48 result(s) for ApplicationInstanceCertificate
-
OPC-10000-2 – OPC Unified Architecture - Part 2: Security Model
ApplicationInstanceCertificate Certificate that uniquely identifies an individual ApplicationInstance Note 1 to entry: Different installations of one software product would have different ApplicationInstanceCertificates. The use of an ApplicationInstanceCertificate for uses outside ... ApplicationInstanceCertificate and should be discouraged. Note 2 to entry: also written as ApplicationInstance Certificate
-
OPC-10000-4 – OPC Unified Architecture - Part 4: Services
ApplicationInstanceCertificate An ApplicationInstanceCertificate is a ByteString containing an encoded Certificate. The encoding of an ApplicationInstanceCertificate depends on the security technology mapping and is defined completely in OPC 10000-6. Table ... specifies the information that should be contained in an ApplicationInstanceCertificate. Table 110 - ApplicationInstanceCertificate Name Type Description ApplicationInstanceCertificate structure ApplicationInstanceCertificate with signature created by a Certificate Authority. version String An identifier
-
OPC-10000-2 – OPC Unified Architecture - Part 2: Security Model
intend to communicate to identify each other. Each OPC UA ApplicationInstance has a Certificate (ApplicationInstanceCertificate) assigned that is exchanged during SecureChannel establishment. The receiver of the Certificate checks whether
-
OPC-10000-2 – OPC Unified Architecture - Part 2: Security Model
important that an OPC UA Application supports the entire set of values for its ApplicationInstanceCertificate. This allows an end user to generate a key (ApplicationInstanceCertificate) that meets their security requirements
-
OPC-10000-2 – OPC Unified Architecture - Part 2: Security Model
9.1 Overview
generated by the Private Key associated with X.509 v3 Certificate that is the ApplicationInstanceCertificate) or can be signed by a Certificate Authority (The signature is generated by the Private
-
OPC-10000-2 – OPC Unified Architecture - Part 2: Security Model
listing what Clients a Server trusts by installing the Public Key of the Client ApplicationInstanceCertificate in the Trusted Certificate store of the Server could be acceptable
-
OPC-10000-2 – OPC Unified Architecture - Part 2: Security Model
this activity. Figure 12 - CA Certificate handling The administrator generates a CA signed ApplicationInstanceCertificate for all Clients and Servers that are installed in a system, but the administrator will only
-
OPC-10000-2 – OPC Unified Architecture - Part 2: Security Model
best practice for your OPC UA Application to automatically provide a self-signed ApplicationInstanceCertificate on installation. In addition, the OPC UA Application is able to easily replace the self-signed ... ApplicationInstanceCertificate with a CA issued ApplicationInstanceCertificate or have the self-signed certificate signed by a CA. The configuration of a TrustList should also be easily accomplished. Typically, TrustLists for Public
-
OPC-10000-4 – OPC Unified Architecture - Part 4: Services
5.5.4.1 Description
Server Application Instance Certificate Message Security Mode Security Policy Supported User Identity Tokens The ApplicationInstanceCertificate is used to secure the OpenSecureChannel request (see 5.6.2). The MessageSecurityMode and the SecurityPolicy tell ... None and none of the UserTokenPolicies requires encryption, the Client shall ignore the ApplicationInstanceCertificate. If the securityPolicyUri is not None or one of the UserTokenPolicies requires encryption, the Server shall
-
OPC-10000-4 – OPC Unified Architecture - Part 4: Services
5.6.2.2 Parameters
OpenSecureChannel request shall be signed with the private key for this Certificate. The ApplicationInstanceCertificate type is defined in 7.3. If the securityPolicyUri is None, the Server shall ignore the ApplicationInstanceCertificate
-
OPC-10000-4 – OPC Unified Architecture - Part 4: Services
5.7.2.1 Description
used until the Client calls the ActivateSession Service and proves possession of its ApplicationInstanceCertificate and any user identity token that it provided. A Server application should limit the number
-
OPC-10000-4 – OPC Unified Architecture - Part 4: Services
5.7.2.2 Parameters
check the length. The Server shall use this value to prove possession of its ApplicationInstanceCertificate in the response. clientCertificate ApplicationInstance Certificate The ApplicationInstanceCertificate issued to the Client. The ApplicationInstanceCertificate type ... defined in 7.3. If the securityPolicyUri is None, the Server shall ignore the ApplicationInstanceCertificate. If the SecurityMode is not None, a Client shall prove possession by using the private
