53 result(s) for CertificateManager
- OPC-10000-12 – OPC Unified Architecture - Part 12: Discovery and Global Services, 3.1.1 CertificateManager: a software application that manages the Certificates used by Applications in an administrative domain
- OPC-10000-2 – OPC Unified Architecture - Part 2: Security Model, 8.1 Overview: Discovery Services for a plant or entire system. In addition, this Server can include CertificateManager, KeyCredentialService and AuthorizationService (defined in OPC 10000-12). There are multiple methods of accessing ... Clients can query the GDS for available Servers; Clients can pull certificates from the CertificateManager; Servers can pull certificates from the CertificateManager; the CertificateManager can push certificates to a Server
- OPC-10000-4 – OPC Unified Architecture - Part 4: Services, 5.5.1 Overview: DiscoveryEndpoint. If GetEndpoints is disabled and the Server Certificate is updated either automatically with Certificate Manager or manually, Clients will no longer be able to connect to the Server without ... CreateSession response. A Client shall verify that: the ApplicationUri specified in the Server Certificate is the same as the ApplicationUri provided in the EndpointDescription returned from the CreateSession response. The Server
- OPC-10000-4 – OPC Unified Architecture - Part 4: Services: Certificate Authority is recommended. This includes initial roll-out and automatic updates by a CertificateManager defined in OPC 10000-12. If the administrator responsible for the application decides that ... Applications with a central discovery service and to execute the interaction necessary with a CertificateManager to issue the initial Certificate Authority signed Certificate. The CertificateManager interface includes features
- OPC-10000-4 – OPC Unified Architecture - Part 4: Services, 6.6.2.1 General: transparent redundant Servers are managed independently by a CertificateManager since every Server in a redundant set has its own ApplicationUris and its own certificates. The transparent redundant Servers are managed ... application by the CertificateManager. An update of the certificate must be synchronized internally by the Servers in the redundant
- OPC-10000-12 – OPC Unified Architecture - Part 12: Discovery and Global Services: discovery and security management. Note 1 to entry: a GDS may also be a CertificateManager. Note 2 to entry: a GDS may also be a KeyCredentialService. Note 3 to entry
- OPC-10000-12 – OPC Unified Architecture - Part 12: Discovery and Global Services, 3.1.9 GlobalService: centrally managed Capabilities needed for a system. Note 1 to entry: a GlobalDiscoveryServer, a CertificateManager, a KeyCredentialService and an AuthorizationService are all examples of GlobalServices
- OPC-10000-12 – OPC Unified Architecture - Part 12: Discovery and Global Services: Registration end options. The following options are possible to complete the registration with the CertificateManager: continue with PullManagement using the existing connection to the GDS. This option is typically used ... Configure PushManagement. For option (3) the application must be configured for PushManagement in the CertificateManager. The configuration of the PushManagement in the CertificateManager is currently not in the scope
- OPC-10000-12 – OPC Unified Architecture - Part 12: Discovery and Global Services, 6.5.8 UnregisterApplication: still registered with its local LDS. If an application has Certificates issued by the CertificateManager, these Certificates shall be revoked when this Method is called. If un-registration was successful
- OPC-10000-12 – OPC Unified Architecture - Part 12: Discovery and Global Services, 7.1 Overview: Applications. An application that provides the certificate management functions is called CertificateManager. GDS and CertificateManager will typically be combined in one application. The basic concepts regarding Certificate management are described ... PullManagement, the application acts as a Client and uses the Methods on the CertificateManager to request and update Certificates and TrustLists. The application is responsible for ensuring the Certificates
- OPC-10000-12 – OPC Unified Architecture - Part 12: Discovery and Global Services: CertificateManagers are listed in Table 18. Table 18 - Well-known Roles for a CertificateManager (Name / Description). CertificateAuthorityAdmin: This Role grants rights to request or revoke any Certificate, update any TrustList ... requests. SecurityAdmin: This Role grants the right to change the security configuration of a CertificateManager. The well-known Roles for Servers managed by a CertificateManager are listed in Table
