Search
177 result(s) for Certificate
- OPC-10000-1 – OPC Unified Architecture - Part 1: Overview and Concepts, 2.1.6 Certificate: Certificate: digitally signed data structure that contains a public key and an identity. Note 1 to entry: Certificates are used to identify, for example, Clients, Servers, users, and certificate authorities
- OPC-10000-1 – OPC Unified Architecture - Part 1: Overview and Concepts: Clients and Servers should interact with them. It also defines Information Models for Certificate management, key credential management, and authorization services. Part 13 (OPC 10000-13) - Aggregates: Part 13 specifies
- OPC-10000-1 – OPC Unified Architecture - Part 1: Overview and Concepts, 5.7.3 Certificate management: OPC UA Applications rely on Digital (X.509) Certificates as the basis for trust. In systems it is highly desirable to assign and manage the Certificates used ... they all need periodic maintenance (e.g., updates to trust lists and revocation lists, Certificate renewals, etc.). OPC 10000-12 describes the centralized Certificate management services
- OPC-10000-1 – OPC Unified Architecture - Part 1: Overview and Concepts, 5.7.6 Device Onboarding: additional network-based provisioning can be done. For example, the assignment of a Certificate using the Certificate management services as described in 5.7.3. OPC 10000-21 defines a standard process
- OPC-10000-2 – OPC Unified Architecture - Part 2: Security Model, ApplicationInstanceCertificate: Certificate that uniquely identifies an individual ApplicationInstance. Note 1 to entry: Different installations of one software product would have different ApplicationInstanceCertificates. The use of an ApplicationInstanceCertificate for uses outside ... ApplicationInstanceCertificate and should be discouraged. Note 2 to entry: also written as ApplicationInstance Certificate
- OPC-10000-2 – OPC Unified Architecture - Part 2: Security Model, 3.1.16 Certificate Authority: entity that can issue Certificates, also known as a CA. Note 1 to entry: The Certificate certifies the ownership of a Public Key by the named subject ... Certificate. This allows others (relying parties) to rely upon signatures or assertions made by the Private Key that corresponds to the Public Key that is certified. In this model
- OPC-10000-2 – OPC Unified Architecture - Part 2: Security Model, 3.1.17 CertificateStore: persistent location where Certificates and Certificate revocation lists (CRLs) are stored. Note 1 to entry: It could be a disk-resident file structure or on Windows platforms
- OPC-10000-2 – OPC Unified Architecture - Part 2: Security Model, 3.1.37 Public Key Infrastructure: needed to validate Certificates. Key pairs for data Confidentiality could be generated by a Certificate authority (CA); but it is better to have the Private Key owner generate
- OPC-10000-2 – OPC Unified Architecture - Part 2: Security Model, 3.1.48 TrustList: list of Certificates that an OPC UA Application has been configured to trust
- OPC-10000-2 – OPC Unified Architecture - Part 2: Security Model, 3.1.50 X.509 Certificate: Certificate in one of the formats defined by X.509 v1, 2, or 3. Note 1 to entry: An X.509 Certificate contains a sequence of data items
- OPC-10000-2 – OPC Unified Architecture - Part 2: Security Model: communication is shown in Figure 1. OPC UA also defines global services such as Certificate management, KeyCredential management, AuthorizationService, and GlobalDiscoveryServer (GDS) to help manage security and other global functionality
- OPC-10000-2 – OPC Unified Architecture - Part 2: Security Model, Compromising user credentials: An attacker obtains user credentials such as usernames, passwords, Certificates, or keys by observing them on papers, on screens, or in electronic communications, or by cracking
- OPC-10000-2 – OPC Unified Architecture - Part 2: Security Model: that intend to communicate to identify each other. Each OPC UA ApplicationInstance has a Certificate (ApplicationInstanceCertificate) assigned that is exchanged during SecureChannel establishment. The receiver of the Certificate checks whether ... trusts the Certificate and, based on this check, it accepts or rejects the request or response Message from the sender (see OPC 10000-4, Determining if a Certificate is Trusted
- OPC-10000-2 – OPC Unified Architecture - Part 2: Security Model: Client to obtain information about the security policies (see 4.6) and the Certificates of specific OPC UA Servers. The services of the SecureChannel Service Set (specified ... create this shared key. The OPC UA Client retrieves the security policies and Certificates of the OPC UA Server by the previously mentioned discovery services. These Certificates contain
- OPC-10000-2 – OPC Unified Architecture - Part 2: Security Model, 5.1.10 Rogue Server or Publisher: Server ApplicationInstanceCertificates. There would still be the possibility that a rogue Server provides a Certificate from a trusted OPC UA Server, but since it does not possess the appropriate Private
- OPC-10000-2 – OPC Unified Architecture - Part 2: Security Model: Client and Server applications identify and authenticate themselves with X.509 v3 Certificates and associated private keys (X.509 v3 Certificates are defined in X509). Some choices of the communication ... stack require these Certificates to represent the machine or user instead of the application. For publish-subscribe communications, Client-Server communication is required to obtain the shared keys from
- OPC-10000-2 – OPC Unified Architecture - Part 2: Security Model, 5.2.3 User Authentication: Applications accept tokens in any of the following forms: username/password, X.509 v3 Certificate (see X509), or JSON Web Token (JWT). As specified in the CreateSession and ActivateSession Services ... UserIdentityToken is a Certificate, then this token is validated with a challenge-response process. The Server provides a Nonce and signing algorithm as the challenge in its CreateSession response
- OPC-10000-2 – OPC Unified Architecture - Part 2: Security Model, 9.1 Overview: completely described in OPC 10000-6. These data items describe the ApplicationInstance that the Certificate is assigned to. The Certificates include a Digital Signature by the generator of the Certificate ... self-signed (the signature is generated by the Private Key associated with the X.509 v3 Certificate that is the ApplicationInstanceCertificate) or can be signed by a Certificate Authority (the signature
- OPC-10000-2 – OPC Unified Architecture - Part 2: Security Model, Self-signed certificate management: The major difference between CA-signed and self-signed Certificates in an OPC UA installation is the effort required to deploy and maintain the Certificates ... choice of when to use a CA-issued Certificate versus a self-signed Certificate depends on the installation and site requirements. Figure 11 illustrates the work that is required
- OPC-10000-2 – OPC Unified Architecture - Part 2: Security Model, Signed Certificate management: In systems with multiple Servers and Clients, the installation of Public Keys in TrustLists can very quickly become cumbersome. In these instances, the use of a company ... installation/configuration issues. The CA can also provide additional benefits such as management of Certificate expiration and Certificate Revocation Lists (CRL). Figure 12 provides an illustration of this activity. Figure
- OPC-10000-2 – OPC Unified Architecture - Part 2: Security Model, Certificate management for developers: From a developer's point of view, it is a best practice for your OPC UA Application to automatically provide a self-signed ApplicationInstanceCertificate on installation ... self-signed ApplicationInstanceCertificate with a CA-issued ApplicationInstanceCertificate or have the self-signed certificate signed by a CA. The configuration of a TrustList should also be easily accomplished. Typically, TrustLists
- OPC-10000-3 – OPC Unified Architecture - Part 3: Address Space Model, 4.2 URIs: assigned by the OwnerOperator or automatically created by the application software. An ApplicationInstance Certificate has the ApplicationUri in the subjectAltName (see OPC 10000-6); ProductInstanceUris identify a Device ... assigned by the Device Manufacturer (see OPC 10000-21). A DeviceIdentity Certificate has the ProductInstanceUri in the subjectAltName. These URIs conform to RFC 3986; however, this specification is very open
- OPC-10000-3 – OPC Unified Architecture - Part 3: Address Space Model, 4.9.1 Overview: Role is always assigned when a Session has been authenticated with a trusted ApplicationInstance Certificate (see OPC 10000-4) and uses at least a signed communication channel. The standard mapping ... user groups. Application identity mappings are based on the ApplicationUri specified in the Client Certificate. Application identity can only be enforced if the Client proves possession of a trusted Certificate
- OPC-10000-4 – OPC Unified Architecture - Part 4: Services, 5.5.1 Overview: shall allow Administrators to disable the DiscoveryEndpoint. If GetEndpoints is disabled and the Server Certificate is updated either automatically with Certificate Manager or manually, Clients will no longer be able ... CreateSession response. A Client shall verify that: the ApplicationUri specified in the Server Certificate is the same as the ApplicationUri provided in the EndpointDescription returned from the CreateSession response. The Server
- OPC-10000-4 – OPC Unified Architecture - Part 4: Services, 5.6.2.1 Description: securityPolicyUri is not None, a Client shall verify that the HostName specified in the Server Certificate is the same as the HostName contained in the endpointUrl. If there is a difference ... SecureChannel. Servers shall add all possible HostNames, like MyHost and MyHost.mycompany.com, into the Server Certificate. This includes IP addresses of the host or the HostName exposed by a NAT router
- OPC-10000-4 – OPC Unified Architecture - Part 4: Services, 5.6.2.2 Parameters: authenticationToken is always null. The type RequestHeader is defined in 7.32. clientCertificate (ApplicationInstanceCertificate): A Certificate that identifies the Client. The OpenSecureChannel request shall be signed with the private ... this Certificate. The ApplicationInstanceCertificate type is defined in 7.3. If the securityPolicyUri is None, the Server shall ignore the ApplicationInstanceCertificate. requestType (Enum SecurityTokenRequestType): The type of SecurityToken request
- OPC-10000-4 – OPC Unified Architecture - Part 4: Services, 5.7.2.1 Description: shall also provide a SecureChannelId, which uniquely identifies the SecureChannel, or the Client Certificate used to establish the SecureChannel. The Server uses one of these to identify the SecureChannel used ... Administrator. The Client shall check that the ApplicationUri specified in the Server Certificate matches the ApplicationUri provided in the EndpointDescription returned by the CreateSession response. If it does not match
- OPC-10000-4 – OPC Unified Architecture - Part 4: Services, 5.7.2.2 Parameters: this value to prove possession of its ApplicationInstanceCertificate in the response. clientCertificate (ApplicationInstanceCertificate): The ApplicationInstanceCertificate issued to the Client. The ApplicationInstanceCertificate type is defined in 7.3. If the securityPolicyUri ... prove possession of the userIdentityToken it specified in the ActivateSession request. serverCertificate (ApplicationInstanceCertificate): The ApplicationInstanceCertificate issued to the Server. A Server shall prove possession by using the private
- OPC-10000-4 – OPC Unified Architecture - Part 4: Services, 5.7.3.1 Description: different SecureChannels. If this is the case, then the Server shall verify that the Certificate the Client used to create the new SecureChannel is the same as the Certificate used ... X509IdentityToken, then the proof is a signature generated with the private key associated with the Certificate. The data to sign is created by appending the last serverNonce to the serverCertificate specified
- OPC-10000-4 – OPC Unified Architecture - Part 4: Services: application; the URI of the application instance; the validFrom and validTo date for the Certificate. ApplicationInstanceCertificates issued by a Certificate Authority (CA) shall contain the following additional information: the name ... Certificate Authority that issued the Certificate; the public key issued to the application by the Certificate Authority; a digital signature created by the Certificate Authority. Note: Self-signed Certificates contain
- OPC-10000-4 – OPC Unified Architecture - Part 4: Services, Determining if a Certificate is trusted: Applications shall never communicate with another application that they do not trust. An Application decides if another application is trusted by checking whether ... ApplicationInstanceCertificate for the other application is trusted. A Certificate is only trusted if its chain can be validated. Applications shall rely on lists of Certificates provided by the Administrator
- OPC-10000-4 – OPC Unified Architecture - Part 4: Services, 6.1.4 Creating a SecureChannel: self-signed ApplicationInstanceCertificate does not need to be verified with a CA. Any Certificate shall be rejected if it is not in a TrustList provided by the administrator. Both ... list of Certificates that they have been configured to trust (sometimes called the Certificate Trust List or CTL). These trusted Certificates may be Certificates for Certificate Authorities or they
- OPC-10000-4 – OPC Unified Architecture - Part 4: Services, 6.1.5 Creating a Session, Establishing a Session: Figure 22 illustrates the interactions between a Client, a Server, a Certificate Authority (CA) and an identity provider. The CA is responsible for issuing the ApplicationInstanceCertificates ... identity provider depends on the user identity token. It could be a Certificate Authority, an Authorization Service or a proprietary database of some sort. The Client and Server shall prove
- OPC-10000-4 – OPC Unified Architecture - Part 4: Services: create it. The calculation method uses the following values: the ChannelThumbprint; the Server SecureChannel Certificate (ServerChannelCertificate); the Client SecureChannel Certificate (ClientChannelCertificate); the Server Application Certificate (ServerCertificate); the Client ... Application Certificate (ClientCertificate); the ServerNonce returned in CreateSession or ActivateSession; the ClientNonce passed in CreateSession. The ChannelThumbprint is a unique identifier for the SecureChannel computed when the SecureChannel is created
- OPC-10000-4 – OPC Unified Architecture - Part 4: Services: exact details of the failure need to be known. In the case of Certificate validation errors, the CertificateErrorEventId of the AuditOpenSecureChannelEventType should include the audit EventId of the specific AuditCertificateEventType ... that was generated to report the Certificate error. The AuditCertificateEventType shall also contain the detailed Certificate validation error. The additional parameters should include the details of the request
- OPC-10000-4 – OPC Unified Architecture - Part 4: Services: request. This Service Set shall also generate additional audit events in the cases when Certificate validation errors occur. These audit Events are generated in addition to the AuditSessionEventType Events
- OPC-10000-4 – OPC Unified Architecture - Part 4: Services: activate the Session, the Client shall use the same security policy, application instance certificate and the same user credential used to create the original SecureChannel. This will result ... security errors. OpenSecureChannel returns Bad_CertificateInvalid in the case of a new Server ApplicationInstance Certificate. In case of security failures, the Client shall use the GetEndpoints Service to fetch
- OPC-10000-4 – OPC Unified Architecture - Part 4: Services, ApplicationInstanceCertificate: An ApplicationInstanceCertificate is a ByteString containing an encoded Certificate. The encoding of an ApplicationInstanceCertificate depends on the security technology mapping and is defined completely in OPC 10000-6. Table ... Table 110 - ApplicationInstanceCertificate (Name / Type / Description): ApplicationInstanceCertificate (structure): ApplicationInstanceCertificate with signature created by a Certificate Authority. version (String): An identifier for the version of the Certificate encoding. serialNumber (ByteString)
- OPC-10000-4 – OPC Unified Architecture - Part 4: Services: particular Session. This identifier is used in conjunction with the SecureChannelId or Client Certificate to authenticate incoming messages. It is the secret form of the sessionId for internal ... verify the sender of the message, and it uses the SecureChannelId or the Client Certificate to identify the sender to the Server. In these cases, the SessionAuthenticationToken is a NodeId
- OPC-10000-4 – OPC Unified Architecture - Part 4: Services, 7.36 SignatureData (Name / Type / Description): SignatureData (structure): Contains a digital signature created with a Certificate. algorithm (String): A string containing the URI of the algorithm. The URI is NULL or Empty ... signature (ByteString): This is a signature generated with the private key associated with a Certificate
- OPC-10000-4 – OPC Unified Architecture - Part 4: Services, 7.38.2 Common StatusCodes: HostName used to connect to a Server does not match a HostName in the Certificate. Bad_CertificateChainIncomplete: The Certificate chain is incomplete. Bad_CertificateIssuerRevocationUnknown: It was not possible to determine ... Issuer Certificate has been revoked. Bad_CertificateIssuerUseNotAllowed: The Issuer Certificate may not be used for the requested operation. Bad_CertificateIssuerTimeInvalid: An Issuer Certificate has expired or is not yet valid
- OPC-10000-4 – OPC Unified Architecture - Part 4: Services, 7.40.1 Overview: identified by user name and password. X509IdentityToken: A user identified by an X.509 v3 Certificate. IssuedIdentityToken: A user identified by a token issued by an external Authorization Service
- OPC-10000-4 – OPC Unified Architecture - Part 4: Services, 7.40.2.1 Overview: attacker to gain access to the system. Clients shall validate the Server Certificate and ensure it is trusted before sending a UserIdentityToken encrypted with the Certificate. The encrypted secret
- OPC-10000-4 – OPC Unified Architecture - Part 4: Services, 7.40.2.2 Legacy Encrypted Token Secret Format: secret. The data is then encrypted with the public key from the Server's Certificate. A Client should not add any padding after the secret. If a Client adds padding
- OPC-10000-4 – OPC Unified Architecture - Part 4: Services, 7.40.2.3 EncryptedSecret Format: including the Signature. SecurityPolicyUri (String): The URI for the SecurityPolicy used to apply security. Certificate (ByteString): The signing and/or encrypting Certificate. SigningTime (DateTime): When the Signature was created. KeyDataLength (UInt16)
- OPC-10000-4 – OPC Unified Architecture - Part 4: Services, 7.40.2.5 EccEncryptedSecret: DataType (Byte): See Table 183. Length (UInt32): See Table 183. SecurityPolicyUri (String): See Table 183. Certificate (ByteString): The signing Certificate encoded in DER form. The value shall include the entire chain ... UserIdentityToken to a Server over a SecureChannel and the SigningCertificate is the Client ApplicationInstance Certificate. SigningTime (DateTime): See Table 183. KeyDataLength (UInt16): The length of the KeyData without encryption. KeyData
- OPC-10000-4 – OPC Unified Architecture - Part 4: Services, 7.40.5 X509IdentityTokens: The X509IdentityToken is used to pass an X.509 v3 Certificate which is issued by the user. This token shall always be accompanied by a Signature in the userTokenSignature parameter ... accept null or empty and treat them as equal. certificateData (ByteString): The X.509 v3 Certificate in DER format
- OPC-10000-4 – OPC Unified Architecture - Part 4: Services, 7.42 UserTokenType (Name / Value / Description): ANONYMOUS (0): No token is required. USERNAME (1): A username/password token. CERTIFICATE (2): An X.509 v3 Certificate token. ISSUEDTOKEN (3): Any token issued by an Authorization Service
- OPC-10000-5 – OPC Unified Architecture - Part 5: Information Model, 6.4.3 AuditEventType: Server is unable to decrypt AuditEntryId due to a certificate check failure, then some Client identification should be used, such as the Client's IP Address, port, MAC address and/or ... X509IdentityToken, then the ClientUserId shall be the X509 Subject Name of the Certificate. If the UserIdentityToken is an IssuedIdentityToken, then the ClientUserId shall be a string that represents the owner
- OPC-10000-5 – OPC Unified Architecture - Part 5: Information Model, 6.4.12 AuditCertificateEventType: defined in 6.4.7, which means it inherits the InstanceDeclarations of that Node. HasProperty Variable Certificate ByteString PropertyType Mandatory; Conformance Units: Auditing Connections. This EventType inherits all Properties of the AuditSecurityEventType ... SourceName for Events of this type shall be "Security/Certificate". Certificate is any certificate validated by a Server that encountered a validation issue (i.e. users, applications, etc.). Additional subtypes
- OPC-10000-6 – OPC Unified Architecture - Part 6: Mappings, 3.1.1 CertificateThumbprint: short identifier used to uniquely identify an X.509 v3 Certificate. Note 1 to entry: This is a cryptographic hash of the DER encoded form of the Certificate. Note
- OPC-10000-6 – OPC Unified Architecture - Part 6: Mappings: original mechanisms are used. CertificateThumbprintAlgorithm: The cryptographic hash algorithm used to create a Certificate thumbprint. If not specified, the SHA1 algorithm is used. The KeyDerivationAlgorithm is used to create ... Certificates shall be less than or equal to the key length of the issuer Certificate. See 6.2.6 for information on Certificate chains. The CertificateKeyAlgorithm and EphemeralKeyAlgorithm are used to generate
- OPC-10000-6 – OPC Unified Architecture - Part 6: Mappings, 6.2.1 General: ClientCertificate parameters used in the abstract OpenSecureChannel service are typically instances of the ApplicationInstance Certificate DataType. Clause 6.2.2 describes how to create an X.509 v3 Certificate that can be used ... ApplicationInstance Certificate. Other types of Certificates that may be used in OpenSecureChannel are defined in OPC 10000-21. Certificates are also used as a form of UserIdentityToken which identifies a user
- OPC-10000-6 – OPC Unified Architecture - Part 6: Mappings, Application Instance Certificate: An Application Instance Certificate is a ByteString containing the DER encoded form (see X.690) of an X.509 v3 Certificate. This Certificate is issued by a certifying authority ... running on a single host. The X.509 v3 fields contained in an Application Instance Certificate are described in Table 50. The fields are defined completely in IETF RFC 5280. Table
- OPC-10000-6 – OPC Unified Architecture - Part 6: Mappings, 6.2.3 User Certificates: A User Certificate is a Certificate that is issued by a certifying authority and identifies a user. The X.509 v3 fields in a User Certificate with specific requirements are shown ... Table 51. Table 51 - User Certificate (Field / Description): subject: The distinguished name of the User. The Common Name attribute shall be specified and should be the name of the user
- OPC-10000-6 – OPC Unified Architecture - Part 6: Mappings, 6.2.4 Issuer (CA) Certificates: An Issuer or CA Certificate is an X.509 v3 Certificate that identifies an authority that issues Certificates. An Issuer Certificate may identify a root ... Issuer Certificates with specific requirements are shown in Table 52. Table 52 - Issuer Certificate (Field / Description): subject: The distinguished name for the authority. The Common Name attribute shall
- OPC-10000-6 – OPC Unified Architecture - Part 6: Mappings, 6.2.6 Certificate Chains: Any X.509 v3 Certificate may be signed by a CA, which means that validating the signature requires access to the X.509 v3 Certificate belonging to the signing CA. Whenever ... application validates a Certificate (see OPC 10000-4), it shall recursively build a chain of Certificates by finding the issuer Certificate, validating the Certificate and then repeating the process
- OPC-10000-6 – OPC Unified Architecture - Part 6: Mappings, 6.5.2.3 Access Tokens: which implies that Servers which accept the Access Token must have access to the Certificate used by the Authorization Service. All Access Tokens shall have a signature created ... shall be checked before accepting the token. cnf (object, Required: No): The thumbprint of the Certificate which shall be used with the token. If present, the Server shall not accept
- OPC-10000-6 – OPC Unified Architecture - Part 6: Mappings, 6.7.2.3 Security Header: SenderCertificate in bytes. This value shall not exceed MaxSenderCertificateSize bytes. If a certificate is not specified, this value may be 0 or -1. Other negative values are invalid. SenderCertificate Byte ... X.509 v3 Certificate assigned to the sending application Instance. This is a DER encoded blob. The structure of an X.509 v3 Certificate is defined in X.509 v3. The DER format
- OPC-10000-6 – OPC Unified Architecture - Part 6: Mappings: finishes processing the OpenSecureChannel response. The Client shall close the SecureChannel if the Certificate used to sign the response is not the same as the Certificate used to encrypt
- OPC-10000-6 – OPC Unified Architecture - Part 6: Mappings: CertificateInvalid error if it does not recognize it. The receiver shall check that the Certificate is trusted first and return Bad_SecurityChecksFailed on error. The receiver shall then verify ... rules defined in OPC 10000-4. The receiver shall report the appropriate error if Certificate validation fails. If the Message is secured with symmetric algorithms, then a Bad_SecureChannelTokenUnknown
- OPC-10000-6 – OPC Unified Architecture - Part 6: Mappings, 6.8.1 Secure Channel Handshake: IETF RFC 8422 and is shown in Figure 15. Figure 15 - ECC Key Negotiation. Certificates for ECC have a public-private key pair that is used to create ... specifies exactly one named curve which is used for the EphemeralKeys. Each ECC Certificate is also based on a named curve. Each SecurityPolicy specifies a list of named curves which
- OPC-10000-6 – OPC Unified Architecture - Part 6: Mappings: ffdhe3072 384 275. The RSA PublicKey Length is the minimum key length for Certificate PublicKeys allowed by the SecurityPolicy. The choice of group determines the DH parameters
- OPC-10000-6 – OPC Unified Architecture - Part 6: Mappings, 7.1.5 Error handling: SecureChannelTokenUnknown: The SecurityToken has expired or is not recognized. Bad_CertificateUntrusted: The sender Certificate is not trusted by the receiver. Bad_CertificateTimeInvalid: The sender Certificate has expired ... valid. Bad_CertificateIssuerTimeInvalid: The issuer for the sender Certificate has expired or is not yet valid. Bad_CertificateUseNotAllowed: The sender's Certificate shall not be used for establishing a secure
- OPC-10000-6 – OPC Unified Architecture - Part 6: Mappings, 7.4.1 Overview: shall support HTTP and TLS. Some HTTPS implementations require that all Servers have a Certificate with a Common Name (CN) that matches the DNS name of the Server machine. This ... accepted by all web browsers which require access to the Server. The set of Certificate authorities accepted by the web browsers is determined by the organization that manages the Client
- OPC-10000-6 – OPC Unified Architecture - Part 6: Mappings, 7.5.3 Security: The WebSockets protocol requires that the Server have a Certificate; however, the Client may have a Certificate. The Server Certificate should have the domain name as the common name ... component of the subject name; however, Clients that are able to override the Certificate validation procedure can choose to accept Certificates with a domain mismatch. When using the WebSockets transport
- OPC-10000-6 – OPC Unified Architecture - Part 6: Mappings: rights to launch the application. ApplicationCertificate (CertificateIdentifier): The identifier for the Application Instance Certificate. Applications allow this value to be read or changed. This identifier may reference a Certificate store ... private key is not accessible to outside applications, this value contains the X.509 v3 Certificate for the application. If the configuration utility assigns a new private key, this value references
- OPC-10000-6 – OPC Unified Architecture - Part 6: Mappings, CertificateIdentifier: The CertificateIdentifier element describes an X.509 v3 Certificate. The Certificate can be provided explicitly within the element or the element can specify the location of the CertificateStore that contains ... Certificate. The elements contained in a CertificateIdentifier are described in Table E.2. Table E.2 - CertificateIdentifier (Element / Type / Description): StoreType (String): The type of CertificateStore that contains the Certificate. Predefined values
- OPC-10000-6 – OPC Unified Architecture - Part 6: Mappings, CertificateStoreIdentifier (Element / Type / Description): StoreType (String): The type of CertificateStore that contains the Certificate. Predefined values are "Windows" and "Directory". StorePath (String): The path ... vary and will depend on the application, development tool or operating system. A Certificate store may be shared by many applications on the same machine. Each Certificate store is identified
- OPC-10000-6 – OPC Unified Architecture - Part 6: Mappings, CertificateValidationOptions: The CertificateValidationOptions control the process used to validate a Certificate. Any Certificate can have validation options associated. If none are specified, the ValidationOptions for the store or list containing ... Certificate are used. The possible options are shown in Table E.6. Note that suppressing any validation step can create security risks, which are discussed in more detail
- OPC-10000-9 – OPC Unified Architecture - Part 9: Alarms & Conditions, 5.8.24.7 CertificateExpirationAlarmType: This SystemOffNormalAlarmType is raised by the Server when the Server's Certificate is within the ExpirationLimit of expiration. This Alarm automatically returns to normal when the certificate is updated ... HasProperty Variable ExpirationLimit Duration PropertyType Optional; HasProperty Variable CertificateType NodeId PropertyType Mandatory; HasProperty Variable Certificate ByteString PropertyType Mandatory; ConformanceUnits: A & C CertificateExpiration. ExpirationDate is the date and time this
-
OPC-10000-12 – OPC Unified Architecture - Part 12: Discovery and Global Services1 Scoperequirements for the LocalDiscoveryServer, LocalDiscoveryServer-ME and GlobalDiscoveryServer. It also defines information models for Certificate management , KeyCredential m anagement and AuthorizationServices
-
OPC-10000-12 – OPC Unified Architecture - Part 12: Discovery and Global Services3.1.3 CertificateRequestCertificateRequest a PKCS #10 encoded structure used to request a new Certificate from a Certificate Authority . Note 1 to entry: Devices have hardware-based mechanisms, such
-
OPC-10000-12 – OPC Unified Architecture - Part 12: Discovery and Global Services4.3.1 Overviewrogue GDS exists if the Client has not been configured to trust the GDS Certificate or if the Client does not use security when connecting to the GDS. Note that ... Client that uses security but automatically trusts a GDS Certificate is not protected from a rogue GDS even though the connection itself is secure. This problem is also mitigated
-
OPC-10000-12 – OPC Unified Architecture - Part 12: Discovery and Global ServicesThis risk is minimized if OPC UA security is enabled and all Applications use Certificate TrustLists to control access
-
OPC-10000-12 – OPC Unified Architecture - Part 12: Discovery and Global Servicesfully qualified domain names should specify the fully qualified domain name in its ApplicationInstance Certificate . Servers shall not append the 'local' top level domain to any domains declared in their ... Certificate ; an unqualified domain name is used if a more appropriate qualifier does not exist. Clients using a URL returned from an LDS-ME shall ignore the 'local' top level
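The two host-name rules quoted above (a Server never appends the 'local' top level domain to the names in its ApplicationInstance Certificate; a Client ignores that label only when the URL came from an LDS-ME) are easy to get wrong in either direction: stripping 'local' from hand-configured URLs widens what a certificate is accepted for, while not stripping it from mDNS-discovered URLs makes every LDS-ME endpoint fail validation. The following is an added example, not code from the OPC UA specification or any OPC UA stack. `cert_hostnames` stands for the DNS names and IP literals the Client has already extracted from the certificate (no X.509 parsing here), and the function names are this example's own.

```python
"""Client-side host-name check for EndpointUrls, with the LDS-ME 'local' rule.

Added example, not code from the OPC UA specification or any stack. Assumes
cert_hostnames is the list of DNS names / IP literals already taken from the
certificate; only URLs flagged as coming from an LDS-ME have the 'local'
top level domain ignored.
"""
from urllib.parse import urlsplit


def url_host(url: str):
    """Host part of an opc.tcp:// or https:// URL, lower-cased, without port or
    IPv6 brackets. urlsplit handles the 'opc.tcp' scheme like any other."""
    return urlsplit(url).hostname


def strip_local_tld(host: str) -> str:
    """Drop a trailing 'local' label (plc1.local -> plc1). A bare 'local' or a
    name without that label is returned unchanged."""
    labels = host.rstrip(".").split(".")
    if len(labels) > 1 and labels[-1] == "local":
        labels = labels[:-1]
    return ".".join(labels)


def host_matches(url: str, cert_hostnames: list, from_lds_me: bool = False) -> bool:
    """True if the URL host matches one of the certificate's names.

    DNS names compare case-insensitively; an IP literal must match an IP entry
    exactly. For an LDS-ME URL both the full host and the host with 'local'
    removed are tried, so a certificate for 'plc1' accepts 'plc1.local' only
    when discovery produced that URL.
    """
    host = url_host(url)
    if not host:
        return False
    names = {n.lower().rstrip(".") for n in cert_hostnames}
    candidates = {host}
    if from_lds_me:
        candidates.add(strip_local_tld(host))
    return any(c in names for c in candidates)
```

A URL typed into a configuration file is not an LDS-ME result, so leave `from_lds_me` at its default there; the relaxation applies to the discovery path only.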
-
OPC-10000-12 – OPC Unified Architecture - Part 12: Discovery and Global ServicesPrivilege grants an OPC UA Application the right to update its own registration. The Certificate used to create the SecureChannel is used to determine the identity ... Application. ApplicationAdmin This Privilege grants rights to update one or more registrations. The Certificate used to create the SecureChannel is used to determine the identity of the OPC UA Application
-
OPC-10000-12 – OPC Unified Architecture - Part 12: Discovery and Global Servicesglobal services A GlobalDiscoveryServer is a Server implementing different global services for discovery, Certificate management, user or PubSub key management, user authorization, software and device management. The number of applications
-
OPC-10000-12 – OPC Unified Architecture - Part 12: Discovery and Global ServicesPullManagement workflow. Continue with PullManagement inside a headless application. Continue with PushManagement . Set application Certificate on GDS For option (2) the current application Certificate must be configured for the application
-
OPC-10000-12 – OPC Unified Architecture - Part 12: Discovery and Global Services7.1 OverviewOverview Certificate management functions comprise the management and distribution of certificates and TrustLists for OPC UA Applications. An application that provides the certificate management functions is called CertificateManager ... CertificateManager will typically be combined in one application. The basic concepts regarding Certificate management are described in OPC 10000-2 . There are two primary models for Certificate management: PullManagement
-
OPC-10000-12 – OPC Unified Architecture - Part 12: Discovery and Global ServicesCertificateManager Name Description CertificateAuthorityAdmin This Role grants rights to request or revoke any Certificate , update any TrustList or assign CertificateGroups to OPC UA Applications . RegistrationAuthorityAdmin This Role grants rights ... approve Certificate Signing requests or NewKeyPair requests. SecurityAdmin This Role grants the right to change the security configuration of a CertificateManager . The well-known Roles for Server managed
-
OPC-10000-12 – OPC Unified Architecture - Part 12: Discovery and Global Services7.3 Pull Managementcredentials may be user credentials for a CertificateAuthorityAdmin or application credentials determined by the Certificate used to create the SecureChannel. Examples of the application credentials include Certificates previously issued ... ApplicationAdmin Privilege (see 6.2 ). The CertificateManager shall ensure that any application with a Certificate issued by the CertificateManager may connect securely to the CertificateManager using that Certificate
-
OPC-10000-12 – OPC Unified Architecture - Part 12: Discovery and Global Services7.4 Push Managementonto the registration authority managed by the CertificateManager . After the registration authority signs the Certificate, the new Certificate is pushed to the Server with the UpdateCertificate Method . There ... application and CertificateManager during PushManagement are illustrated in Figure 14 . Figure 14 - The Push Certificate Management Model The Administration Component may be part of the CertificateManager or a standalone utility
-
OPC-10000-12 – OPC Unified Architecture - Part 12: Discovery and Global ServicesServers that do not support OPC 10000-21 typically auto-generate a self-signed Certificate when they first start. They may also have a pre-configured TrustList with Applications that
-
OPC-10000-12 – OPC Unified Architecture - Part 12: Discovery and Global ServicesServer processing the request in the workflow. The application is authenticated with the Certificate signed by the CertificateManager (or the Certificate assigned during registration). The UserTokenType is always Anonymous using ... described in Figure 16 . The boxes with blue text indicate Method calls. Figure 15 - Certificate Pull Management Workflow Figure 16 - The Pull Management Options for Key Pair Creation The steps
-
OPC-10000-12 – OPC Unified Architecture - Part 12: Discovery and Global ServicesCertificates need to be updated. Possible trigger mechanisms include: A trigger set based on Certificate expiry time; Manual intervention by an Administrator; Periodic changes triggered by policy. The CertificateManager needs ... have a DiscoveryUrl for the Server and should already trust at least one existing Certificate . It also needs the NodeId of the ApplicationConfigurationType instance being updated or the ApplicationUri
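The CertificateExpirationAlarmType from Part 9 (active while the Server's Certificate is within ExpirationLimit of expiring, back to normal once the certificate is updated) and the expiry-time trigger listed above are the same comparison seen from the Server and from the CertificateManager. The following is an added example, not code from the OPC UA specification or any OPC UA stack. It assumes ExpirationLimit is an OPC UA Duration, i.e. a Double holding milliseconds; passing seconds there is the usual mistake and makes the alarm fire only in the last few minutes.

```python
"""CertificateExpirationAlarm state and the expiry-based renewal trigger.

Added example, not code from the OPC UA specification or any stack. Models
the Part 9 alarm (active while now + ExpirationLimit >= ExpirationDate,
returns to normal on certificate update) and the Part 12 trigger that starts
the Update Certificates workflow. Assumption: ExpirationLimit is a Duration
in milliseconds.
"""
from datetime import datetime, timedelta, timezone


class CertificateExpirationAlarm:
    def __init__(self, expiration_date: datetime, expiration_limit_ms: float):
        self.expiration_date = expiration_date              # NotAfter of the certificate
        self.limit = timedelta(milliseconds=expiration_limit_ms)
        self.active = False

    def evaluate(self, now: datetime) -> bool:
        """Recompute the alarm state; return True when the state changed.
        An already-expired certificate keeps the alarm active."""
        should_be_active = now + self.limit >= self.expiration_date
        changed = should_be_active != self.active
        self.active = should_be_active
        return changed

    def certificate_updated(self, new_expiration_date: datetime, now: datetime) -> bool:
        """Call after UpdateCertificate/ApplyChanges took effect; the alarm
        returns to normal automatically if the new certificate is outside
        the limit."""
        self.expiration_date = new_expiration_date
        return self.evaluate(now)

    def time_remaining(self, now: datetime) -> timedelta:
        return self.expiration_date - now


def renewal_candidates(certs: dict, now: datetime, lead_ms: float) -> list:
    """CertificateManager side: ApplicationUris whose certificate expires
    within lead_ms, earliest expiry first, so already-expired certificates
    are handled before those merely approaching the limit."""
    lead = timedelta(milliseconds=lead_ms)
    due = [(exp, uri) for uri, exp in certs.items() if now + lead >= exp]
    return [uri for exp, uri in sorted(due)]


if __name__ == "__main__":
    # Constructed timeline: 30-day certificate, 7-day ExpirationLimit.
    t0 = datetime(2025, 1, 1, tzinfo=timezone.utc)
    alarm = CertificateExpirationAlarm(t0 + timedelta(days=30), 7 * 24 * 3600 * 1000)
    for day in (0, 23, 40):
        if alarm.evaluate(t0 + timedelta(days=day)):
            print(f"day {day}: alarm active={alarm.active}")
    alarm.certificate_updated(t0 + timedelta(days=400), t0 + timedelta(days=40))
    print(f"after renewal: active={alarm.active}")
```

Use timezone-aware datetimes throughout; comparing a naive `now` against a certificate's UTC NotAfter raises in Python and silently shifts by the local offset in other languages.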
-
OPC-10000-12 – OPC Unified Architecture - Part 12: Discovery and Global ServicesUpdate Single Certificate Workflow The Update Single Certificate workflow is part of the Update Certificates workflow in 7.7.2 . It starts when the CertificateManager determines that an update to a Certificate ... Figure 19 . The boxes with blue text indicate Method calls. Figure 19 - PushManagement Update Certificate Workflow The steps of the workflow are described in Table 24 . Table 24 - PushManagement Update
-
OPC-10000-12 – OPC Unified Architecture - Part 12: Discovery and Global Services7.7.5 Create Endpoint Workflowhave a DiscoveryUrl for the Server and should already trust at least one existing Certificate . It also needs the NodeId of the ApplicationConfigurationType instance being updated or the ApplicationUri ... CertificateGroups missing Certificates will not be enabled. An Endpoint that has a valid Certificate but an empty TrustList will exist but no connections will be possible. The TOFU mode used
-
OPC-10000-12 – OPC Unified Architecture - Part 12: Discovery and Global Services7.8.2.5 CloseAndUpdateCertificates placed in the TrustList . For ApplicationCertificateType , the Server shall verify that every Certificate in the new TrustList is valid using the validation process defined ... TrustList shall be discarded . When the TrustList changes the Server shall re-evaluate the Certificate associated with any open Sessions and SecureChannels. Sessions or SecureChannels with an untrusted or revoked
-
OPC-10000-12 – OPC Unified Architecture - Part 12: Discovery and Global Services7.8.2.6 AddCertificateAddCertificate The AddCertificate Method allows a Client to add a single Certificate to the TrustList . The Purpose of the associated CertificateGroup determines the validation rules for the Certificate . For ApplicationCertificateType ... Server shall verify that the Certificate is valid using the validation process defined in OPC 10000-4 . All suppressible errors shall be ignored; however, they may be logged as warnings
-
OPC-10000-12 – OPC Unified Architecture - Part 12: Discovery and Global Services7.8.2.7 RemoveCertificateRemoveCertificate The RemoveCertificate Method allows a Client to remove a single Certificate from the TrustList . It returns Bad_InvalidArgument if the Thumbprint does not match a Certificate in the TrustList ... Certificate is a CA Certificate that has CRLs then all CRLs for that CA are removed as well. This Method returns Bad_CertificateChainIncomplete if the Certificate is a CA Certificate
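The three TrustList rules above fit together as one data structure: AddCertificate only stores a certificate that survived validation, RemoveCertificate locates it by SHA-1 thumbprint and takes a CA's CRLs with it, and any change forces re-evaluation of open Sessions and SecureChannels. The same "is this certificate in my TrustList" decision is what a Client must apply to a GDS Certificate rather than auto-trusting it (4.3.1 above). The following is an added example, not code from the OPC UA specification or any OPC UA stack. Certificates are constructed records, not parsed X.509; the CRL is modelled as a set of revoked serial numbers per issuer; the trust rule is this example's simplified reading, not the full OPC 10000-4 process; and the condition under which RemoveCertificate returns Bad_CertificateChainIncomplete is cut off in the page text and is not modelled.

```python
"""In-memory model of an OPC UA TrustList with AddCertificate and
RemoveCertificate semantics and session re-evaluation on change.

Added example, not code from the OPC UA specification or any stack.
Certificates are constructed records (no ASN.1 parsing); CRLs are sets of
revoked serials keyed by the issuing CA's thumbprint. The trust decision
is a simplified reading of the Part 4 process, not a replacement for it.
"""
import hashlib
from dataclasses import dataclass, field
from typing import Callable, Optional


def thumbprint(der: bytes) -> str:
    """TrustList Methods identify a certificate by the SHA-1 of its DER bytes."""
    return hashlib.sha1(der).hexdigest().upper()


@dataclass(frozen=True)
class CertRecord:
    der: bytes                    # constructed stand-in for the DER encoding
    serial: int
    is_ca: bool = False
    issuer: Optional[str] = None  # thumbprint of the issuing CA; None if self-signed


@dataclass
class TrustList:
    certificates: dict = field(default_factory=dict)  # thumbprint -> CertRecord
    crls: dict = field(default_factory=dict)          # CA thumbprint -> set of revoked serials

    def add_certificate(self, rec: CertRecord, validate: Callable[[CertRecord], list]) -> str:
        """AddCertificate: `validate` is the caller's validation step (Part 4
        process with suppressible errors already waived); any error it still
        reports rejects the certificate."""
        if validate(rec):
            return "Bad_CertificateInvalid"
        self.certificates[thumbprint(rec.der)] = rec
        return "Good"

    def set_crl(self, ca_thumbprint: str, revoked_serials: set) -> None:
        self.crls[ca_thumbprint] = set(revoked_serials)

    def remove_certificate(self, tp: str) -> str:
        """RemoveCertificate: unknown thumbprint -> Bad_InvalidArgument;
        removing a CA also drops all CRLs for that CA."""
        rec = self.certificates.pop(tp, None)
        if rec is None:
            return "Bad_InvalidArgument"
        if rec.is_ca:
            self.crls.pop(tp, None)
        return "Good"

    def is_trusted(self, rec: CertRecord) -> bool:
        """A revoked certificate is never trusted, even if listed directly.
        Otherwise: trusted if listed directly, or if its issuer is a CA in the
        list whose CRL is present. A missing CRL means revocation status is
        unknown, treated here as untrusted (the conservative default)."""
        revoked = self.crls.get(rec.issuer) if rec.issuer else None
        if revoked is not None and rec.serial in revoked:
            return False
        if thumbprint(rec.der) in self.certificates:
            return True
        ca = self.certificates.get(rec.issuer) if rec.issuer else None
        if ca is None or not ca.is_ca:
            return False
        return revoked is not None

    def sessions_to_close(self, sessions: dict) -> list:
        """After any TrustList change: session id -> peer certificate, returns
        the sessions whose certificate is no longer trusted so the Server can
        close them."""
        return [sid for sid, rec in sessions.items() if not self.is_trusted(rec)]
```

Whether a missing CRL is fatal is exactly what the SuppressRevocationStatusUnknown option decides in a real stack; this model hard-codes the strict choice so the effect of a CRL being absent is visible in the session re-evaluation.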
-
OPC-10000-12 – OPC Unified Architecture - Part 12: Discovery and Global Services7.8.2.10 TrustListValidationOptionsDescription SuppressCertificateExpired 0 Ignore errors related to the validity time of the Certificate. SuppressHostNameInvalid 1 Ignore mismatches of the host name or ApplicationUri . SuppressRevocationStatusUnknown 2 Ignore errors if the revocation ... list cannot be found for the issuer of the Certificate . SuppressIssuerCertificateExpired 3 Ignore errors if an issuer has an expired Certificate . SuppressIssuerRevocationStatusUnknown 4 Ignore errors if the revocation list cannot
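The option bits above, the Part 6 rule that a Certificate without its own options inherits those of the store or list holding it, and the AddCertificate rule that suppressed errors are ignored but may be logged as warnings, are the whole of the validation policy an operator can tune. The following is an added example, not code from the OPC UA specification or any OPC UA stack. It assumes the Value column of the table is a bit index (bit 0 = SuppressCertificateExpired, bit 4 = SuppressIssuerRevocationStatusUnknown); the validation-error names in `SUPPRESSIBLE` are this example's own, not identifiers from OPC 10000-4.

```python
"""Evaluate certificate validation findings against a TrustListValidationOptions mask.

Added example, not code from the OPC UA specification or any stack.
Assumptions: the table's Value column is a bit index; the finding names
below are invented for this example.
"""
import logging
from enum import IntFlag

log = logging.getLogger("opcua.trustlist")


class TrustListValidationOptions(IntFlag):
    SuppressCertificateExpired = 1 << 0
    SuppressHostNameInvalid = 1 << 1
    SuppressRevocationStatusUnknown = 1 << 2
    SuppressIssuerCertificateExpired = 1 << 3
    SuppressIssuerRevocationStatusUnknown = 1 << 4


# Which validation error each bit waives. Anything not listed here (bad
# signature, certificate actually on a CRL, untrusted issuer) is never
# suppressible: no mask value turns those into warnings.
SUPPRESSIBLE = {
    "CertificateExpired": TrustListValidationOptions.SuppressCertificateExpired,
    "HostNameInvalid": TrustListValidationOptions.SuppressHostNameInvalid,
    "RevocationStatusUnknown": TrustListValidationOptions.SuppressRevocationStatusUnknown,
    "IssuerCertificateExpired": TrustListValidationOptions.SuppressIssuerCertificateExpired,
    "IssuerRevocationStatusUnknown": TrustListValidationOptions.SuppressIssuerRevocationStatusUnknown,
}


def decode(value: int) -> list:
    """Names of the bits set in a raw UInt32 option value, in bit order."""
    return [m.name for m in TrustListValidationOptions if value & m.value]


def effective_options(per_certificate, store_default):
    """Part 6 rule: a Certificate with no options of its own uses those of the
    store or list that contains it. 0 is a real value (suppress nothing)."""
    return store_default if per_certificate is None else per_certificate


def evaluate(findings: list, options: int):
    """Split validation findings into fatal and suppressed.

    Returns (accepted, fatal, suppressed). Suppressed errors are logged as
    warnings so an expired or unrevocable certificate that a suppression bit
    is hiding still shows up in the Server's log.
    """
    fatal, suppressed = [], []
    for finding in findings:
        bit = SUPPRESSIBLE.get(finding)
        if bit is not None and options & bit.value:
            suppressed.append(finding)
            log.warning("validation error %s suppressed by %s", finding, bit.name)
        else:
            fatal.append(finding)
    return (not fatal, fatal, suppressed)


def review(options: int) -> list:
    """Plain-language consequence of each set bit, for a configuration review."""
    consequences = {
        "SuppressCertificateExpired": "expired peer certificates are accepted",
        "SuppressHostNameInvalid": "a certificate issued for another host or ApplicationUri is accepted",
        "SuppressRevocationStatusUnknown": "a certificate whose issuer CRL is missing is accepted unchecked",
        "SuppressIssuerCertificateExpired": "chains through an expired CA are accepted",
        "SuppressIssuerRevocationStatusUnknown": "revocation of an intermediate CA can go unnoticed",
    }
    return [consequences[name] for name in decode(options)]
```

`review` is the piece to run against a production TrustList: a mask of 31 means every suppressible check is off, which leaves only signature and explicit-CRL checks standing.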
-
OPC-10000-12 – OPC Unified Architecture - Part 12: Discovery and Global Services7.8.3.1 CertificateGroupTypeTrustListOutOfDateAlarmType 0:HasComponent Method 0:GetRejectedList Defined in 7.8.3.2 . Optional Conformance Units GDS Certificate Manager Pull Model Push Model for Global Certificate and TrustList Management The TrustList Object ... CertificateType . See 7.8.3.4 for more details. The CertificateExpired Alarm which is raised when a Certificate associated with the CertificateGroup is about to expire. If multiple Certificates are about to expire
-
OPC-10000-12 – OPC Unified Architecture - Part 12: Discovery and Global Services7.8.3.2 GetRejectedListrules are defined for how the Server updates this list or how long a Certificate is kept in the list. It is recommended that every valid but untrusted Certificate
-
OPC-10000-12 – OPC Unified Architecture - Part 12: Discovery and Global Services7.8.3.3 CertificateGroupFolderTypeOrganizes Object 0:<AdditionalGroup> 0:CertificateGroupType Optional Placeholder Conformance Units GDS Certificate Manager Pull Model Push Model for Global Certificate and TrustList Management The DefaultApplicationGroup Object represents ... access the default HTTPS TrustList and to define the CertificateTypes allowed for the HTTPS Certificate . This Object shall specify the HttpsCertificateType NodeId (see 7.8.4.3 ) as a single entry
-
OPC-10000-12 – OPC Unified Architecture - Part 12: Discovery and Global Services7.8.3.4 CertificateGroupDataTypeCertificateGroups folder to discover the NodeId assigned by the Server that is needed for Certificate management Methods . Each element in the CertificateTypes list shall be unique and not abstract ... added. If existing CertificateTypes are not in the list they are deleted if no Certificate is assigned. The update is rejected if a Certificate is assigned to a deleted CertificateType
-
OPC-10000-12 – OPC Unified Architecture - Part 12: Discovery and Global Services7.8.4.1 CertificateTypetype is an abstract base type for types that describe the purpose of a Certificate . This type is defined in Table 46 . Table 46 - CertificateType Definition Attribute Value BrowseName ... Defined in 7.8.4.2 . 0:HasSubtype ObjectType 0:HttpsCertificateType Defined in 7.8.4.3 . Conformance Units GDS Certificate Manager Pull Model Push Model for Global Certificate and TrustList Management
-
OPC-10000-12 – OPC Unified Architecture - Part 12: Discovery and Global Services7.8.4.6 TlsServerCertificateTypeTlsServerCertificateType This type is used to describe a Certificate that is a TLS server Certificate . This type is defined in Table 51 . Table 51 - TlsServerCertificateType Definition Attribute Value BrowseName ... TypeDefinition Modelling Rule Subtype of the 0: TlsCertificateType defined in 7.8.4.5 . Conformance Units GDS Certificate Manager Pull Model Push Model for Global Certificate and TrustList Management
-
OPC-10000-12 – OPC Unified Architecture - Part 12: Discovery and Global Services7.8.4.7 TlsClientCertificateTypeTlsClientCertificateType This type is used to describe a Certificate that is a TLS client Certificate . This type is defined in Table 52 . Table 52 - TlsClientCertificateType Definition Attribute Value BrowseName ... TypeDefinition Modelling Rule Subtype of the 0: TlsCertificateType defined in 7.8.4.5 . Conformance Units GDS Certificate Manager Pull Model Push Model for Global Certificate and TrustList Management
-
OPC-10000-12 – OPC Unified Architecture - Part 12: Discovery and Global Services7.8.4.8 RsaMinApplicationCertificateTypewhich support the Basic128Rsa15 and Basic256 profiles (see OPC 10000-7 ) shall have a Certificate of this type. This type is defined in Table 53 . Table 53 - RsaMinApplicationCertificateType Definition Attribute ... TypeDefinition Modelling Rule Subtype of the 0: ApplicationCertificateType defined in 7.8.4.2 Conformance Units GDS Certificate Manager Pull Model Push Model for Global Certificate and TrustList Management
-
OPC-10000-12 – OPC Unified Architecture - Part 12: Discovery and Global ServicesApplications which support the Basic256Sha256 profile (see OPC 10000-7 ) shall have a Certificate of this type. This type is defined in Table 54 . Table 54 - RsaSha256ApplicationCertificateType Definition Attribute Value ... TypeDefinition Modelling Rule Subtype of the 0: ApplicationCertificateType defined in 7.8.4.2 Conformance Units GDS Certificate Manager Pull Model Push Model for Global Certificate and TrustList Management
-
OPC-10000-12 – OPC Unified Architecture - Part 12: Discovery and Global Services7.8.4.10 EccApplicationCertificateTypeApplications which support the ECC profiles (see OPC 10000-7 ) shall have a Certificate of this type. This type is defined in Table 55 . Table 55 - EccApplicationCertificateType Definition Attribute Value ... TypeDefinition Modelling Rule Subtype of the 0: ApplicationCertificateType defined in 7.8.4.2 . Conformance Units GDS Certificate Manager Pull Model Push Model for Global Certificate and TrustList Management
-
OPC-10000-12 – OPC Unified Architecture - Part 12: Discovery and Global Servicessupport the ECC NIST P256 curve profiles (see OPC 10000-7 ) shall have a Certificate of this type or a Certificate of the EccNistP384ApplicationCertificateType defined in 7.8.4.12 . This type ... TypeDefinition Modelling Rule Subtype of the 0: EccApplicationCertificateType defined in 7.8.4.10 . Conformance Units GDS Certificate Manager Pull Model Push Model for Global Certificate and TrustList Management
-
OPC-10000-12 – OPC Unified Architecture - Part 12: Discovery and Global Servicessupport the ECC NIST P384 curve profiles (see OPC 10000-7 ) shall have a Certificate of this type. This type is defined in Table 57 . Table 57 - EccNistP384ApplicationCertificateType Definition Attribute ... TypeDefinition Modelling Rule Subtype of the 0: EccApplicationCertificateType defined in 7.8.4.10 . Conformance Units GDS Certificate Manager Pull Model Push Model for Global Certificate and TrustList Management
-
OPC-10000-12 – OPC Unified Architecture - Part 12: Discovery and Global Serviceswhich support the ECC brainpoolP256r1 curve profiles (see OPC 10000-7 ) shall have a Certificate of this type or a Certificate of the EccBrainpoolP384r1ApplicationCertificateType defined in 7.8.4.14 . This type ... TypeDefinition Modelling Rule Subtype of the 0: EccApplicationCertificateType defined in 7.8.4.10 . Conformance Units GDS Certificate Manager Pull Model Push Model for Global Certificate and TrustList Management
-
OPC-10000-12 – OPC Unified Architecture - Part 12: Discovery and Global Serviceswhich support the ECC brainpoolP384r1 curve profiles (see OPC 10000-7 ) shall have a Certificate of this type. This type is defined in Table 59 . Table 59 - EccBrainpoolP384r1ApplicationCertificateType Definition Attribute ... TypeDefinition Modelling Rule Subtype of the 0: EccApplicationCertificateType defined in 7.8.4.10 . Conformance Units GDS Certificate Manager Pull Model Push Model for Global Certificate and TrustList Management
-
OPC-10000-12 – OPC Unified Architecture - Part 12: Discovery and Global Serviceswhich support the ECC curve25519 curve profiles (see OPC 10000-7 ) shall have a Certificate of this type. This type is defined in Table 60 . Table 60 - EccCurve25519ApplicationCertificateType Definition Attribute ... TypeDefinition Modelling Rule Subtype of the 0: EccApplicationCertificateType defined in 7.8.4.10 . Conformance Units GDS Certificate Manager Pull Model Push Model for Global Certificate and TrustList Management
-
OPC-10000-12 – OPC Unified Architecture - Part 12: Discovery and Global Serviceswhich support the ECC curve448 curve profiles (see OPC 10000-7 ) shall have a Certificate of this type. This type is defined in Table 61 . Table 61 - EccCurve448ApplicationCertificateType Definition Attribute ... TypeDefinition Modelling Rule Subtype of the 0: EccApplicationCertificateType defined in 7.8.4.10 . Conformance Units GDS Certificate Manager Pull Model Push Model for Global Certificate and TrustList Management
-
OPC-10000-12 – OPC Unified Architecture - Part 12: Discovery and Global Services7.9.1 OverviewOverview The GlobalDiscoveryServer AddressSpace used for Certificate management is shown in Figure 22 . Most of the interactions between the GlobalDiscoveryServer and application administrator or the Client will be via Methods ... defined on the Directory folder. Figure 22 - The Certificate Management AddressSpace for the GlobalDiscoveryServer
-
OPC-10000-12 – OPC Unified Architecture - Part 12: Discovery and Global Services7.9.2 CertificateDirectoryTypeTypeDefinition for the root of the CertificateManager AddressSpace . It provides additional Methods for Certificate management which are shown in Table 74 . Table 74 - CertificateDirectoryType ObjectType Definition Attribute Value BrowseName ... Mandatory 0:HasComponent Method 2:CheckRevocationStatus Defined in 7.9.11 . Optional Conformance Units GDS Certificate Manager Pull Model The CertificateGroups Object organizes the CertificateGroups supported by the CertificateManager . It is described
-
OPC-10000-12 – OPC Unified Architecture - Part 12: Discovery and Global Services7.9.3 StartSigningRequestStartSigningRequest The StartSigningRequest Method is used to initiate a request to create a Certificate which uses the private key which the caller currently has. The new Certificate is returned ... CertificateManager shall choose the DefaultApplicationGroup . CertificateTypeId The NodeId of the CertificateType for the new Certificate . If null the CertificateManager shall generate a Certificate based on the value of the CertificateGroupId
-
OPC-10000-12 – OPC Unified Architecture - Part 12: Discovery and Global Services7.9.4 StartNewKeyPairRequestStartNewKeyPairRequest The StartNewKeyPairRequest Method is used to start a request for a new Certificate and Private Key . The Certificate and Private Key are returned in the FinishRequest response. Signature StartNewKeyPairRequest ... CertificateManager shall choose the DefaultApplicationGroup . CertificateTypeId The NodeId of the CertificateType for the new Certificate . If null the CertificateManager shall generate a Certificate based on the value of the CertificateGroupId
-
OPC-10000-12 – OPC Unified Architecture - Part 12: Discovery and Global Services7.9.5 FinishRequestFinishRequest The FinishRequest Method is used to finish a certificate request started with a call to StartNewKeyPairRequest or StartSigningRequest . Signature FinishRequest ( [in] NodeId ApplicationId [in] NodeId RequestId [out] ByteString Certificate ... application by the GDS. RequestId The NodeId returned by StartNewKeyPairRequest or StartSigningRequest . Certificate The DER encoded Certificate . PrivateKey The private key encoded in the format requested. If a password
-
OPC-10000-12 – OPC Unified Architecture - Part 12: Discovery and Global Services7.9.6 RevokeCertificateRevokeCertificate The RevokeCertificate Method is used to revoke a Certificate issued by the CertificateManager . When a Certificate is revoked it shall be removed from any TrustLists that ... TrustLists with the issuer Certificate shall be updated with the new CRL. Certificates assigned to an application are automatically revoked when the UnregisterApplication Method is called (see 6.5.8 ). This Method
-
OPC-10000-12 – OPC Unified Architecture - Part 12: Discovery and Global Services7.9.8 GetCertificatesCertificateGroups assigned to the application. CertificateTypeIds The CertificateTypes that currently have a Certificate assigned. The length of this list is the same as the length of the Certificates list. Certificates ... Mandatory 0:HasProperty Variable 0:OutputArguments 0:Argument[] 0:PropertyType Mandatory Conformance Units GDS Certificate Manager GetCertificates
-
OPC-10000-12 – OPC Unified Architecture - Part 12: Discovery and Global Services7.9.10 GetCertificateStatusGetCertificateStatus Method is used to check if an application has to update its Certificate . If this Method is called for a CertificateGroup which the application does not belong to then ... CertificateManager shall choose the DefaultApplicationGroup . CertificateTypeId The NodeId of the CertificateType for the Certificate . If null the CertificateManager shall select a Certificate based on the value of the CertificateGroupId argument
-
OPC-10000-12 – OPC Unified Architecture - Part 12: Discovery and Global Services7.9.11 CheckRevocationStatusCheckRevocationStatus CheckRevocationStatus Method is used to check the revocation status of a Certificate. Clients or Servers may use this Method if the issuer Certificate has a crlDistributionPoint extension, an authorityInformationAccess ... extension (see RFC 6960) or the TrustList is configured to require online Certificate revocation checks (see 7.8.2.1 ). The CertificateManager will typically use a protocol such as OCSP
-
OPC-10000-12 – OPC Unified Architecture - Part 12: Discovery and Global ServicesCertificateRequestedAuditEventType This event is raised when a new certificate request has been accepted or rejected by the CertificateManager . This can be the result of a StartNewKeyPairRequest or StartSigningRequest Method calls ... Mandatory 0:HasProperty Variable 2:CertificateType 0:NodeId 0:PropertyType Mandatory Conformance Units GDS Certificate Manager Pull Model This EventType inherits all Properties of the AuditUpdateMethodEventType . Their semantic is defined
-
OPC-10000-12 – OPC Unified Architecture - Part 12: Discovery and Global ServicesCertificateDeliveredAuditEventType This event is raised when a certificate is delivered by the CertificateManager to a Client . This is the result of a FinishRequest Method completing successfully. Its representation ... Mandatory 0:HasProperty Variable 2:CertificateType 0:NodeId 0:PropertyType Mandatory Conformance Units GDS Certificate Manager Pull Model This EventType inherits all Properties of the AuditUpdateMethodEventType . Their semantic is defined
-
OPC-10000-12 – OPC Unified Architecture - Part 12: Discovery and Global Services7.10.3 ServerConfigurationTypeHasComponent Object 0:ConfigurationFile 0:ApplicationConfigurationFileType Optional Conformance Units Push Model for Global Certificate and TrustList Management The ApplicationUri Property specifies the ApplicationUri assigned to the application. The ProductUri Property ... application setup state described in G.2 . The UpdateCertificate Method is used to update a Certificate . The CreateSelfSignedCertificate Method creates a new self-signed Certificate assigned to a CertificateType
-
OPC-10000-12 – OPC Unified Architecture - Part 12: Discovery and Global Services7.10.5 UpdateCertificateUpdateCertificate UpdateCertificate is used to update a Certificate . There are the following two use cases for this Method : The PrivateKey is already known to the Server (i.e. it was created ... with this Method . The Purpose of the associated CertificateGroup determines the validation rules for Certificate being updated. For ApplicationCertificateType , the Server shall verify the Certificate using the validation process defined
-
OPC-10000-12 – OPC Unified Architecture - Part 12: Discovery and Global Services7.10.6 CreateSelfSignedCertificateCreateSelfSignedCertificate CreateSelfSignedCertificate Method creates a new self-signed Certificate and associates it with a CertificateGroup . This Method allows an administration Client to create a Certificate used by the Server ... Purpose of the CertificateGroup specifies what the Certificate is used for. For example, a CertificateGroup that contains ApplicationInstance Certificates would only contain Certificates that are valid ApplicationInstance Certificates as defined
-
OPC-10000-12 – OPC Unified Architecture - Part 12: Discovery and Global Services7.10.7 DeleteCertificateDeleteCertificate The DeleteCertificate Method deletes a Certificate that is associated with a CertificateGroup . If no Certificate is assigned to the CertificateType slot then a Bad_InvalidState error is returned. If a transaction ... Server is responsible for managing the lifetime of the PrivateKeys associated with the Certificate . When the Certificate is deleted, the Server should delete the associated PrivateKey if no longer needed
-
OPC-10000-12 – OPC Unified Architecture - Part 12: Discovery and Global Services7.10.8 GetCertificatesDescription CertificateGroupId The identifier for the CertificateGroup . CertificateTypeIds The CertificateTypes that currently have a Certificate assigned. The length of this list is the same as the length of the Certificates list ... Certificates A list of DER encoded Certificates assigned to CertificateGroup . The CertificateType for the Certificate is specified by the corresponding element in the CertificateTypeIds parameter. Method Result Codes (defined
-
OPC-10000-12 – OPC Unified Architecture - Part 12: Discovery and Global Services7.10.9 ApplyChangesApplyChanges The ApplyChanges Method is used to apply pending Certificate and TrustList updates and to complete a transaction as described in 7.10.2 . ApplyChanges returns Bad_InvalidState if any TrustList ... pending the result is Good and the transaction is closed. When a Server Certificate or TrustList changes active SecureChannels are not immediately affected. This ensures the caller of ApplyChanges
-
OPC-10000-12 – OPC Unified Architecture - Part 12: Discovery and Global Services7.10.10 CreateSigningRequestCreateSigningRequest The CreateSigningRequest Method asks the Server to create a PKCS #10 DER encoded Certificate Request that is signed with the Server's private key. The Certificate Request can then be ... used to request a Certificate from a CA. Servers shall support at least one active and one new key pair for each combination of CertificateGroupId and CertificateTypeId . If this Method
-
OPC-10000-12 – OPC Unified Architecture - Part 12: Discovery and Global Services7.10.12 GetRejectedListrules are defined for how the Server updates this list or how long a Certificate is kept in the list. It is recommended that every valid but untrusted Certificate
-
OPC-10000-12 – OPC Unified Architecture - Part 12: Discovery and Global Services7.10.19 ApplicationConfigurationDataTypeServerEndpoint (see 7.10.23 ) shall have a CertificateType slot compatible with the Server Certificate used for the current Session . If no such slot exists the configuration update is rejected. The TrustList ... associated with that CertificateGroup shall trust the Client Certificate used for the current Session. Updates to the configuration are applied in the following order: ApplicationIdentity CertificateGroups UserTokenSettings SecuritySettings ServerEndpoints ClientEndpoints
-
OPC-10000-12 – OPC Unified Architecture - Part 12: Discovery and Global Services7.10.21 ApplicationIdentityDataTypeapplication because the ApplicationUri does not match the ApplicationUri in the Certificate . Applications shall continue to use the invalid Certificates which allows the configuration Client , which is aware
-
OPC-10000-12 – OPC Unified Architecture - Part 12: Discovery and Global Services7.10.24 SecuritySettingsDataTypewith the CertificateGroup are ignored. If a SecurityPolicyUri is valid for more than one Certificate in the CertificateGroup, then an EndpointDescription is generated for each Certificate. EndpointDescriptions generated with
-
OPC-10000-12 – OPC Unified Architecture - Part 12: Discovery and Global Services7.10.25 UserTokenSettingsDataTypeverify credentials by either verifying that an X509IdentityToken is trusted or by using a Certificate in the TrustList to verify the Signature on an IssuedIdentityToken . The CertificateGroup is not specified
-
OPC-10000-12 – OPC Unified Architecture - Part 12: Discovery and Global Services7.10.27 CertificateUpdatedAuditEventTypeCertificateUpdatedAuditEventType This event is raised when a Certificate is actually changed as a result of a Method call. This is the result of a successful call to UpdateCertificate or ApplyChanges ... fails. If ApplyChanges affects multiple Certificates then this Event is raised for each changed Certificate . Its representation in the AddressSpace is formally defined in Table 119 . Table 119 - CertificateUpdatedAuditEventType Definition
-
OPC-10000-12 – OPC Unified Architecture - Part 12: Discovery and Global Services8.1 Overviewdirectly passed to AuthorizationServices and/or Brokers and are not Certificates with private keys. Certificate distribution is managed by the Certificate management model described in 7 . For example, AuthorizationService s that
-
OPC-10000-12 – OPC Unified Architecture - Part 12: Discovery and Global ServicesPrivilege grants an OPC UA Application the right to request its own KeyCredentials . The Certificate used to create the SecureChannel is used to determine the identity ... Privilege grants rights to request KeyCredentials for one or more OPC UA Applications. The Certificate used to create the SecureChannel is used to determine the identity
-
OPC-10000-12 – OPC Unified Architecture - Part 12: Discovery and Global Services8.4 Push ManagementKeyCredentials . For this reason, the Administration Component uses the GetEndpoints Service to read the Certificate from the Server before initiating the credential request on behalf of the Server . Security, when
-
OPC-10000-12 – OPC Unified Architecture - Part 12: Discovery and Global Services8.5.5 StartRequestKeyCredential . The KeyCredential secret may be encrypted with the public key of the Certificate supplied in the request. The SecurityPolicyUri specifies the security profile used for the encryption. This Method ... same as the application used to create the Secure Channel then a Certificate should be provided. PublicKey A Public Key used to encrypt the returned KeyCredential secret. For RSA SecurityPolicies
-
OPC-10000-12 – OPC Unified Architecture - Part 12: Discovery and Global Services8.5.6 FinishRequestFinishRequest FinishRequest is used to retrieve a KeyCredential . If a Certificate was provided in the request, then the KeyCredential secret is encrypted using an asymmetric encryption algorithm specified ... EncryptedSecret DataTypes defined in OPC 10000-4 . If the SecurityPolicyUri requires an RSA Certificate then the RsaEncryptedSecret DataType is used. If the SecurityPolicyUri requires an ECC Certificate then the EccEncryptedSecret
-
OPC-10000-12 – OPC Unified Architecture - Part 12: Discovery and Global Services8.6.7 UpdateCredentialCredentialSecret. CredentialSecret The secret associated with the KeyCredential . CertificateThumbprint The SHA1 hash of the Certificate used to encrypt the secret. For RSA SecurityPolicies this shall be one of the ApplicationInstance ... Code Description Bad_InvalidArgument The CredentialId or CredentialSecret is not valid. Bad_CertificateInvalid The Certificate is invalid or it is not one of the Server's Certificates . Bad_SecurityPolicyRejected
-
OPC-10000-12 – OPC Unified Architecture - Part 12: Discovery and Global ServicesRequestor This Privilege grants an OPC UA Application the right to request AccessTokens . The Certificate used to create the SecureChannel is used to determine the identity
-
OPC-10000-12 – OPC Unified Architecture - Part 12: Discovery and Global Services9.3 ImplicitImplicit The implicit authorization use case describes how the Client's ApplicationInstance Certificate and any UserIdentityToken associated with the Session is used to determine whether an AccessToken is permitted ... Target Server is configured out-of-band with the Certificate used to validate the AccessTokens issued by the Authorization Server
-
OPC-10000-12 – OPC Unified Architecture - Part 12: Discovery and Global Services9.6.4 AuthorizationServiceTypeinstance of AuthorizationServiceType with instances of AuthorizationServiceConfigurationType (see 9.7.4 ). The ServiceCertificate Property contains the Certificate required to check any Signature that is included with the AccessTokens. The ServiceCertificate
-
OPC-10000-12 – OPC Unified Architecture - Part 12: Discovery and Global Services
9.6.6 StartRequestToken
SecurityPolicy: None | Not Used | Not Used | UserName or IssuedToken
SecurityPolicy: RSA | Not Used | A Certificate containing the PublicKey used to build the RsaEncryptedSecret defined in OPC 10000-4. | UserName ...
... Used | An EphemeralKey used to build the EccEncryptedSecret defined in OPC 10000-4. | Certificate
A cryptographically random value generated by the requestor. A cryptographically random value generated by the service
-
OPC-10000-12 – OPC Unified Architecture - Part 12: Discovery and Global Services
9.6.7 FinishRequestToken
authorize the AccessToken request. UserTokenSignature: The Signature used to prove possession of a Certificate provided with an X509IdentityToken AccessToken. Otherwise, the parameter is null. AccessToken: The AccessToken granted
-
OPC-10000-12 – OPC Unified Architecture - Part 12: Discovery and Global Services
AuthorizationServices folder to discover the NodeId assigned by the Server that is needed for Certificate Management Methods.
Table 159 - AuthorizationServiceConfigurationDataType Structure
Name (Type): Description
AuthorizationServiceConfigurationDataType (Structure)
ServiceUri (0:UriString): ...
ServiceCertificates (0:ServiceCertificateDataType[]): A list of Certificates used by the AuthorizationService to verify AccessTokens.
Certificate (0:ByteString): The Certificate needed to verify AccessTokens issued by the AuthorizationService.
Issuers (0:ByteString)
-
OPC-10000-12 – OPC Unified Architecture - Part 12: Discovery and Global Services
same HostName. A Server with multiple HostNames shall also return an ApplicationInstance Certificate that specifies the HostName used in the URL it returns. An Administrator may create a single Certificate ... used to access the Server is different from the HostNames in the Certificate. This is discussed in more detail in OPC 10000-4. Administrators can set up a DiscoveryServer that
-
OPC-10000-12 – OPC Unified Architecture - Part 12: Discovery and Global Services
Certificate Store Directory Layout
A recommended directory layout for Applications that store their Certificates on a file system is shown in Table F.1. The Local Discovery Server shall use this structure ... structure is based on the rules defined in OPC 10000-6.
Table F.1 - ApplicationInstance Certificate Store Directory Layout
Path: Description
<root>: A descriptive name for the TrustList
-
OPC-10000-12 – OPC Unified Architecture - Part 12: Discovery and Global Services
credentials if there is a process for manual review by a CertificateManager administrator. The Certificate is not issued until the CertificateRequest is approved. Once an application has received its first ... Certificate then the Certificate can be used in lieu of user credentials when the application has to renew its Certificate or update its TrustList
-
OPC-10000-12 – OPC Unified Architecture - Part 12: Discovery and Global Services
Applications that support PushManagement (see 7.4) to initialize their configuration shall have a default Certificate assigned before the PushManagement process can start. In addition, applications shall go into an application ... Client ApplicationUri to SecurityAdmin Role, remove Anonymous from SecurityAdmin Role; Provide a new Certificate and TrustList; Set the configuration flag to OFF. Subsequent updates to TrustLists or Certificates
-
OPC-10000-12 – OPC Unified Architecture - Part 12: Discovery and Global Services
Certificates
EST: Compare the URL for the EST server with the HTTPS certificate returned in the TLS handshake.
OPC UA: Compare the URL for the CertificateManager with ... Certificate returned in GetEndpoints.
EST: Preconfigure the client to trust the EST Server's HTTPS certificate.
OPC UA: Preconfigure the client by adding the CertificateManager Certificate to the client TrustList.
Manual approval
-
OPC-10000-12 – OPC Unified Architecture - Part 12: Discovery and Global Services
operation to proceed. In OPC UA, a Method is used to request a Certificate. The CertificateManager also authenticates and authorizes the client before allowing the operation to proceed. Table ... Client is allowed to request Certificates
EST: TLS with a client certificate which was previously issued by the EST server.
OPC UA: The CertificateManager client has a certificate previously
-
OPC-10000-14 – OPC Unified Architecture - Part 14: PubSub
7.3.2.4.1 General
same procedure for validation of the certificates (see Part 4 "Determining if a Certificate is Trusted" for more information on this). That is, the DefaultApplicationGroup Object is used ... Certificate and TrustList for DTLS communication. A separate certificate group may optionally be used for the DTLS transport. See Part 7 for information on what certificate types may be used
-
OPC-10000-18 – OPC Unified Architecture - Part 18: Role-Based Security
4.4.1 RoleType definition
UserIdentityToken complies with Identities. The Applications Property is not configured or the Client Certificate complies with the Applications settings. The Endpoints Property is not configured or the Endpoint used complies ... from this Role. Each element in the array is an ApplicationUri from a Client Certificate which is trusted by the Server. If Applications has entries in the array, the Role
-
OPC-10000-18 – OPC Unified Architecture - Part 18: Role-Based Security
4.4.3 IdentityMappingRuleType
criteriaType is Thumbprint, the criteria is a thumbprint of a user Certificate. For this criteria, the thumbprint shall be encoded as a hexadecimal string with upper case characters and without ... empty string. The criteriaType applies for any Client application with a trusted ApplicationInstance Certificate. The Client Certificate shall be trusted by the Server and the Session shall use at least
-
OPC-10000-18 – OPC Unified Architecture - Part 18: Role-Based Security
4.4.4 IdentityCriteriaType
UserName from a UserNameIdentityToken.
Thumbprint (2): The rule specifies the Thumbprint of a user Certificate.
Role (3): The rule is a Role specified in an Access Token.
GroupId ... application identity.
X509Subject (8): The rule specifies the X509 subject name of a user Certificate or the issuer of the user Certificate.
TrustedApplication (9): The rule specifies any trusted application that
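The RoleType conditions of 4.4.1 and the IdentityMappingRule evaluation of 4.4.3 and 4.4.4 above, as an added example in Go that is not part of OPC 10000-18 or of any OPC UA stack. The session struct and its field names, and the choice that a Role whose IdentityMappingRules match nothing grants nothing, are assumptions; the criteriaType values are those shown above (the value 1 for UserName is cut off above and taken from the specification). The Thumbprint rule compares the SHA1 of the DER certificate rendered as upper-case hexadecimal, the encoding 4.4.3 requires (that sentence is cut off after "without"; no separators are used here). The user certificate bytes in main are a constructed stand-in, since the thumbprint is a hash of whatever DER bytes the Server holds.

```go
package main

import (
	"crypto/sha1"
	"fmt"
)

// IdentityCriteriaType values; the page shows 2, 3, 8 and 9, UserName's 1 is from the spec.
type criteriaType int

const (
	UserName           criteriaType = 1
	Thumbprint         criteriaType = 2
	Role               criteriaType = 3
	X509Subject        criteriaType = 8
	TrustedApplication criteriaType = 9
)

type identityMappingRule struct {
	CriteriaType criteriaType
	Criteria     string
}

// roleDefinition carries the RoleType Properties used here: Identities holds the
// IdentityMappingRules, Applications the ApplicationUris of Client Certificates the
// Role is limited to (empty means not configured). Endpoints is left out.
type roleDefinition struct {
	Identities   []identityMappingRule
	Applications []string
}

// session is what the Server knows once the Session is active (field set assumed).
type session struct {
	UserName          string   // from a UserNameIdentityToken, "" if none
	UserCertDER       []byte   // from an X509IdentityToken, nil if none
	UserCertSubject   string   // subject name of that user Certificate, already decoded
	UserCertIssuer    string   // issuer name of that user Certificate
	AccessTokenRoles  []string // Roles carried in an AccessToken
	ClientAppUri      string   // ApplicationUri of the Client ApplicationInstance Certificate
	ClientCertTrusted bool     // whether the Server trusts that Certificate
}

// thumbprint renders the SHA1 hash of a DER Certificate the way 4.4.3 requires it in
// a Thumbprint rule: upper-case hexadecimal, here with no separators.
func thumbprint(der []byte) string {
	sum := sha1.Sum(der)
	return fmt.Sprintf("%X", sum[:])
}

func ruleMatches(r identityMappingRule, s session) bool {
	switch r.CriteriaType {
	case UserName:
		return s.UserName != "" && s.UserName == r.Criteria
	case Thumbprint:
		return s.UserCertDER != nil && thumbprint(s.UserCertDER) == r.Criteria
	case Role:
		for _, role := range s.AccessTokenRoles {
			if role == r.Criteria {
				return true
			}
		}
	case X509Subject: // subject name or issuer name of the user Certificate
		return (s.UserCertSubject != "" && s.UserCertSubject == r.Criteria) ||
			(s.UserCertIssuer != "" && s.UserCertIssuer == r.Criteria)
	case TrustedApplication: // any Client with a trusted ApplicationInstance Certificate
		return s.ClientCertTrusted
	}
	return false
}

// roleApplies checks the two 4.4.1 conditions quoted above: some IdentityMappingRule
// matches the Session, and Applications is either not configured or lists the Client's
// ApplicationUri, whose Certificate must also be trusted by the Server.
func roleApplies(role roleDefinition, s session) bool {
	matched := false
	for _, r := range role.Identities {
		if ruleMatches(r, s) {
			matched = true
			break
		}
	}
	if !matched || len(role.Applications) == 0 {
		return matched
	}
	if !s.ClientCertTrusted {
		return false
	}
	for _, app := range role.Applications {
		if app == s.ClientAppUri {
			return true
		}
	}
	return false
}

func main() {
	userDER := []byte("constructed stand-in for a DER-encoded user certificate")
	operator := roleDefinition{
		Identities:   []identityMappingRule{{Thumbprint, thumbprint(userDER)}},
		Applications: []string{"urn:example.com:hmi"},
	}
	s := session{UserCertDER: userDER, ClientAppUri: "urn:example.com:hmi", ClientCertTrusted: true}
	fmt.Printf("Operator granted: %v (thumbprint %s)\n", roleApplies(operator, s), thumbprint(userDER))
}
```

The Applications check is deliberately two-sided: a listed ApplicationUri only counts when the Server actually trusts the Client Certificate that carries it, which is the sentence above about "an ApplicationUri from a Client Certificate which is trusted by the Server"; an ApplicationUri alone is a claim anyone can put in a self-signed certificate.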
-
OPC-10000-21 – OPC Unified Architecture - Part 21: Device Onboarding
3.1.8 Device
generic computer or mobile device may be a Device if it has a DeviceIdentity Certificate
-
OPC-10000-21 – OPC Unified Architecture - Part 21: Device Onboarding
3.1.10 DeviceIdentity Certificate
a Certificate issued to a Device that identifies the Device. Note 1 to entry: All DeviceIdentity Certificates have the ProductInstanceUri as a subjectAltName. Note 2 to entry ... Note 3 to entry: The ProductInstanceUri is the ApplicationUri when the DeviceIdentity Certificate is used to create a SecureChannel
-
OPC-10000-21 – OPC Unified Architecture - Part 21: Device Onboarding
4.1 Device Lifecycle
Stage: Description
Device Manufacture: A Device is created and a DeviceIdentity Certificate is assigned. This Certificate is provided when the Device is transferred to other actors. During Device
-
OPC-10000-21 – OPC Unified Architecture - Part 21: Device Onboarding
4.3.2 Onboarding
described in PullManagement (7.2) or PushManagement (7.3). These interactions are secured with a DeviceIdentity Certificate. After authentication completes, the DCA is issued a Certificate by the Registrar that allows
-
OPC-10000-21 – OPC Unified Architecture - Part 21: Device Onboarding
4.3.3 Application Setup
Application Setup is the process of issuing an Application Instance Certificate and a TrustList to one or more Applications running on a Device that will allow the Applications ... described in OPC 10000-12. During the Onboarding step, the DCA is issued a Certificate that allows it to request or accept Certificates on behalf of any Application running
-
OPC-10000-21 – OPC Unified Architecture - Part 21: Device Onboarding
4.3.5 Operation
this stage it is possible to update the TrustList and/or renew the Application Instance Certificate using the CertificateManager PushManagement or PullManagement described in OPC 10000-12. Some Devices may allow
-
OPC-10000-21 – OPC Unified Architecture - Part 21: Device Onboarding
5.1 Device Identity
Every Device shall have an "Initial Device Identifier" (IDevID) Certificate (see 802.1AR) that is used to prove the origin of the Device. This identity shall ... include a Private Key and an X.509v3 Certificate. The IDevID Certificate should have the ProductInstanceUri (see 5.2) as a uniformResourceIdentifier in the subjectAltName field (see RFC 5280). If the IDevID Certificate
-
OPC-10000-21 – OPC Unified Architecture - Part 21: Device Onboarding
Composite. A Device which is visible on an external network may have an LDevID Certificate (see 802.1AR) created by the CompositeBuilder that can be used to prove the Device ... that identify the Devices as a component of the container Composite. The additional LDevID Certificate has the Device ProductInstanceUri and the CompositeInstanceUri for the containing Composite. The CompositeBuilder is responsible
-
OPC-10000-21 – OPC Unified Architecture - Part 21: Device Onboarding
6.1 Tickets
origin of the Device. Tickets are long-lived documents, which means the signing Certificate should be issued by a widely trusted root Certificate Authority that is likely ... root CA owned by the Manufacturer or CompositeBuilder. Tickets are typically signed with a Certificate issued to the Manufacturer by a well-known root CA. Issuer Certificates for Certificates used
-
OPC-10000-21 – OPC Unified Architecture - Part 21: Device Onboarding
wish to validate them immediately and add a Signature with their own Certificate. A Signature shall only be applied to a Ticket that has been validated. This allows the Device ... expiring Certificates by periodically re-validating and adding a new Signature before the Certificate that created the previous Signature expires. The re-signed Tickets should be stored in systems
-
OPC-10000-21 – OPC Unified Architecture - Part 21: Device Onboarding
6.3 Authentication
configured to use any of its DeviceIdentity Certificates as its Application Instance Certificate. Note that DeviceIdentity Certificates will not have a DNS name or IP address because these values ... known when the DeviceIdentity Certificate is created. Therefore, the Registrar shall suppress host name validation errors when communicating with a DCA. The Registrar should verify that the DCA is running
-
OPC-10000-21 – OPC Unified Architecture - Part 21: Device Onboarding
authority. The steps to validate a Ticket are as follows: Verify that a signing Certificate is valid and trusted; Verify the Signature is valid; Tickets that are not valid shall ... confident that the authority is properly validating Tickets before adding a Signature. A signing Certificate is trusted if it is valid and the Certificate is recorded as a trusted Ticket
-
OPC-10000-21 – OPC Unified Architecture - Part 21: Device Onboarding
7.1 Overview
Ticket if it has not already been validated (see 6.4); Select and Validate DeviceIdentity Certificate that matches the Ticket; Establish a secure connection to the Device using the selected DeviceIdentity ... Certificate. Issue a DCA Application Instance Certificate to the Device that indicates that it has been authenticated. The initial communication between the Registrar and the Device is secured with
-
OPC-10000-21 – OPC Unified Architecture - Part 21: Device Onboarding
7.2 Pull Management
Device specific mechanism. The sequence automatically repeats until the Device receives its DCA Certificate and no software update is required. If any errors occur, the sequence restarts from the beginning. Note ... until it finds one that accepts it and allows it to request a DCA Certificate and a TrustList. Once configured, the DCA shall not attempt to connect to Registrars that
-
OPC-10000-21 – OPC Unified Architecture - Part 21: Device Onboarding
7.3 Push Management
returned by GetEndpoints. The Registrar looks for a pre-validated Ticket that matches the Certificate in one of the Endpoints. If none is found it chooses any one and establishes ... needs to validate the Tickets returned by the Device, which requires access to the Certificate that created one of the Signatures and the ability to check its revocation status
-
OPC-10000-21 – OPC Unified Architecture - Part 21: Device Onboarding
7.4.1 Overview
other cases, the alternate mechanism will only authenticate the Device and install a single Certificate. In these cases, the mechanism described in this specification takes over and manages the life ... Authentication Service to verify the authenticity of the Device and supply a Certificate to the DCA that is trusted by the Registrar, SoftwareUpdateManager and CertificateManager. This Certificate shall also contain
-
OPC-10000-21 – OPC Unified Architecture - Part 21: Device Onboarding
7.4.2.2 Integration with the Registrar with the FDO Protocol
Specifically, the FDO Owner supplies the FDO device with a Certificate that can be used to create a SecureChannel with the Registrar. The Registrar is preconfigured ... with the CA Certificate used by the FDO Owner to issue the Certificates to authenticated FDO Devices. The FDO Owner uses an FSIM (fdo.csr) that creates a new LDevID that
-
OPC-10000-21 – OPC Unified Architecture - Part 21: Device Onboarding
then BASE64URL before being added to the document. The protected header specifies the signing Certificate and other information needed to verify the Signature. The required fields are defined in Table ... Devices incorporated into the Composite. The protected header shall have the CompositeInstanceUri. The Certificate and algorithms used to create the payload Signature are the same as the Certificate and algorithms
-
OPC-10000-21 – OPC Unified Architecture - Part 21: Device Onboarding
8.2.6 CertificateAuthorityType
The CertificateAuthorityType describes a Certificate Authority (CA) used to issue Certificates to Devices, Composites or to organizations that create Tickets. The fields of this DataType are defined in Table ... Structure DataType defined in OPC 10000-5.
authorityCertificate (0:ByteString): The DER encoded Certificate used to issue Certificates.
issuerCertificates (0:ByteString[]): The DER encoded form of the Issuer
-
OPC-10000-21 – OPC Unified Architecture - Part 21: Device Onboarding
9.2.3 ProvideIdentities
available Tickets. Tickets that cannot be verified are ignored.
selectedIdentity: The DER encoded DeviceIdentity Certificate that the DCA needs to use to complete the registration process.
matchingTicket: The Ticket describing
-
OPC-10000-21 – OPC Unified Architecture - Part 21: Device Onboarding
9.2.10 DeviceRegistrarAdminType
Device provides a Ticket, it is accepted automatically if and only if the signing Certificate is in this list. The DeviceIdentityAuthorities Object allows a RegistrarAdmin to manage the trusted DeviceIdentity Certificates
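Ticket signing and validation as described in 6.1, in the validation steps of 6.4, in the passage on re-signing before the previous signing Certificate expires, in the protected-header description, and in the DeviceRegistrarAdminType trust list above, as an added example in Go that is not part of OPC 10000-21 or of any OPC Foundation code. It assumes a JWS-style layout with the RFC 7515 member names (alg, x5c, protected, payload, signature), an ES256 signature kept in ASN.1 form rather than the raw R||S form JWS prescribes, a payload member productInstanceUri, and self-signed certificates generated at run time as stand-ins for the Manufacturer's and a re-validating authority's signing Certificates; the field table Part 21 actually defines is not reproduced on this page. Trusted Ticket authorities are keyed by the DER bytes of their Certificate, as the "signing Certificate is in this list" rule above says, and a Signature whose certificate is unknown or outside its validity period is skipped rather than rejected, so a Ticket that a later authority has re-signed keeps validating after the Manufacturer's Certificate expires. The must helper is for set-up only; the signing and validation functions return errors.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"math/big"
	"time"
)

var b64 = base64.RawURLEncoding

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// newAuthority: P-256 key plus self-signed X.509v3 certificate standing in for a signing
// Certificate of a Manufacturer or re-validating authority (name and lifetime constructed).
func newAuthority(cn string, notBefore, notAfter time.Time) (*ecdsa.PrivateKey, *x509.Certificate) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    notBefore,
		NotAfter:     notAfter,
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key))
	return key, must(x509.ParseCertificate(der))
}

// A Ticket as in 6.1: a BASE64URL payload plus one or more Signatures, each with a BASE64URL
// protected header naming the signing Certificate (alg and x5c are RFC 7515 names, assumed).
type sig struct{ Protected, Signature string }
type ticket struct {
	Payload    string
	Signatures []sig
}
type header struct {
	Alg string   `json:"alg"`
	X5c []string `json:"x5c"` // DER certificates, standard base64
}

// signTicket appends a Signature over the signing input BASE64URL(header) "." BASE64URL(payload).
// The Manufacturer signs first; an authority that has validated the Ticket may append its own.
func signTicket(t *ticket, key *ecdsa.PrivateKey, cert *x509.Certificate) error {
	h := must(json.Marshal(header{Alg: "ES256", X5c: []string{base64.StdEncoding.EncodeToString(cert.Raw)}}))
	protected := b64.EncodeToString(h)
	d := sha256.Sum256([]byte(protected + "." + t.Payload))
	s, err := ecdsa.SignASN1(rand.Reader, key, d[:])
	if err != nil {
		return err
	}
	t.Signatures = append(t.Signatures, sig{protected, b64.EncodeToString(s)})
	return nil
}

// validateTicket follows the 6.4 steps: the signing Certificate must be recorded as a trusted
// Ticket authority (keyed by DER) and be inside its validity period at now, and the Signature
// must verify. Signatures by other certificates are skipped; a trusted one that fails is fatal.
func validateTicket(t *ticket, authorities map[string]bool, now time.Time) (string, error) {
	for _, s := range t.Signatures {
		var h header
		hb, err := b64.DecodeString(s.Protected)
		if err != nil || json.Unmarshal(hb, &h) != nil || h.Alg != "ES256" || len(h.X5c) == 0 {
			continue
		}
		der, _ := base64.StdEncoding.DecodeString(h.X5c[0])
		cert, err := x509.ParseCertificate(der)
		if err != nil || !authorities[string(cert.Raw)] || now.Before(cert.NotBefore) || now.After(cert.NotAfter) {
			continue
		}
		sb, _ := b64.DecodeString(s.Signature)
		d := sha256.Sum256([]byte(s.Protected + "." + t.Payload))
		if pub, ok := cert.PublicKey.(*ecdsa.PublicKey); !ok || !ecdsa.VerifyASN1(pub, d[:], sb) {
			return "", fmt.Errorf("signature by trusted authority %q does not verify", cert.Subject.CommonName)
		}
		var body struct{ ProductInstanceUri string }
		if pb, err := b64.DecodeString(t.Payload); err != nil || json.Unmarshal(pb, &body) != nil {
			return "", fmt.Errorf("malformed Ticket payload")
		}
		return body.ProductInstanceUri, nil
	}
	return "", fmt.Errorf("no Signature by a trusted Ticket authority")
}

func main() {
	now := time.Now()
	mfrKey, mfrCert := newAuthority("Example Manufacturer", now.Add(-time.Hour), now.Add(time.Hour))
	t := &ticket{Payload: b64.EncodeToString([]byte(`{"productInstanceUri":"urn:example.com:device:1234"}`))}
	must(0, signTicket(t, mfrKey, mfrCert))
	fmt.Println(validateTicket(t, map[string]bool{string(mfrCert.Raw): true}, now))
}
```

Revocation is not covered here: 7.3 above also requires the Registrar to be able to check the revocation status of the Certificate that created a Signature, so a real implementation consults the CRL or OCSP status of the signing Certificate in addition to the trust-list and validity-period checks.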
-
OPC-10000-21 – OPC Unified Architecture - Part 21: Device Onboarding
Registrar finds a matching validated Ticket and is able to validate a DeviceIdentity Certificate. This Event and its subtypes are security related and Servers shall only report them to Sessions ... Modelling Rule
Subtype of the 2:DeviceRegistrationAuditEventType defined in 9.2.13
0:HasProperty Variable 2:Certificate 0:ByteString 0:PropertyType Mandatory
0:HasProperty Variable 2:Ticket 0:EncodedTicket 0:PropertyType Mandatory
-
OPC-10000-21 – OPC Unified Architecture - Part 21: Device Onboarding
9.3.3 ProvisionableDeviceType
operational Server are the same. If TRUE, it tells the Registrar that the DCA Certificate shall have rights associated with an Application Instance Certificate (i.e., it cannot be used to access