A recommended directory layout for Applications that store their Certificates on a file system is shown in Table 121. The Local Discovery Server shall use this structure.
This structure is based on the rules defined in OPC 10000-6.
Table 121 – Application Certificate Store Directory Layout
Path |
Description |
<root> |
A descriptive name for the TrustList. |
|
|
<root>/own |
The Certificate store which contains private keys used by the application. |
<root>/own/certs |
Contains the X.509 v3 Certificates associated with the private keys in the ./private directory. |
<root>/own/private |
Contains the private keys used by the application. |
|
|
<root>/trusted |
The Certificate store which contains trusted Certificates. |
<root>/trusted/certs |
Contains the X.509 v3 Certificates which are trusted. |
<root>/trusted/crl |
Contains the X.509 v3 CRLs for any Certificates in the ./certs directory. |
|
|
<root>/issuer |
The Certificate store which contains the CA Certificates needed for validation. |
<root>/issuer/certs |
Contains the X.509 v3 Certificates which are needed for validation. |
<root>/issuer/crl |
Contains the X.509 v3 CRLs for any Certificates in the ./certs directory. |
|
|
<root>/rejected |
The Certificate store which contains certificates which have been rejected. |
<root>/rejected/certs |
Contains the X.509 v3 Certificates which have been rejected. |
All X.509 v3 certificates are stored in DER format and have a ‘.der’ extension on the file name.
All CRLs are stored in DER format and have a ‘.crl’ extension on the file name.
Private keys should be in PKCS #12 format with a ‘.pfx’ extension or in the OpenSSL PEM format. The OpenSSL PEM format is not formally defined and should only be used by applications which use the OpenSSL libraries to implement security. Other private key formats may exist.
The base name of the Private Key file shall be the same as the base file name for the matching Certificate file stored in the ./certs directory.
A recommended naming convention is:
<CommonName>-[<Algorithm>-<Thumbprint>].(der | pem | pfx)
Where the CommonName is the CommonName of the Certificate, the Algorithm is the key-pair algorithm and the Thumbprint is the CertificateDigest of the certificate formatted as a hexadecimal string.
The currently supported key-pair algorithms are: RSA, nistP256, nistP384, brainpoolP256r1, brainpoolP384r1, curve25519 and curve448.
The LocalDiscoveryServer executable shall be installed in the following location:
%CommonProgramFiles%\OPC Foundation\UA\Discovery
where %CommonProgramFiles% is the value of the CommonProgramFiles environment variable on 32-bit systems. On 64-bit systems the value of the CommonProgramFiles(x86) environment variable is used instead.
The configuration files used by the LocalDiscoveryServer executable shall be installed in the following location:
%CommonApplicationData%\OPC Foundation\UA\Discovery
where %CommonApplicationData% is the location of the application data folder shared by all users. The exact location depends on the operating system, however, under Windows 7 or later the common application data folder is usually C:\ProgramData.
The certificates stores used by the LocalDiscoveryServer shall be organized as described in F.1. The root of the certificates stores shall be in the following location:
%CommonApplicationData%\OPC Foundation\UA\pki