- OPC-10000-12 – OPC Unified Architecture - Part 12: Discovery and Global Services, 7.3 Pull Management: PullManagement is performed by using the CertificateManager information model, in particular the Methods defined in 7.9. The interactions between application and CertificateManager during PullManagement are illustrated in Figure ... Certificates issued to an application with access to the ApplicationAdmin Privilege (see 6.2). The CertificateManager shall ensure that any application with a Certificate issued by the CertificateManager may connect securely
- OPC-10000-12 – OPC Unified Architecture - Part 12: Discovery and Global Services, 7.4 Push Management: PushManagement is targeted at applications that can be configured with a CertificateManager or agent acting as a Client. The Methods defined in 7.10 are used to create ... CertificateRequest which can be passed onto the registration authority managed by the CertificateManager. After the registration authority signs the Certificate, the new Certificate is pushed to the Server with
- OPC-10000-12 – OPC Unified Architecture - Part 12: Discovery and Global Services: Pull Management Workflow. In this workflow the application that gets Certificates from the CertificateManager is the Client that executes the workflow and the CertificateManager is the Server processing the request ... workflow. The application is authenticated with the Certificate signed by the CertificateManager (or the Certificate assigned during registration). The UserTokenType is always Anonymous using the ApplicationSelfAdmin Privilege. The workflow
- OPC-10000-12 – OPC Unified Architecture - Part 12: Discovery and Global Services: Update Certificates Workflow. This workflow is started if the CertificateManager determines that an update to one or more Certificates used for existing Endpoints is required. It is shown ... PushManagement Update Workflow Steps (Step / Description). Initial Conditions: The update is triggered when the CertificateManager becomes aware that one or more Certificates need to be updated. Possible trigger mechanisms include
- OPC-10000-12 – OPC Unified Architecture - Part 12: Discovery and Global Services: Update TrustList Workflow. The Update TrustList workflow starts if the CertificateManager determines that an update to an existing TrustList is required. This update can be part of another workflow ... Update TrustList Workflow Steps (Step / Description). Initial Conditions: The update is triggered when the CertificateManager needs to update a TrustList as part of a larger workflow. The CertificateGroupId is determined
- OPC-10000-12 – OPC Unified Architecture - Part 12: Discovery and Global Services: workflow is part of the Update Certificates workflow in 7.7.2. It starts when the CertificateManager determines that an update to a Certificate assigned to a CertificateGroup is required ... Update Certificate Workflow Steps (Step / Description). Initial Conditions: The update is triggered when the CertificateManager needs to update a Certificate as part of a larger workflow. The CertificateGroupId and CertificateTypeId
- OPC-10000-12 – OPC Unified Architecture - Part 12: Discovery and Global Services, 7.7.5 Create Endpoint Workflow: The Create Endpoint workflow starts if the CertificateManager determines it needs to create a new Endpoint. This update is always part of another workflow. It is shown ... administrator decides that a new Endpoint needs to be created and instructs the CertificateManager to create it. The CertificateManager needs to have a DiscoveryUrl for the Server and should already
- OPC-10000-12 – OPC Unified Architecture - Part 12: Discovery and Global Services: PushManagement Update Configuration Workflow Steps (Step / Description). Initial Conditions: The workflow starts when a CertificateManager has completed updates to a local copy of the ApplicationConfiguration. A Session with SecurityAdmin access ... Object belongs to the ApplicationConfiguration being updated. It may be the Server that the CertificateManager is connected to or another application being managed by the Server. ConfigurationFileType::Open: The ConfigurationFile
- OPC-10000-12 – OPC Unified Architecture - Part 12: Discovery and Global Services, 7.8.2.1 TrustListType: This type defines a FileType that can be used to access a TrustList. The CertificateManager uses this type to implement the Pull Model. Servers use this type when implementing ... TrustListType shall restrict access to appropriate users or applications. This may be a CertificateManager administrative user that can change the contents of a TrustList; it may be an administrative user