-
OPC-10000-4 – OPC Unified Architecture - Part 4: Services
5.7.3.2 Parameters
check the length. The Client shall use this value to prove possession of its ApplicationInstanceCertificate in the next call to ActivateSession request. results [] StatusCode List of validation results
-
OPC-10000-4 – OPC Unified Architecture - Part 4: Services
Obtaining and installing an ApplicationInstanceCertificate All OPC UA Applications require an ApplicationInstanceCertificate which shall contain the following information: The network name or address of the computer where the application runs ... information but in this case the information is set to itself. In addition, each ApplicationInstanceCertificate has a private key which should be stored in a location that can only
-
OPC-10000-4 – OPC Unified Architecture - Part 4: Services
trust. An Application decides if another application is trusted by checking whether the ApplicationInstanceCertificate for the other application is trusted. A Certificate is only trusted if its chain ... types of Certificates. Some steps are skipped if the Certificate is not an ApplicationInstanceCertificate. ApplicationInstanceCertificates shall not be used in a Client or Server until they have been evaluated
-
OPC-10000-4 – OPC Unified Architecture - Part 4: Services
6.1.4 Creating a SecureChannel
Client and Server Certificates be issued by the same authority. A self-signed ApplicationInstanceCertificate does not need to be verified with a CA. Any Certificate shall be rejected
-
OPC-10000-4 – OPC Unified Architecture - Part 4: Services
SecureChannel does not use ApplicationInstanceCertificates, the OPC UA Application should execute ApplicationInstanceCertificate checks for the Session at a rate used for SecureChannel renewals. The recovery mechanisms for ApplicationInstanceCertificate replacement scenarios
-
OPC-10000-4 – OPC Unified Architecture - Part 4: Services
OctetString with 0 length. If a ChannelCertificate is the same as the corresponding ApplicationInstance Certificate then the same byte sequence is repeated in the data to sign. A Signature shall
-
OPC-10000-4 – OPC Unified Architecture - Part 4: Services
connection by creating a new SecureChannel may be rejected, because of a new Server ApplicationInstanceCertificate or other security errors. OpenSecureChannel returns Bad_CertificateInvalid in the case of a new Server ... fetch the most up to date security information from the Server. If the Client ApplicationInstanceCertificate is updated, the Client shall create a new Session since the Session does not allow
-
OPC-10000-4 – OPC Unified Architecture - Part 4: Services
7.14 EndpointDescription
Endpoint belongs to. The ApplicationDescription type is defined in 7.2. serverCertificate ApplicationInstance Certificate The ApplicationInstanceCertificate issued to the Server. The ApplicationInstanceCertificate type is defined in 7.3. securityMode Enum MessageSecurityMode
-
OPC-10000-4 – OPC Unified Architecture - Part 4: Services
7.15 EphemeralKeyType
specified by the current SecurityPolicyUri. signature ByteString The Signature calculated using the ApplicationInstanceCertificate used with the current SecureChannel. The value of the Public Key field is the data used
-
OPC-10000-4 – OPC Unified Architecture - Part 4: Services
7.41 UserTokenPolicy
that the Server does not require any user identification. In this case, the Client ApplicationInstanceCertificate is used as the user identification. issuedTokenType String A URI for the type of token
-
OPC-10000-6 – OPC Unified Architecture - Part 6: Mappings
6.2.1 General
ClientCertificate parameters used in the abstract OpenSecureChannel service are typically instances of the ApplicationInstance Certificate DataType. Clause 6.2.2 describes how to create an X.509 v3 Certificate that can be used ... ApplicationInstance Certificate. Other types of Certificates that may be used in OpenSecureChannel are defined in OPC 10000-21. Certificates are also used as form of UserIdentityToken which identifies a user
-
OPC-10000-6 – OPC Unified Architecture - Part 6: Mappings
Application Instance Certificate An Application Instance Certificate is a ByteString containing the DER encoded form (see X.690) of an X.509 v3 Certificate. This Certificate is issued by certifying authority ... application running on a single host. The X.509 v3 fields contained in an Application Instance Certificate are described in Table 50. The fields are defined completely in IETF
