Figure 15 illustrates the use of TrustAnchor capabilities integrated in the Pull Management process for provisioning an Application Instance (cf. OPC 10000-21 7.2, Figure 5; https://reference.opcfoundation.org/Onboarding/v105/docs/7.2).

  • Establish OPC UA Secure Channel DCA – Registrar/GDS. Details on how to establish a secure channel using an existing personality are described in 5.5.
  • Create personality for Application Instance
  • Generate private key (gta_personality_create())
  • Sign proof-of-possession on CSR (gta_personality_enroll())
  • Write end-entity certificate (gta_personality_add_attribute())
  • Protect TrustList for Application PKI domain (gta_authenticate_data_detached())


Figure 15 – Provisioning of Application Instance (Pull Management)

Provisioning of an Application Instance using Push Management works in the same way. The interactions between the DCA application and the GTA API are the same for Push and Pull Management.
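
The TrustList protection step listed above, as an added example that is not part of the original document or of the GTA API: a Python model of detached data authentication, where the seal is stored beside the unmodified TrustList and checked before the list is used. The ModelTrustAnchor class, its method names, the HMAC-SHA-256 mechanism and the sample TrustList bytes are assumptions made for illustration; the mechanism a real trust anchor applies is not specified on this page.

```python
import hashlib
import hmac
import secrets


class ModelTrustAnchor:
    """Hypothetical stand-in for a trust anchor: keys never leave this object."""

    def __init__(self):
        self._keys = {}  # personality name -> secret key

    def create_personality(self, name):
        self._keys[name] = secrets.token_bytes(32)

    def seal_detached(self, name, data):
        # Assumed mechanism: HMAC-SHA-256. The data itself is left unchanged.
        return hmac.new(self._keys[name], data, hashlib.sha256).digest()

    def verify_detached(self, name, data, seal):
        expected = hmac.new(self._keys[name], data, hashlib.sha256).digest()
        return hmac.compare_digest(expected, seal)  # constant-time comparison


def store_trustlist(anchor, personality, trustlist):
    """Persist step: keep the TrustList bytes and the seal side by side."""
    return {"trustlist": trustlist,
            "seal": anchor.seal_detached(personality, trustlist)}


def load_trustlist(anchor, personality, stored):
    """Load step: refuse a TrustList whose seal does not verify."""
    if not anchor.verify_detached(personality, stored["trustlist"], stored["seal"]):
        raise ValueError("TrustList failed integrity check; not loading")
    return stored["trustlist"]


def demo():
    anchor = ModelTrustAnchor()
    anchor.create_personality("app-instance-1")  # constructed personality name
    # Constructed sample: placeholder bytes standing in for an encoded TrustList.
    trustlist = b"trusted:CN=Example Application CA"
    stored = store_trustlist(anchor, "app-instance-1", trustlist)
    ok = load_trustlist(anchor, "app-instance-1", stored) == trustlist
    # Simulate a modification of the stored file that adds an unapproved CA.
    tampered = dict(stored, trustlist=trustlist + b";trusted:CN=Unapproved CA")
    try:
        load_trustlist(anchor, "app-instance-1", tampered)
    except ValueError:
        return ok, True   # tampered TrustList was rejected
    return ok, False
```

The TrustList is not confidential, so it can stay in ordinary storage; only the sealing key has to be held by the trust anchor, and a list modified outside the provisioning flow fails the check at load time.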