- OPC-10000-12 – OPC Unified Architecture - Part 12: Discovery and Global Services, 7.8.3.1 CertificateGroupType: which has multiple TrustLists and/or ApplicationInstance Certificates to express them in its AddressSpace. A CertificateManager can have many CertificateGroups which manage CertificateTypes and TrustLists for the applications in the system ... mapping between a CertificateGroup in a Server and a CertificateGroup in the CertificateManager. The mechanisms for creating that mapping are outside the scope of this specification. This type is defined
- OPC-10000-12 – OPC Unified Architecture - Part 12: Discovery and Global Services, 7.9.2 CertificateDirectoryType: This ObjectType is the TypeDefinition for the root of the CertificateManager AddressSpace. It provides additional Methods for Certificate management which are shown in Table 74. Table 74 - CertificateDirectoryType ObjectType ... Certificate Manager Pull Model. The CertificateGroups Object organizes the CertificateGroups supported by the CertificateManager. It is described in 7.8.4.10. CertificateManagers shall support the DefaultApplicationGroup and may support the DefaultHttpsGroup
- OPC-10000-12 – OPC Unified Architecture - Part 12: Discovery and Global Services, 7.9.3 StartSigningRequest: NodeId RequestId); (Argument / Description). ApplicationId: The identifier assigned to the application record by the CertificateManager. CertificateGroupId: The NodeId of the CertificateGroup which provides the context for the new request ... null the CertificateManager shall choose the DefaultApplicationGroup. CertificateTypeId: The NodeId of the CertificateType for the new Certificate. If null the CertificateManager shall generate a Certificate based on the value
- OPC-10000-12 – OPC Unified Architecture - Part 12: Discovery and Global Services, 7.9.4 StartNewKeyPairRequest: NodeId RequestId); (Argument / Description). ApplicationId: The identifier assigned to the application by the CertificateManager. CertificateGroupId: The NodeId of the CertificateGroup which provides the context for the new request. If null ... CertificateManager shall choose the DefaultApplicationGroup. CertificateTypeId: The NodeId of the CertificateType for the new Certificate. If null the CertificateManager shall generate a Certificate based on the value of the CertificateGroupId
- OPC-10000-12 – OPC Unified Architecture - Part 12: Discovery and Global Services, 7.9.5 FinishRequest: used to call StartSigningRequest or StartNewKeyPairRequest. If auditing is supported, the CertificateManager shall generate the CertificateDeliveredAuditEventType (see 7.9.13) if this Method succeeds. Method Result Codes (defined in Call Service): Result ... UserAccessDenied: The current user does not have the rights required. Bad_RequestNotAllowed: The CertificateManager rejected the request. The text associated with the error should indicate the exact reason. Bad_SecurityModeInsufficient
- OPC-10000-12 – OPC Unified Architecture - Part 12: Discovery and Global Services, 7.9.6 RevokeCertificate: The RevokeCertificate Method is used to revoke a Certificate issued by the CertificateManager. When a Certificate is revoked it shall be removed from any TrustLists that ... that has access to the CertificateAuthorityAdmin Role (see 7.2). If auditing is supported, the CertificateManager shall generate the CertificateRevokedAuditEventType on success. Signature: RevokeCertificate([in] NodeId ApplicationId, [in] ByteString Certificate); Argument
- OPC-10000-12 – OPC Unified Architecture - Part 12: Discovery and Global Services, 7.9.8 GetCertificates: CertificateGroupId: An identifier for the CertificateGroup that the Certificates belong to. If null, the CertificateManager shall return the Certificates for all CertificateGroups assigned to the application. CertificateTypeIds: The CertificateTypes that
- OPC-10000-12 – OPC Unified Architecture - Part 12: Discovery and Global Services, 7.9.9 GetTrustList: CertificateGroupId: An identifier for a CertificateGroup that the application belongs to. If null, the CertificateManager shall return the TrustListId for a suitable default group for the application. TrustListId: The NodeId
- OPC-10000-12 – OPC Unified Architecture - Part 12: Discovery and Global Services, 7.9.10 GetCertificateStatus: CertificateGroupId: The NodeId of the CertificateGroup which provides the context. If null the CertificateManager shall choose the DefaultApplicationGroup. CertificateTypeId: The NodeId of the CertificateType for the Certificate. If null ... CertificateManager shall select a Certificate based on the value of the CertificateGroupId argument. UpdateRequired: TRUE if the application has to request a new Certificate from the GDS. FALSE