-
OPC-10000-6 – OPC Unified Architecture - Part 6: Mappings
rights to launch the application. ApplicationCertificate CertificateIdentifier The identifier for the Application Instance Certificate. Applications allow this value to be read or changed. This identifier may reference a Certificate store ... accessible to outside applications this value contain the X.509 v3 Certificate for the application. If the configuration utility assigns a new private key this value reference the store where
-
OPC-10000-12 – OPC Unified Architecture - Part 12: Discovery and Global Services
7.8.3.4 CertificateGroupDataType
they are deleted if no Certificate is assigned. The update is rejected if a Certificate is assigned to a deleted CertificateType. The DeleteCertificate Method is used to remove Certificates ... Purpose is ApplicationCertificate Type then the CertificateGroup is used to specify Certificates used as ApplicationInstance Certificate. A NULL value is not valid. CertificateTypes 0:NodeId[] The list of CertificateTypes supported
-
OPC-10000-12 – OPC Unified Architecture - Part 12: Discovery and Global Services
7.8.4.2 ApplicationCertificateType
type is an abstract base type for types that describe the purpose of an ApplicationInstanceCertificate. This type is defined in Table 47. Table 47 - ApplicationCertificateType Definition Attribute Value BrowseName
-
OPC-10000-12 – OPC Unified Architecture - Part 12: Discovery and Global Services
7.8.4.8 RsaMinApplicationCertificateType
RsaMinApplicationCertificateType This type is used to describe Certificates intended for use as an ApplicationInstanceCertificate. They shall have an RSA key size of 1024 or 2048 bits. All Applications which support
-
OPC-10000-12 – OPC Unified Architecture - Part 12: Discovery and Global Services
RsaSha256ApplicationCertificateType This type is used to describe Certificates intended for use as an ApplicationInstanceCertificate. They shall have an RSA key size of 2048, 3072 or 4096 bits. All Applications which
-
OPC-10000-12 – OPC Unified Architecture - Part 12: Discovery and Global Services
7.8.4.10 EccApplicationCertificateType
EccApplicationCertificateType This type is used to describe Certificates intended for use as an ApplicationInstanceCertificate. They shall have an ECC Public Key. Applications which support the ECC profiles
-
OPC-10000-12 – OPC Unified Architecture - Part 12: Discovery and Global Services
EccNistP256ApplicationCertificateType This type is used to describe Certificates intended for use as an ApplicationInstanceCertificate. They shall have an ECC nistP256 Public Key. Applications which support the ECC NIST P256 curve
-
OPC-10000-12 – OPC Unified Architecture - Part 12: Discovery and Global Services
EccNistP384ApplicationCertificateType This type is used to describe Certificates intended for use as an ApplicationInstanceCertificate. They shall have an ECC nistP384 Public Key. Applications which support the ECC NIST P384 curve
-
OPC-10000-12 – OPC Unified Architecture - Part 12: Discovery and Global Services
EccBrainpoolP256r1ApplicationCertificateType This type is used to describe Certificates intended for use as an ApplicationInstanceCertificate. They shall have an ECC brainpoolP256r1 Public Key. Applications which support the ECC brainpoolP256r1 curve profiles
-
OPC-10000-12 – OPC Unified Architecture - Part 12: Discovery and Global Services
EccBrainpoolP384r1ApplicationCertificateType This type is used to describe Certificates intended for use as an ApplicationInstanceCertificate. They shall have an ECC brainpoolP384r1 Public Key. Applications which support the ECC brainpoolP384r1 curve profiles
-
OPC-10000-12 – OPC Unified Architecture - Part 12: Discovery and Global Services
EccCurve25519ApplicationCertificateType This type is used to describe Certificates intended for use as an ApplicationInstanceCertificate. They shall have an ECC curve25519 Public Key. Applications which support the ECC curve25519 curve profiles
-
OPC-10000-12 – OPC Unified Architecture - Part 12: Discovery and Global Services
EccCurve448ApplicationCertificateType This type is used to describe Certificates intended for use as an ApplicationInstanceCertificate. They shall have an ECC curve448 Public Key. Applications which support the ECC curve448 curve profiles
-
OPC-10000-12 – OPC Unified Architecture - Part 12: Discovery and Global Services
7.9.3 StartSigningRequest
