefinition |
ModellingRule |
|
0:HasProperty |
Variable |
0:InputArguments |
0:Argument[] |
0:PropertyType |
Mandatory |
|
0:HasProperty |
Variable |
0:OutputArguments |
0:Argument[] |
0:PropertyType |
Mandatory |