- OPC-10000-12 – OPC Unified Architecture - Part 12: Discovery and Global Services, 7.9.11 CheckRevocationStatus: TrustList is configured to require online Certificate revocation checks (see 7.8.2.1). The CertificateManager will typically use a protocol such as OCSP (see RFC 6960) to verify the Certificate status using ... status check (see OPC 10000-4) on the Certificate before calling this Method. The CertificateManager shall check the Signature on the Certificate and may do additional validation. This Method shall
- OPC-10000-12 – OPC Unified Architecture - Part 12: Discovery and Global Services: raised when a new certificate request has been accepted or rejected by the CertificateManager. This can be the result of a StartNewKeyPairRequest or StartSigningRequest Method call. Its representation
- OPC-10000-12 – OPC Unified Architecture - Part 12: Discovery and Global Services: CertificateDeliveredAuditEventType: This event is raised when a certificate is delivered by the CertificateManager to a Client. This is the result of a FinishRequest Method completing successfully. Its representation
- OPC-10000-12 – OPC Unified Architecture - Part 12: Discovery and Global Services: CertificateRevokedAuditEventType: This event is raised when a certificate is revoked by the CertificateManager. This is the result of a RevokeCertificate Method completing successfully. Its representation in the AddressSpace is formally
- OPC-10000-12 – OPC Unified Architecture - Part 12: Discovery and Global Services, 7.10.3 ServerConfigurationType: applications often have network endpoints; however, from the perspective of the CertificateManager, the applications are not Servers. The ApplicationNames Property is a list of localized names for the application that
- OPC-10000-12 – OPC Unified Architecture - Part 12: Discovery and Global Services, 9.6.4 AuthorizationServiceType: revoked or otherwise invalid before returning any AccessToken to Clients. When a CertificateManager pushes the configuration to a target Server, the CertificateManager is responsible for verifying the ServiceCertificate and automatically
- OPC-10000-12 – OPC Unified Architecture - Part 12: Discovery and Global Services: PullManagement (see 7.3) to set up their configuration shall know the location of the CertificateManager which they can use to request Certificates and download TrustLists. This location may be auto-discovered ... page. Once the location is known the application can connect to the CertificateManager and establish a SecureChannel. The application may choose to connect even if it has not been
- OPC-10000-12 – OPC Unified Architecture - Part 12: Discovery and Global Services: installer will know the CA used to sign the Certificate used by the CertificateManager and can add this CA to the application's TrustList during installation. If practical, this approach ... against accidental configuration by malicious Clients. If the device is automatically discovered by the CertificateManager, the CertificateManager needs some way to ensure that the device belongs on the network
- OPC-10000-12 – OPC Unified Architecture - Part 12: Discovery and Global Services, H.1 Overview: Capabilities provided by EST and how the same Capabilities are provided by the CertificateManager defined
- OPC-10000-12 – OPC Unified Architecture - Part 12: Discovery and Global Services: returns the CA certificates. In OPC UA the CA Certificates are returned when the CertificateManager client reads the TrustList assigned to the application from the CertificateManager. Prior to these operations ... provide CAs. Table H.1 compares how EST clients verify the EST server with how CertificateManager clients verify a CertificateManager. Table H.1 - Verifying that a Server is allowed to Provide Certificates
- OPC-10000-12 – OPC Unified Architecture - Part 12: Discovery and Global Services: proceed. In OPC UA, a Method is used to request a Certificate. The CertificateManager also authenticates and authorizes the client before allowing the operation to proceed. Table H.2 compares ... Servers verify the EST client with how a CertificateManager verifies a CertificateManager client. Table H.2 - Verifying that a Client is allowed to request Certificates (EST / OPC UA). TLS with
- OPC-10000-12 – OPC Unified Architecture - Part 12: Discovery and Global Services: specified with the PrivateKeyFormat parameter, and the set of envelope formats supported by the CertificateManager is published in the AddressSpace. It is expected that the envelope format will specify