CertificateType for the new Certificate. If null the CertificateManager shall generate a Certificate based on the value of the CertificateGroupId argument. CertificateRequest A CertificateRequest used to prove possession ... PKCS #10 encoded blob in DER format. If the CertificateRequest is for an ApplicationInstance Certificate then it shall include all fields required by OPC 10000-6 such as the subjectAltName
-
OPC-10000-12 – OPC Unified Architecture - Part 12: Discovery and Global Services
7.10.10 CreateSigningRequest
CertificateRequest The PKCS #10 DER encoded Certificate Request. If the CertificateRequest is for an ApplicationInstance Certificate then it shall include all fields required by OPC 10000-6 such
-
OPC-10000-12 – OPC Unified Architecture - Part 12: Discovery and Global Services
UserTokenPolicies Property. If the IdentityToken is not provided the Server should use the ApplicationInstanceCertificate and/or the UserIdentityToken provided for the Session (or the request if using a Session-less Method
-
OPC-10000-12 – OPC Unified Architecture - Part 12: Discovery and Global Services
that use the same HostName. A Server with multiple HostNames shall also return an ApplicationInstance Certificate that specifies the HostName used in the URL it returns. An Administrator may create
-
OPC-10000-18 – OPC Unified Architecture - Part 18: Role-Based Security
4.4.1 RoleType definition
mapping rules, then the Method shall not be present. The AddApplication Method adds an ApplicationInstance Certificate to the list of Applications. If the Server does not enforce application restrictions ... Role the Method shall not be present. The RemoveApplication Method removes an ApplicationInstance Certificate from the list of Applications. If the Server does not enforce application restrictions or does
-
OPC-10000-21 – OPC Unified Architecture - Part 21: Device Onboarding
3.1.2 ApplicationUri
Application running on a particular Device. Note 3 to entry: The Application Instance Certificate has the ApplicationUri in the subjectAltName field
-
OPC-10000-21 – OPC Unified Architecture - Part 21: Device Onboarding
6.3 Authentication
configured to use any of its DeviceIdentity Certificates as its Application Instance Certificate. Note that DeviceIdentity Certificates will not have a DNS name or IP address because these values ... Registrar, it is provided with an Application Instance Certificate, called a DCA Certificate, that is used for any subsequent communication. The DCA Certificate will have a shorter lifespan
-
OPC-10000-21 – OPC Unified Architecture - Part 21: Device Onboarding
7.1 Overview
secure connection to the Device using the selected DeviceIdentity Certificate. Issue a DCA Application Instance Certificate to the Device that indicates that it has been authenticated. The initial communication between ... Instance Certificate to the DCA which will allow the DCA to be used to provision the other Applications running on the Device. This Certificate is called the DCA Certificate. When
-
OPC-10000-21 – OPC Unified Architecture - Part 21: Device Onboarding
7.2 Pull Management
rogue Registrars since the DCA always trusts the first Registrar that provides an Application Instance Certificate. Once connected to a Registrar the Device provides all of its DeviceIdentity Certificates ... connect to an untrusted Registrar once it has a TrustList. The process for requesting Application Instance Certificates is shown in Figure 5. Figure 5 - Requesting Certificates using Pull Management
-
OPC-10000-21 – OPC Unified Architecture - Part 21: Device Onboarding
7.3 Push Management
network, the DCA shall accept the first one to provide an Application Instance Certificate and a TrustList. Once configured, the DCA shall reject connections from Registrars that ... TRUE on the ProvisionableDevice Object (see 9.3.2). Registrar that shall provide a normal Application Instance Certificate to the DCA that cannot be used to configure other Applications
-
OPC-10000-21 – OPC Unified Architecture - Part 21: Device Onboarding
9.3.1 Overview
Device. The DefaultApplicationGroup Object is a well-known CertificateGroup that stores the Application Instance Certificate and TrustList for the DCA provided by the Registrar. This group is initially empty when ... Reference from the ServerConfiguration CertificateGroups Folder to the CertificateGroup Object under the Application
-
OPC-10000-21 – OPC Unified Architecture - Part 21: Device Onboarding
9.3.3 ProvisionableDeviceType
tells Registrar that the DCA Certificate shall have rights associated with an Application Instance Certificate (i.e., it cannot be used to access the security configuration for different Applications). A ProvisionableDevice