OPC 30300: Generic Trust Anchor (GTA) API Profile


Released 1.00

2026-01-23

This document is subject to the license terms described here.

The general OPC Foundation specification license agreement also applies and can be found here.

This document is a copy of the original which can be found here.


1 Scope
2 Normative references
3 Terms, abbreviated terms and conventions
  3.1 Overview
  3.2 SecureElements for OPC UA based on ISO/IEC TS 30168 terms
    3.2.1 generic trust anchor application programming interface (GTA API)
    3.2.2 Personality
    3.2.3 Certificate
    3.2.4 SecureElement (SE)
    3.2.5 TrustAnchor
  3.3 Abbreviated terms
4 General information to ISO/IEC TS 30168 (GTA API) and OPC UA
  4.1 OPC UA Security Object Model
  4.2 ISO/IEC TS 30168 Concepts and OPC UA
    4.2.1 SecureElements
    4.2.2 Identifiers and Personalities
    4.2.3 GTA API and OPC UA object model mapping
  4.3 GTA API object identification and naming conventions for OPC UA
    4.3.1 General
    4.3.2 Naming Conventions
      4.3.2.1 GTA API identifiers
      4.3.2.2 GTA API personalities
    4.3.3 DeviceIdentity Personality
    4.3.4 DCA Personality Set
    4.3.5 Application Instance Personality Set
5 Use cases
  5.1 General
  5.2 Device onboarding
    5.2.1 Preconditions
    5.2.2 Selection of DeviceIdentity for onboarding
    5.2.3 Provisioning of DCA’s Application Instance (Certificate)
      5.2.3.1 Pull Management
      5.2.3.2 Push Management
  5.3 Update of DCA’s Application Instance (Certificate)
  5.4 Provisioning of Application Instance
  5.5 Use of Application Instance personality to establish a secure channel
    5.5.1 Elliptic Curve Profiles
    5.5.2 RSA Profiles
  5.6 CreateSession and ActivateSession
    5.6.1 Elliptic Curve Profiles
    5.6.2 RSA Profiles
  5.7 Rollback of device to “pre-onboarding” state
6 GTA API Profiles for OPC UA
  6.1 ECC-nistP256
    6.1.1 GTA API Creation Profile org.opcfoundation.ECC-nistP256
    6.1.2 GTA API Enrollment Profile org.opcfoundation.ECC-nistP256
    6.1.3 GTA API Usage Profile org.opcfoundation.ECC-nistP256
  6.2 Aes256-Sha256-RsaPss
    6.2.1 GTA API Creation Profile org.opcfoundation.Aes256-Sha256-RsaPss
    6.2.2 GTA API Enrollment Profile org.opcfoundation.Aes256-Sha256-RsaPss
    6.2.3 GTA API Usage Profile org.opcfoundation.Aes256-Sha256-RsaPss
7 Use case extensions
  7.1 Access control
    7.1.1 Initial Access
    7.1.2 Basic Access Tokens
    7.1.3 Personality Derived Access Tokens
Annex A – Implementation Examples
  A.1 Selection of personalities
    A.1.1 Enumerating all personalities by application
    A.1.2 Discover DeviceIdentity personality using attribute org.opcfoundation.product_instance_uri
  A.2 Examination of personality attributes
  A.3 Device onboarding for org.opcfoundation.ECC-nistP256
  A.4 Using org.opcfoundation.Aes256-Sha256-RsaPss to create an OpenSecureChannel Response
Annex B – Example Messages
  B.1 OpenSecureChannel Request example message (ECC-nistP256)
  B.2 OpenSecureChannel Request example message (Aes256-Sha256-RsaPss)