- OPC-10000-12 – OPC Unified Architecture - Part 12: Discovery and Global Services: publish extensions. Clients are free to include additional metadata in the CSR; however, the CertificateManager may ignore it. There is no mechanism in OPC UA to publish the algorithms which ... used for the CSR; however, the CertificateManager will reject CSRs that do not meet its requirements
- OPC-10000-14 – OPC Unified Architecture - Part 14: PubSub, 7.3.2.4.1 General: order to manage these certificates the DTLS Transport requires the OPC UA GDS CertificateManager. Pull Management or Push Management of certificates shall be supported by any Publisher or Subscriber that ... supports the DTLS Transport (see Part 12 for more information on the CertificateManager). DTLS makes use of the same Certificates and Trust List that are used for OPC UA Client
- OPC-10000-21 – OPC Unified Architecture - Part 21: Device Onboarding, 4.3.3 Application Setup: other OPC UA Applications running on the network. These mechanisms are provided by the CertificateManager Information Model and are described in OPC 10000-12. During the Onboarding step ... running on the Device. If the DCA is a Client it can connect to the CertificateManager and request the additional Certificates and TrustLists without the need for additional approvals
- OPC-10000-21 – OPC Unified Architecture - Part 21: Device Onboarding, 4.3.5 Operation: possible to update the TrustList and/or renew the Application Instance Certificate using the CertificateManager PushManagement or PullManagement described in OPC 10000-12. Some Devices may allow the Application configuration
- OPC-10000-21 – OPC Unified Architecture - Part 21: Device Onboarding, 6.3 Authentication: shall not be used for communication with any application other than the Registrar, SoftwareUpdateManager, CertificateManager or a configuration application that acts on behalf of those agents. The CertificateManager shall restrict
- OPC-10000-21 – OPC Unified Architecture - Part 21: Device Onboarding, 7.2 Pull Management: Note that the DCA does not call RegisterApplication on the CertificateManager since the Registrar does that on behalf of the DCA when it finds a valid Ticket for the Device ... Note that the Methods are exposed by the Registrar rather than the CertificateManager. The expectation is that the Registrar and the CertificateManager share a common backend so Certificates and Applications created
- OPC-10000-21 – OPC Unified Architecture - Part 21: Device Onboarding, 7.3 Push Management: behalf calls the UpdateSoftwareStatus Method on the Registrar. Once the Device has updated software the CertificateManager will be able to push Application Instance Certificates and TrustLists for all Applications exposed
- OPC-10000-21 – OPC Unified Architecture - Part 21: Device Onboarding, 7.4.1 Overview: supply a Certificate to the DCA that is trusted by the Registrar, SoftwareUpdateManager and CertificateManager. This Certificate shall also contain a ProductInstanceUri (see 5.2) which uniquely identifies the Device ... request Certificates and TrustLists on behalf of those Applications. The location of the CertificateManager is returned by the GetManagers Method. The DCA can use the mechanisms defined
- OPC-10000-21 – OPC Unified Architecture - Part 21: Device Onboarding, 9.2.2 DeviceRegistrarType: single Call request. The GetManagers Method returns the location of the SoftwareUpdateManager and CertificateManager which an authenticated DCA needs to use to complete the onboarding process. The RegisterManagedApplication Method allows
- OPC-10000-21 – OPC Unified Architecture - Part 21: Device Onboarding, 9.2.3 ProvideIdentities: Ticket describing the Device which the Registrar accepted. applicationId: The identifier assigned by the CertificateManager to the Device. This identifier is needed to request Certificates from the CertificateManager. softwareUpdateManager
- OPC-10000-21 – OPC Unified Architecture - Part 21: Device Onboarding, 9.2.7 ManagerDescription: location of a manager on the network such as a SoftwareUpdateManager or a CertificateManager. The following purposeUris are defined by this specification: http://opcfoundation.org/UA/Onboarding/CertificateManager and http://opcfoundation.org/UA/Onboarding/SoftwareUpdateManager. Other purposes
- OPC-10000-21 – OPC Unified Architecture - Part 21: Device Onboarding: application that it manages. The Registrar creates whatever records are needed in the CertificateManager and returns the ApplicationIds which are needed to request Certificates and TrustLists for the Application