Search
121 result(s) for certificates
- OPC-10000-1 – OPC Unified Architecture - Part 1: Overview and Concepts, 5.7.3 Certificate management: OPC UA Applications rely on Digital (X.509) Certificates as the basis for trust. In systems it is highly desirable to assign and manage the Certificates used
- OPC-10000-1 – OPC Unified Architecture - Part 1: Overview and Concepts, 5.7.6 Device Onboarding: network so that OPC UA Applications can be installed, updated, and provisioned with Certificates over the network
- OPC-10000-2 – OPC Unified Architecture - Part 2: Security Model, 3.1.37 Public Key Infrastructure: hardware, software, people, policies, and procedures needed to create, manage, store, distribute, and revoke Certificates based on Asymmetric Cryptography. Note 1 to entry: The core PKI functions are to register ... users and issue their public-key Certificates, to revoke Certificates when required, and to archive data needed to validate Certificates. Key pairs for data Confidentiality could be generated
- OPC-10000-2 – OPC Unified Architecture - Part 2: Security Model, 4.5.2.3 Session communication layer: SecureChannel provides encryption to maintain Confidentiality, Message Signatures to maintain Integrity and Certificates to provide application Authentication. In addition, the SecureChannel provides Perfect Forward Secrecy when the SecureChannel
- OPC-10000-2 – OPC Unified Architecture - Part 2: Security Model: Certificates of the OPC UA Server by the previously mentioned discovery services. These Certificates contain the Public Keys of the OPC UA Server. For Rivest-Shamir-Adleman
- OPC-10000-2 – OPC Unified Architecture - Part 2: Security Model, 5.2.5 Confidentiality: certificate chain is defined by the site CSMS (only local TrustList with self-signed Certificates or a full CA/CRL infrastructure
- OPC-10000-2 – OPC Unified Architecture - Part 2: Security Model, 9.1 Overview: They are used for establishing a secure connection using Asymmetric Cryptography. These ApplicationInstanceCertificates are X.509 v3 Certificates and contain a list of data items that are defined ... These data items describe the ApplicationInstance that the Certificate is assigned to. The Certificates include a Digital Signature by the generator of the Certificate. This Digital Signature can be self
- OPC-10000-2 – OPC Unified Architecture - Part 2: Security Model: installation is the effort required to deploy and maintain the Certificates. The choice of when to use a CA issued Certificate versus a self-signed Certificate depends on the installation ... illustrates the work that is required to maintain the TrustList for self-signed Certificates. Figure 11 - Manual Certificate handling. An administrator would be required to copy the Public Key associated
- OPC-10000-2 – OPC Unified Architecture - Part 2: Security Model: locations. The company specific CA allows the company to control the issuing of Certificates. The use of a commercial CA (such as VeriSign) would not be recommended in most cases ... trust only the other applications determined by the Company as trusted. If all Certificates issued by a commercial CA were to be trusted then the commercial CA would be controlling
- OPC-10000-2 – OPC Unified Architecture - Part 2: Security Model: SecurityPolicies that an OPC UA Application supports, the Application could require multiple Certificates and TrustLists. This is required if both ECC and RSA endpoints are exposed. From a security point ... Authority (CA) is an administrator or organization which is responsible for creating and managing Certificates (it is usually a partially automated software product). The Certificate Authority verifies that Claims placed
- OPC-10000-4 – OPC Unified Architecture - Part 4: Services, 5.5.4.1 Description: gatewayServerUri is specified in the EndpointDescription and all security checks used to verify Certificates shall use the gatewayServerUri (see 6.1.3) instead of the serverUri. To connect to a Server
- OPC-10000-4 – OPC Unified Architecture - Part 4: Services, 5.6.2.1 Description: used in the OpenSecureChannel Service, then Clients and Servers shall verify that the same Certificates are used in the CreateSession and ActivateSession Services. Certificates are not provided and shall
- OPC-10000-4 – OPC Unified Architecture - Part 4: Services, 5.7.2.1 Description: supported by the Server. OPC UA Profiles are defined in OPC 10000-7. Additional Certificates issued by other organizations may be included to identify additional Server capabilities. Examples of these
- OPC-10000-4 – OPC Unified Architecture - Part 4: Services: Certificate Authority; A digital signature created by the Certificate Authority. Note: Self-signed Certificates contain this information but in this case the information is set to itself. In addition, each ... private key assigned to the Certificate shall be used to create the Certificate signature. Certificates created in this way are called self-signed Certificates. Manual management and replacement before expiry
- OPC-10000-4 – OPC Unified Architecture - Part 4: Services: only trusted if its chain can be validated. Applications shall rely on lists of Certificates provided by the Administrator to determine trust. There are two separate lists: a list ... trusted Certificates and a list of issuer Certificates (i.e. CAs). The list of trusted Certificates may contain a Certificate issued to another Application or it may be a Certificate belonging
- OPC-10000-4 – OPC Unified Architecture - Part 4: Services, 6.1.4 Creating a SecureChannel: SecureChannel before creating a Session. This SecureChannel requires that both applications have access to Certificates that can be used to encrypt and sign the Messages exchanged. The ApplicationInstanceCertificates installed by following ... local machine, then the Client and Server shall still validate the application Certificates using that key. The figure shows only one CA, however, there is no requirement that the Client
- OPC-10000-4 – OPC Unified Architecture - Part 4: Services, 6.1.5 Creating a Session: sort. The Client and Server shall prove possession of their ApplicationInstanceCertificates by signing the Certificates with a nonce appended. The exact mechanism used to create the proof of possession signatures
- OPC-10000-4 – OPC Unified Architecture - Part 4: Services: ActivateSession. The new Signature calculation algorithm, called channel bound Signatures, requires that the Certificates used to establish the SecureChannel be used in the calculation. Certificates that are passed as parameters ... only accepted as correct when they are exchanged over a SecureChannel using the Certificates used to create it. The calculation method uses the following values: The ChannelThumbprint; The Server SecureChannel
- OPC-10000-4 – OPC Unified Architecture - Part 4: Services: linked with the GDS, it knows of all Servers which have been issued Certificates. The ApplicationUri is used as the identifier for the Server passed to the AS. The identity
- OPC-10000-4 – OPC Unified Architecture - Part 4: Services, 6.6.2.3.2 Server requirements: Servers have the identical EndpointUrl. This includes all other EndpointDescriptions content like identical Certificates and security settings. How this virtual network address is created and managed is vendor specific. There
- OPC-10000-4 – OPC Unified Architecture - Part 4: Services: networks. The hostname may be a numeric network address or a descriptive name. Server Certificates should have at least one hostname defined. publicKey (ByteString): The public key associated with
- OPC-10000-4 – OPC Unified Architecture - Part 4: Services, 7.41 UserTokenPolicy: choice of SecurityPolicy is system specific and depends on the infrastructure that issues the Certificates to users. If the system supports multiple PublicKey algorithms for user Certificates then the Server
- OPC-10000-6 – OPC Unified Architecture - Part 6: Mappings: derived key used for Message authentication. CertificateSignatureAlgorithm: The asymmetric signature algorithm used to sign certificates. CertificateKeyAlgorithm: The algorithm used to create asymmetric key pairs used with Certificates. EphemeralKeyAlgorithm: The algorithm ... specified by the DerivedSignatureKeyLength. The MinAsymmetricKeyLength and MaxAsymmetricKeyLength are constraints that apply to all Certificates (including Issuers in the chain). In addition, the key length of issued Certificates shall
- OPC-10000-6 – OPC Unified Architecture - Part 6: Mappings, 6.2.1 General: Certificates are digitally signed data structures that contain a Public Key and the identity of an OPC UA Application. All SecurityProtocols use X.509 v3 Certificates (see X.509 v3) encoded ... using the DER format (see X.690). Certificates used by OPC UA applications shall also conform to IETF RFC 5280 which defines a profile for X.509 v3 Certificates when they
- OPC-10000-6 – OPC Unified Architecture - Part 6: Mappings: keyUsage shall include digitalSignature. Other keyUsage bits are allowed but not recommended. Self-signed Certificates shall also include keyCertSign. extendedKeyUsage keyUsage: Specifies additional limits on how the Certificate ... information about the key used to sign the Certificate. It shall be specified for Certificates signed by a CA. It should be specified for self-signed Certificates. basicConstraints (No mapping
- OPC-10000-6 – OPC Unified Architecture - Part 6: Mappings, 6.2.3 User Certificates: A User Certificate is a Certificate issued by a certifying authority and identifies a user. The X.509 v3 fields in User Certificates with specific requirements are shown ... valid chains that include this Certificate. The cA flag shall be FALSE for User Certificates. The pathLength shall not be present
- OPC-10000-6 – OPC Unified Architecture - Part 6: Mappings, 6.2.4 Issuer (CA) Certificates: An Issuer or CA Certificate is an X.509 v3 Certificate that identifies an authority that issues Certificates. An Issuer Certificate may identify a root ... intermediate CA. Certificates that identify root CAs are self-signed Certificates. Certificates that identify intermediate CAs are issued by the authority identified by an intermediate CA or root CA. The X.509
- OPC-10000-6 – OPC Unified Architecture - Part 6: Mappings: issued by a certifying authority and contains the serial numbers of the Certificates issued by that authority which are no longer valid. All CRLs shall have the extension defined in Table
- OPC-10000-6 – OPC Unified Architecture - Part 6: Mappings, 6.2.6 Certificate Chains: validates a Certificate (see OPC 10000-4) it shall recursively build a chain of Certificates by finding the issuer Certificate, validating the Certificate and then repeating the process ... stored in a ByteString by simply appending the DER encoded form of the Certificates. The first Certificate shall be the end Certificate followed by its issuer. If the root
- OPC-10000-6 – OPC Unified Architecture - Part 6: Mappings: communicating machines be reasonably synchronized in order to check the expiry times for Certificates or CRLs. In addition, incorrect Timestamps on Data and Events could create interoperability issues. The Network ... clocks can drift over time. Applications should log possible time synchronization errors. For example, Certificates or CRLs with ValidFrom times in the future could indicate a time synchronization issue
- OPC-10000-6 – OPC Unified Architecture - Part 6: Mappings, 6.7.2.3 Security Header: Certificate that can be added without exceeding the MaxSenderCertificateSize limit). Receivers can extract the Certificates from the byte array by using the Certificate size contained in the DER header (see X.509
- OPC-10000-6 – OPC Unified Architecture - Part 6: Mappings: negotiated; however, the Server application shall provide the Stack with the list of trusted Certificates. The Stack shall provide notifications to the Server application whenever it receives an OpenSecureChannel request
- OPC-10000-6 – OPC Unified Architecture - Part 6: Mappings, 7.4.1 Overview: machine. This means that a Server with multiple DNS names can have multiple HTTPS certificates. If multiple Servers are on the same machine they may share HTTPS certificates. This means ... that ApplicationCertificates are not the same as HTTPS Certificates. Applications which use the HTTPS transport and require application authentication shall check application Certificates during the CreateSession/ActivateSession handshake. HTTPS Certificates
- OPC-10000-6 – OPC Unified Architecture - Part 6: Mappings, 7.5.3 Security: Clients that are able to override the Certificate validation procedure can choose to accept Certificates with a domain mismatch. When using the WebSockets transport from a web browser the browser ... Client may use its Certificate as the TLS Certificate and Servers shall accept those Certificates if they are valid according to the OPC UA Certificate validation rules. Some operating systems
- OPC-10000-6 – OPC Unified Architecture - Part 6: Mappings, CertificateStoreIdentifier: The CertificateStoreIdentifier element describes a physical store containing X.509 v3 Certificates. The elements contained in a CertificateStoreIdentifier are described in Table E.4. Table E.4 - CertificateStoreIdentifier (Element / Type / Description): StoreType ... syntax for different StoreTypes. ValidationOptions (CertificateValidationOptions): The options to use when validating the Certificates contained in the store. The possible options are described in E.6. All Certificates are placed
- OPC-10000-6 – OPC Unified Architecture - Part 6: Mappings, E.5 CertificateList: The CertificateList element is a list of Certificates. The elements contained in a CertificateList are described in Table E.5. Table E.5 - CertificateList (Element / Type / Description): Certificates (CertificateIdentifier[]): The list ... Certificates contained in the Trust List. ValidationOptions (CertificateValidationOptions): The options to use when validating the Certificates contained in the store. These options only apply to Certificates that have ValidationOptions with
- OPC-10000-6 – OPC Unified Architecture - Part 6: Mappings: CheckRevocationStatusOffline bit is set. Otherwise, validation fails. This option is specified for Issuer Certificates and used when validating Certificates issued by that Issuer. CheckRevocationStatusOffline (4): Check the revocation status offline ... Validation fails if a CRL is not found. This option is specified for Issuer Certificates and used when validating Certificates issued by that Issuer. UseDefaultOptions (5): If set the CertificateValidationOptions
-
OPC-10000-12 – OPC Unified Architecture - Part 12: Discovery and Global Services3.1.1 CertificateManagerCertificateManager a software application that manages the Certificates used by Applications in an administrative domain
-
OPC-10000-12 – OPC Unified Architecture - Part 12: Discovery and Global Servicessufficient check against rogue Servers or man-in-the-middle attacks when Server Certificates do not contain fully qualified domain names. The Certificate trust relationship established by administrators
-
OPC-10000-12 – OPC Unified Architecture - Part 12: Discovery and Global Servicesfirst HTTPS URL specifies the domain used as the Common Name of HTTPS Certificates . ServerCapabilities String[] The list of server capability identifiers for the application. The allowed values are defined
-
OPC-10000-12 – OPC Unified Architecture - Part 12: Discovery and Global Services6.5.8 UnregisterApplicationServer application is still registered with its local LDS. If an application has Certificates issued by the CertificateManager , these Certificates shall be revoked when this Method is called
-
OPC-10000-12 – OPC Unified Architecture - Part 12: Discovery and Global Services7.1 OverviewOverview Certificate management functions comprise the management and distribution of certificates and TrustLists for OPC UA Applications. An application that provides the certificate management functions is called CertificateManager ... Client and uses the Methods on the CertificateManager to request and update Certificates and TrustLists . The application is responsible for ensuring the Certificates and TrustLists are kept up to date
-
OPC-10000-12 – OPC Unified Architecture - Part 12: Discovery and Global Services7.3 Pull Managementduring PullManagement are illustrated in Figure 13 . Figure 13 - The Pull Management Model for Certificates The Application Administration component may be part of the Client or Server or a standalone ... configuration information in its Configuration Database. A similar process is used to renew certificates or to periodically update TrustList . Security in PullManagement requires an encrypted channel and authorized credentials. These
-
OPC-10000-12 – OPC Unified Architecture - Part 12: Discovery and Global Services7.4 Push Managementbefore the sequence in the diagram starts. A similar process is used to renew certificates or to periodically update TrustList . In Figure 14 the TrustList update is shown to happen ... configuration tool. OPC 10000-21 defines a mechanism to install administrative Client Certificates into the Server TrustList
-
OPC-10000-12 – OPC Unified Architecture - Part 12: Discovery and Global ServicesServer or Client into a system in which a GDS is available and managing Certificates . Applications using a Client interface can be setup using the PullManagement . Applications using a Server ... example, a machine vendor may use a CA that is used to issue Certificates to Applications used by their field technicians. For embedded devices, the Server should allow any Client
-
OPC-10000-12 – OPC Unified Architecture - Part 12: Discovery and Global ServicesPull Management Workflow In this workflow the application that gets Certificates from the CertificateManager is the Client that executes the workflow and the CertificateManager is the Server processing the request ... result, a new request must be sent in the next cycle GetTrustList If all Certificates for a CertificateGroup are up-to-date, the TrustList is checked for updates by calling
-
OPC-10000-12 – OPC Unified Architecture - Part 12: Discovery and Global ServicesUpdate Certificates Workflow This workflow is started if the CertificateManager determines that an update to one or more Certificates used for an existing Endpoints is required. It is shown ... boxes with blue text indicate Method calls. Figure 17 - PushManagement Update Multiple Certificates Workflow The steps of the workflow are described in Table 22 . Table 22 - PushManagement Update Workflow Steps
-
OPC-10000-12 – OPC Unified Architecture - Part 12: Discovery and Global Services7.7.5 Create Endpoint Workflowstep completes the CertificateManager disconnects from the Server . It is described in 7.7.6 . Update Certificates Workflow Once new CertificateGroups and CertificateTypes are added to the configuration it is possible ... Update Certificates workflow to populate the TrustLists and issue Certificates . If this step is skipped, any Endpoints that reference the CertificateGroups missing Certificates will not be enabled. An Endpoint that
-
OPC-10000-12 – OPC Unified Architecture - Part 12: Discovery and Global Services7.8.2.1 TrustListTypemilliseconds (1 minute). The DefaultValidationOptions Property specifies the default options to use when validating Certificates with the TrustList . The TrustListValidationOptions DataType is defined in 7.8.2.10 . This Property may be updated
-
OPC-10000-12 – OPC Unified Architecture - Part 12: Discovery and Global Services7.8.2.5 CloseAndUpdateTrustList . The Purpose of the associated CertificateGroup determines the validation rules for Certificates placed in the TrustList . For ApplicationCertificateType , the Server shall verify that every Certificate in the new TrustList ... have the rights required. Bad_CertificateInvalid The Server could not validate one or more Certificates in the TrustList . This may be returned after the first failed validation check. Bad_RequestTooLarge
-
OPC-10000-12 – OPC Unified Architecture - Part 12: Discovery and Global Services7.8.2.6 AddCertificateissuer is not in the TrustList . This Method cannot provide CRLs so issuer Certificates cannot be added with this Method . Instead, CA Certificates and their CRLs shall be managed with
-
OPC-10000-12 – OPC Unified Architecture - Part 12: Discovery and Global Services7.8.2.8 TrustListDataTypedefines the allowed values. TrustedCertificates ByteString[] The list of ApplicationInstance and CA Certificates which are trusted. TrustedCrls ByteString[] The CRLs for the Certificates in the TrustedCertificates list. IssuerCertificates ByteString ... list of CA Certificates which are necessary to validate Certificates . IssuerCrls ByteString[] The CRLs for the CA Certificates in the IssuerCertificates list. Its representation in the AddressSpace is defined
-
OPC-10000-12 – OPC Unified Architecture - Part 12: Discovery and Global Services7.8.2.10 TrustListValidationOptionsIgnore errors if the revocation list cannot be found for any issuer of issuer Certificates . CheckRevocationStatusOnline 5 Check the revocation status online. CheckRevocationStatusOffline 6 Check the revocation status offline ... Otherwise, validation fails. The revocation status flags only have meaning for issuer Certificates and are used when validating Certificates issued by that issuer. The default value for this DataType only
-
OPC-10000-12 – OPC Unified Architecture - Part 12: Discovery and Global Services7.8.3.1 CertificateGroupTypeapplication. This ObjectType allows an application which has multiple TrustLists and/or ApplicationInstance Certificates to express them in its AddressSpace . A CertificateManager can have many CertificateGroups which manage CertificateTypes and TrustLists ... NodeId RsaSha256ApplicationCertificate (see 7.8.4.9 ) specified allows an OPC UA Application to have one ApplicationInstance Certificates for each type. If this list is empty then the CertificateGroup does not allow Certificates
-
OPC-10000-12 – OPC Unified Architecture - Part 12: Discovery and Global Services7.8.3.2 GetRejectedListGetRejectedList GetRejectedList Method returns the list of Certificates that have been rejected by the Server . No rules are defined for how the Server updates this list or how long ... large enough to allow the entire list to be returned. Servers only add Certificates to this list that have no unsuppressed validation errors but are not trusted. For PullManagement , this
-
OPC-10000-12 – OPC Unified Architecture - Part 12: Discovery and Global Services7.8.3.3 CertificateGroupFolderTypeaccess the default application TrustList and to define the CertificateTypes allowed for the Certificates used by the application when communicating with peers: For OPC UA Applications and CertificateManagers these CertificateTypes ... specify what is allowed for ApplicationInstance Certificates . They shall specify one or more subtypes of ApplicationCertificateType (see 7.8.4.2 ). For NonUaApplications, these CertificateTypes specify what is allowed for the NonUaApplications Certificates
-
OPC-10000-12 – OPC Unified Architecture - Part 12: Discovery and Global Services7.8.3.4 CertificateGroupDataTypeCertificate is assigned to a deleted CertificateType . The DeleteCertificate Method is used to remove Certificates . The Purpose imposes restrictions on the allowed CertificateTypes . The update to the CertificateGroup is rejected ... example, if the Purpose is ApplicationCertificate Type then the CertificateGroup is used to specify Certificates used as ApplicationInstance Certificate . A NULL value is not valid. CertificateTypes 0:NodeId[] The list
-
OPC-10000-12 – OPC Unified Architecture - Part 12: Discovery and Global Services7.8.4.3 HttpsCertificateTypeHttpsCertificateType This type is used to describe Certificates that are intended for use as HTTPS Certificates . This type is defined in Table 48 . Table 48 - HttpsCertificateType Definition Attribute Value BrowseName
-
OPC-10000-12 – OPC Unified Architecture - Part 12: Discovery and Global Services7.8.4.4 UserCertificateTypeUserCertificateType This type is used to describe Certificates that are intended to identify users. This type is defined in Table 48 . Table 49 - UserCertificateType Definition Attribute Value BrowseName 0:UserCertificateType
-
OPC-10000-12 – OPC Unified Architecture - Part 12: Discovery and Global Services7.8.4.5 TlsCertificateTypeTlsCertificateType This type is used to describe Certificates that are intended for use as TLS Certificates . This type is defined in Table 48 . Table 50 - TlsCertificateType Definition Attribute Value BrowseName
-
OPC-10000-12 – OPC Unified Architecture - Part 12: Discovery and Global Services7.8.4.6 TlsServerCertificateTypeTlsServerCertificateType This type is used to describe a Certificates that is a TLS server Certificate . This type is defined in Table 51 . Table 51 - TlsServerCertificateType Definition Attribute Value BrowseName
-
OPC-10000-12 – OPC Unified Architecture - Part 12: Discovery and Global Services7.8.4.7 TlsClientCertificateTypeTlsClientCertificateType This type is used to describe a Certificates that is a TLS client Certificate . This type is defined in Table 52 . Table 52 - TlsClientCertificateType Definition Attribute Value BrowseName
-
OPC-10000-12 – OPC Unified Architecture - Part 12: Discovery and Global Services7.8.4.8 RsaMinApplicationCertificateTypeRsaMinApplicationCertificateType This type is used to describe Certificates intended for use as an ApplicationInstanceCertificate . They shall have an RSA key size of 1024 or 2048 bits. All Applications which support
-
OPC-10000-12 – OPC Unified Architecture - Part 12: Discovery and Global ServicesRsaSha256ApplicationCertificateType This type is used to describe Certificates intended for use as an ApplicationInstanceCertificate . They shall have an RSA key size of 2048, 3072 or 4096 bits. All Applications which
-
OPC-10000-12 – OPC Unified Architecture - Part 12: Discovery and Global Services7.8.4.10 EccApplicationCertificateTypeEccApplicationCertificateType This type is used to describe Certificates intended for use as an ApplicationInstanceCertificate . They shall have an ECC Public Key . Applications which support the ECC profiles
-
OPC-10000-12 – OPC Unified Architecture - Part 12: Discovery and Global ServicesEccNistP256ApplicationCertificateType This type is used to describe Certificates intended for use as an ApplicationInstanceCertificate . They shall have an ECC nistP256 Public Key . Applications which support the ECC NIST P256 curve
-
OPC-10000-12 – OPC Unified Architecture - Part 12: Discovery and Global ServicesEccNistP384ApplicationCertificateType This type is used to describe Certificates intended for use as an ApplicationInstanceCertificate . They shall have an ECC nistP384 Public Key . Applications which support the ECC NIST P384 curve
-
OPC-10000-12 – OPC Unified Architecture - Part 12: Discovery and Global ServicesEccBrainpoolP256r1ApplicationCertificateType This type is used to describe Certificates intended for use as an ApplicationInstanceCertificate . They shall have an ECC brainpoolP256r1 Public Key . Applications which support the ECC brainpoolP256r1 curve profiles
-
OPC-10000-12 – OPC Unified Architecture - Part 12: Discovery and Global ServicesEccBrainpoolP384r1ApplicationCertificateType This type is used to describe Certificates intended for use as an ApplicationInstanceCertificate . They shall have an ECC brainpoolP384r1 Public Key . Applications which support the ECC brainpoolP384r1 curve profiles
-
OPC-10000-12 – OPC Unified Architecture - Part 12: Discovery and Global ServicesEccCurve25519ApplicationCertificateType This type is used to describe Certificates intended for use as an ApplicationInstanceCertificate . They shall have an ECC curve25519 Public Key . Applications which support the ECC curve25519 curve profiles
-
OPC-10000-12 – OPC Unified Architecture - Part 12: Discovery and Global ServicesEccCurve448ApplicationCertificateType This type is used to describe Certificates intended for use as an ApplicationInstanceCertificate . They shall have an ECC curve448 Public Key . Applications which support the ECC curve448 curve profiles
-
OPC-10000-12 – OPC Unified Architecture - Part 12: Discovery and Global Services7.8.5.2 CloseAndUpdatestate of the record does not allow the operation. For example, a CertificateGroup has Certificates assigned. Table 29 specifies the AddressSpace representation for the CloseAndUpdate Method . Table 63 - CloseAndUpdate Method
-
OPC-10000-12 – OPC Unified Architecture - Part 12: Discovery and Global Services7.9.2 CertificateDirectoryTyperepresent each as a CertificateGroupType Object organized by CertificateGroups Folder. Clients could then request Certificates issued by a specific CA by passing the appropriate NodeId to the StartSigningRequest or StartNewKeyPairRequest ... returns a list of NodeIds for CertificateGroupType Objects that can be used to request Certificates or TrustLists for an application. The GetCertificates Method returns a list of Certificates assigned
-
OPC-10000-12 – OPC Unified Architecture - Part 12: Discovery and Global Services7.9.5 FinishRequestwith it. This field is null if no private key was requested. IssuerCertificates The Certificates required to validate the new Certificate . This call passes the NodeId returned by a previous
-
OPC-10000-12 – OPC Unified Architecture - Part 12: Discovery and Global Services7.9.6 RevokeCertificateTrustLists with the issuer Certificate shall be updated with the new CRL. Certificates assigned to an application are automatically revoked when the UnregisterApplication Method is called (see 6.5.8 ). This Method
-
OPC-10000-12 – OPC Unified Architecture - Part 12: Discovery and Global Services7.9.8 GetCertificatesGetCertificates The GetCertificates Method returns the Certificates assigned to the application and associated with the CertificateGroup . This Method shall be called from an authenticated SecureChannel and from a Client that ... Signature GetCertificates( [in] NodeId ApplicationId [in] NodeId CertificateGroupId [out] NodeId[] CertificateTypeIds [out] ByteString[] Certificates ); Argument Description ApplicationId The identifier assigned to the application by the GDS. CertificateGroupId An identifier
-
OPC-10000-12 – OPC Unified Architecture - Part 12: Discovery and Global Services7.9.9 GetTrustListthis Method . This TrustList includes any Certificate Revocation Lists (CRLs) associated with issuer Certificates in the TrustList . This Method shall be called from an authenticated SecureChannel and from a Client
-
OPC-10000-12 – OPC Unified Architecture - Part 12: Discovery and Global Services7.10.2 Transaction Lifecyclestarted in Session all other Sessions will not be able to modify TrustLists or Certificates . Transactions are automatically cancelled when the Session that created it is closed or when
-
OPC-10000-12 – OPC Unified Architecture - Part 12: Discovery and Global Services7.10.3 ServerConfigurationTypeapplication has access to hardware based secure storage for the PrivateKeys associated with its Certificates . If the SupportsTransactions Property is TRUE, the Server supports the transaction lifecyle defined ... currently assigned to a CertificateType in a CertificateGroup. The GetCertificates Method returns the Certificates assigned to each of the CertificateTypes in a CertificateGroup. The ApplyChanges Method is used complete changes
-
OPC-10000-12 – OPC Unified Architecture - Part 12: Discovery and Global Services7.10.5 UpdateCertificateencoded Certificate which replaces the existing Certificate. IssuerCertificates A list of issuer Certificates used to verify the signature on the new Certificate . If the CertificateGroup Purpose is ApplicationCertificateType , this list
-
OPC-10000-12 – OPC Unified Architecture - Part 12: Discovery and Global Services, 7.10.6 CreateSelfSignedCertificate: specifies what the Certificate is used for. For example, a CertificateGroup that contains ApplicationInstance Certificates would only contain Certificates that are valid ApplicationInstance Certificates as defined
-
OPC-10000-12 – OPC Unified Architecture - Part 12: Discovery and Global Services, 7.10.7 DeleteCertificate: existing transaction or create a new transaction if a transaction does not exist. Certificates that are referenced by EndpointDescriptions shall not be deleted. This determination happens when ApplyChanges is called
-
OPC-10000-12 – OPC Unified Architecture - Part 12: Discovery and Global Services, 7.10.8 GetCertificates: The GetCertificates Method returns the Certificates assigned to CertificateTypes associated with a CertificateGroup. This Method shall be called from an authenticated SecureChannel and from a Client that has access ... SecurityAdmin Role (see 7.2). Signature: GetCertificates([in] NodeId CertificateGroupId, [out] NodeId[] CertificateTypeIds, [out] ByteString[] Certificates); Arguments: CertificateGroupId, the identifier for the CertificateGroup; CertificateTypeIds, the CertificateTypes that currently have
-
OPC-10000-12 – OPC Unified Architecture - Part 12: Discovery and Global Services, 7.10.11 CancelChanges: Method is used to tell the Server to discard changes to the TrustLists or Certificates which were waiting for the Client to call ApplyChanges. This Method shall be called from
-
OPC-10000-12 – OPC Unified Architecture - Part 12: Discovery and Global Services, 7.10.12 GetRejectedList: The GetRejectedList Method returns the list of Certificates that have been rejected by the Server. No rules are defined for how the Server updates this list or how long ... Client that has access to the SecurityAdmin Role (see 7.2). Signature: GetRejectedList([out] ByteString[] Certificates); Arguments: Certificates, the DER encoded form of the Certificates rejected by the Server. Method
-
OPC-10000-12 – OPC Unified Architecture - Part 12: Discovery and Global Services, 7.10.19 ApplicationConfigurationDataType: fields (name, type, description): ApplicationConfigurationDataType, Structure; ApplicationIdentity, 0:ApplicationIdentityDataType, the application identity used to create new Certificates; CertificateGroups, 0:CertificateGroupDataType[], the list of CertificateGroups; ServerEndpoints, 0:ServerEndpointDataType[], a list of Server Endpoints
-
OPC-10000-12 – OPC Unified Architecture - Part 12: Discovery and Global Services, 7.10.21 ApplicationIdentityDataType: serialize the ApplicationIdentity configuration. It is defined in Table 108. The ApplicationIdentity affects Certificates, CertificateRequests and ApplicationDescriptions created by a Client or Server. When the ApplicationIdentity is changed, existing Certificates ... match the ApplicationUri in the Certificate. Applications shall continue to use the invalid Certificates, which allows the configuration Client, which is aware of the mismatch, to complete the process needed
-
OPC-10000-12 – OPC Unified Architecture - Part 12: Discovery and Global Services, 7.10.24 SecuritySettingsDataType: Server Endpoint. It is defined in Table 114. The CertificateGroup specifies one or more Certificates that are assigned to a Server. When generating EndpointDescriptions any SecurityPolicyUris (other than None) that ... valid for one of the Certificates associated with the CertificateGroup are ignored. If a SecurityPolicyUri is valid for more than one Certificate in the CertificateGroup, then an EndpointDescription is generated
-
OPC-10000-12 – OPC Unified Architecture - Part 12: Discovery and Global Services, 7.10.25 UserTokenSettingsDataType: ActivateSession request. For X509 UserIdentityTokens this value shall specify the SecurityPolicy that matches the Certificates that the Server will accept. For other UserIdentityTokens this value shall specify the SecurityPolicy
-
OPC-10000-12 – OPC Unified Architecture - Part 12: Discovery and Global Services, 7.10.27 CertificateUpdatedAuditEventType: Object. No Event is raised if the Method call fails. If ApplyChanges affects multiple Certificates then this Event is raised for each changed Certificate. Its representation in the AddressSpace
-
OPC-10000-12 – OPC Unified Architecture - Part 12: Discovery and Global Services, 8.1 Overview: KeyCredentials are secrets that are directly passed to AuthorizationServices and/or Brokers and are not Certificates with private keys. Certificate distribution is managed by the Certificate management model described
-
OPC-10000-12 – OPC Unified Architecture - Part 12: Discovery and Global Services, 8.6.7 UpdateCredential: encrypt the secret. For RSA SecurityPolicies this shall be one of the ApplicationInstance Certificates assigned to the Server. For ECC or RSA-DH SecurityPolicies this field is not specified ... CertificateInvalid: The Certificate is invalid or it is not one of the Server's Certificates. Bad_SecurityPolicyRejected: The SecurityPolicy is unrecognized or not allowed. Bad_UserAccessDenied: The current user does
-
OPC-10000-12 – OPC Unified Architecture - Part 12: Discovery and Global Services, 9.6.9 GetServiceDescription: ServiceUri: A globally unique identifier for the AuthorizationService. ServiceCertificate: The complete chain of Certificates used to validate the AccessTokens provided by the AuthorizationService. UserTokenPolicies: The UserIdentityTokens accepted
-
OPC-10000-12 – OPC Unified Architecture - Part 12: Discovery and Global Services: UriString: A URI uniquely identifies the AuthorizationService. ServiceCertificates (0:ServiceCertificateDataType[]): A list of Certificates used by the AuthorizationService to verify AccessTokens. Certificate (0:ByteString): The Certificate needed to verify AccessTokens ... AuthorizationService. Issuers (0:ByteString[]): The Issuers needed to verify the Certificate. The Certificates appear in the array starting with the issuer of the Certificate. The CRLs are not part
-
OPC-10000-12 – OPC Unified Architecture - Part 12: Discovery and Global Services: Certificate Store Directory Layout. A recommended directory layout for Applications that store their Certificates on a file system is shown in Table. The Local Discovery Server shall use this structure ... private keys used by the application. <root>/own/certs: Contains the X.509 v3 Certificates associated with the private keys in the ./private directory. <root>/own/private: Contains
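The layout above is something a practitioner has to create once and then keep locked down, because own/private is the one directory whose contents must never be readable by other accounts. The following is an added example (not code from the OPC Foundation or from any OPC UA stack) that builds the tree and audits it. Only <root>/own/certs and <root>/own/private appear in the snippet; the trusted, issuer and rejected entries in STORE_LAYOUT, the owner-only mode on own/private and the PEM-marker scan of own/certs are this example's assumptions about the rest of the recommended table and about sensible hardening, and the mode checks are POSIX-only.

```python
"""Build and audit the recommended OPC UA certificate store (Part 12, Certificate
Store Directory Layout).  Added example, not OPC Foundation or stack code.
The snippet names only <root>/own/certs and <root>/own/private; the trusted,
issuer and rejected entries below, the owner-only mode on own/private and the
PEM marker scan are this example's assumptions.  Mode checks are POSIX."""
import os
import tempfile
from pathlib import Path

STORE_LAYOUT = {                 # relative directory -> mode applied after creation
    "own/certs": 0o755,          # the application's own X.509 v3 Certificates
    "own/private": 0o700,        # matching private keys: owner only (assumed hardening)
    "trusted/certs": 0o755, "trusted/crl": 0o755,     # assumed
    "issuer/certs": 0o755, "issuer/crl": 0o755,       # assumed
    "rejected/certs": 0o755,                          # assumed
}
PEM_KEY_MARKER = b"PRIVATE KEY-----"   # matches "BEGIN (EC|RSA) PRIVATE KEY" headers

def create_store(root):
    """Create every directory in STORE_LAYOUT under root and pin its mode."""
    root = Path(root)
    for rel, mode in STORE_LAYOUT.items():
        d = root / rel
        d.mkdir(parents=True, exist_ok=True)
        os.chmod(d, mode)        # explicit chmod so the process umask cannot widen it
    return root

def audit_store(root):
    """Findings as a list of strings; an empty list means the store passes.
    Checks: directories present, own/private and its key files not group/world
    accessible, no PEM private key sitting in the shareable own/certs directory."""
    root, findings = Path(root), []
    for rel in STORE_LAYOUT:
        if not (root / rel).is_dir():
            findings.append(f"missing directory {rel}")
    private, certs = root / "own" / "private", root / "own" / "certs"
    if private.is_dir():
        if os.stat(private).st_mode & 0o077:
            findings.append("own/private is accessible to group or others")
        for f in private.iterdir():
            if f.is_file() and os.stat(f).st_mode & 0o077:
                findings.append(f"private key {f.name} is readable by group or others")
    if certs.is_dir():
        for f in certs.iterdir():
            if f.is_file() and PEM_KEY_MARKER in f.read_bytes():
                findings.append(f"private key material in own/certs: {f.name}")
    return findings

def demo():
    """Constructed scenario in a temporary directory; findings after each step."""
    root = create_store(tempfile.mkdtemp(prefix="opcua-pki-"))
    dummy_key = b"-----BEGIN EC PRIVATE KEY-----\nMA==\n-----END EC PRIVATE KEY-----\n"  # not a real key
    out = {"fresh": audit_store(root)}
    key = root / "own" / "private" / "app.pem"
    key.write_bytes(dummy_key)
    os.chmod(key, 0o644)                         # common mistake: key readable by everyone
    out["loose_key"] = audit_store(root)
    os.chmod(key, 0o600)
    out["fixed_key"] = audit_store(root)
    (root / "own" / "certs" / "app.pem").write_bytes(dummy_key)   # key copied next to the cert
    out["leaked_key"] = audit_store(root)
    return out
```

audit_store is the piece worth keeping: run it from a deployment check or a cron job against each application's <root> and treat any finding as a failed control.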
-
OPC-10000-12 – OPC Unified Architecture - Part 12: Discovery and Global Services: configuration shall know the location of the CertificateManager which they can use to request Certificates and download TrustLists. This location may be auto-discovered via mDNS by looking for Servers ... with the CertificateManager, the application needs to demonstrate that it has permission to request Certificates and TrustLists. This permission may be granted if the CertificateManager is pre-configured with
-
OPC-10000-12 – OPC Unified Architecture - Part 12: Discovery and Global Services: Certificate and TrustList; Set the configuration flag to OFF. Subsequent updates to TrustLists or Certificates can be allowed if the Client has a trusted Certificate and has access
-
OPC-10000-12 – OPC Unified Architecture - Part 12: Discovery and Global Services, H.1 Overview: Enrolment over Secure Transport or EST) defines a mechanism for the distribution of Certificates to devices. This appendix summarizes the Capabilities provided by EST and how the same Capabilities
-
OPC-10000-12 – OPC Unified Architecture - Part 12: Discovery and Global Services: Obtaining CA Certificates. In EST a web operation returns the CA certificates. In OPC UA the CA Certificates are returned when the CertificateManager client reads the TrustList assigned ... clients verify a CertificateManager. Table H.1 - Verifying that a Server is allowed to Provide Certificates (columns EST / OPC UA): Compare the URL for the EST server with the HTTPS certificate returned
-
OPC-10000-14 – OPC Unified Architecture - Part 14: PubSub, 7.3.2.4.1 General: channel which could have an impact on applications requiring a high level of determinism. Certificates are required for the DTLS Transport, and in order to manage these certificates the DTLS ... Transport requires the OPC UA GDS CertificateManager. Pull Management or Push Management of certificates shall be supported by any Publisher or Subscriber that supports the DTLS Transport (see Part
-
OPC-10000-18 – OPC Unified Architecture - Part 18: Role-Based Security, 4.4.1 RoleType definition: ApplicationsExclude Property is not provided or has a value of FALSE then only ApplicationInstance Certificates included in the Applications Property shall be included in this Role. All other ApplicationInstance Certificates ... this Role. If the ApplicationsExclude Property has a value of TRUE then all ApplicationInstance Certificates included in the Applications Property shall be excluded from this Role. All other ApplicationInstance Certificates
-
OPC-10000-21 – OPC Unified Architecture - Part 21: Device Onboarding, 4.1 Device Lifecycle: with other Applications running in the system. This process includes distributing TrustLists and issuing Certificates. Configuration: The OwnerOperator performs tasks that are not done while the Device is in full
-
OPC-10000-21 – OPC Unified Architecture - Part 21: Device Onboarding, 4.2.6 Roles and Privileges: registration. DCA: The Client is a DCA that has rights to request Certificates and TrustLists for Applications that it has been granted rights to. For a detailed description of Roles
-
OPC-10000-21 – OPC Unified Architecture - Part 21: Device Onboarding, 4.3.2 Onboarding: Device. The Registrar is responsible for determining if a DCA is authorized to request Certificates on behalf of a specific Application. For example, the DCA rights may be limited to Applications
-
OPC-10000-21 – OPC Unified Architecture - Part 21: Device Onboarding, 4.3.3 Application Setup: step, the DCA is issued a Certificate that allows it to request or accept Certificates on behalf of any Application running on the Device. If the DCA is a Client ... connect to the CertificateManager and request the additional Certificates and TrustLists without the need for additional approvals. If the DCA is a Server the CertificateManager can locate Applications within
-
OPC-10000-21 – OPC Unified Architecture - Part 21: Device Onboarding, 5.1 Device Identity: electronic reading (e.g. RFID, QR code, bar code, etc.). The IDevID and LDevID Certificates shall conform to 802.1AR. The term DeviceIdentity Certificate is used to describe IDevID ... LDevID Certificates that meet the requirements of this document. The mechanisms for creating, installing, securing and revoking the IDevID and LDevID Certificates depend on the Manufacturer; however, Devices should provide
-
OPC-10000-21 – OPC Unified Architecture - Part 21: Device Onboarding: scenarios, the CompositeBuilder may treat the contained Composites as Devices and add additional LDevID Certificates that identify the Devices as a component of the container Composite. The additional LDevID Certificate ... each externally visible Device. This requires that additional Trust Lists be provided and new Certificates be issued to the Applications. CompositeBuilders may limit access to Applications running on the Devices
-
OPC-10000-21 – OPC Unified Architecture - Part 21: Device Onboarding, 6.1 Tickets: need a relationship with the Manufacturer of the Device to validate the Ticket. DeviceIdentity Certificates are typically signed with a chain ending in a root CA owned by the Manufacturer ... with a Certificate issued to the Manufacturer by a well-known root CA. Issuer Certificates for Certificates used to sign Tickets shall have the cRLDistributionPoints or authorityInfoAccess extensions defined
-
OPC-10000-21 – OPC Unified Architecture - Part 21: Device Onboarding: Devices have access to the Tickets and the CA that issued the signing Certificates. This usually requires a network connection that allows the revocation status to be checked. The Tickets ... system to check revocation lists. The OwnerOperator can also manage the issue of expiring Certificates by periodically re-validating and adding a new Signature before the previous Certificate that created
-
OPC-10000-21 – OPC Unified Architecture - Part 21: Device Onboarding, 6.3 Authentication: Registrar that detects new Devices added to the network, inspects their DeviceIdentity Certificates and finds the corresponding DeviceIdentityTicket. If a match is found the Device is accepted ... Device is first connected the DCA is configured to use any of its DeviceIdentity Certificates as its Application Instance Certificate. Note that DeviceIdentity Certificates will not have a DNS name
-
OPC-10000-21 – OPC Unified Architecture - Part 21: Device Onboarding: from the Device during the authentication process. For this strategy to be secure the Certificates used to sign the Tickets are provided to the Registrar in advance by the RegistrarAdmin ... described completely in OPC 10000-4; however, checks that are specific to Application Instance Certificates do not apply (e.g. the HostName and ApplicationUri checks). Trusted root CertificateAuthorities used to issue
-
OPC-10000-21 – OPC Unified Architecture - Part 21: Device Onboarding, 7.1 Overview: Devices they do not trust. The steps to determine trust are: read all DeviceIdentity Certificates from the Device; locate a Ticket that has a ProductInstanceUri that matches one or more ... DeviceIdentity Certificates; validate the Ticket if it has not already been validated (see 6.4); select and validate a DeviceIdentity Certificate that matches the Ticket; establish a secure connection to the Device
-
OPC-10000-21 – OPC Unified Architecture - Part 21: Device Onboarding, 7.2 Pull Management: Instance Certificate. Once connected to a Registrar the Device provides all of its DeviceIdentity Certificates to the Registrar which then attempts to locate a valid Ticket that matches ... Certificates. If a Composite Ticket that matches the Device ProductInstanceUri exists then only DeviceIdentity Certificates with the CompositeInstanceUri are considered by the Registrar. If no Ticket is found the Registrar
-
OPC-10000-21 – OPC Unified Architecture - Part 21: Device Onboarding, 7.4.1 Overview: OwnerOperator have a complete solution that manages the entire life cycle of the Certificates installed on the Device. In these cases, the onboarding mechanisms described in this specification ... responsibility of the alternate mechanism to issue and renew Application Instance Certificates to all Applications running on the Device and to maintain their Trust Lists. In other cases, the alternate
-
OPC-10000-21 – OPC Unified Architecture - Part 21: Device Onboarding, 7.4.2.2 Integration with the Registrar: preconfigured with the CA Certificate used by the FDO Owner to issue the Certificates to authenticated FDO Devices. The FDO Owner uses an FSIM (fdo.csr) that creates a new LDevID
-
OPC-10000-21 – OPC Unified Architecture - Part 21: Device Onboarding: compositeInstanceUri (0:UriString): The ProductInstanceUri assigned to the Composite. This value appears in LDevID Certificates assigned to Devices by the CompositeBuilder (see 5.3). devices (0:UriString[]): A list of ProductInstanceUris
-
OPC-10000-21 – OPC Unified Architecture - Part 21: Device Onboarding, 8.2.6 CertificateAuthorityType: The CertificateAuthorityType describes a Certificate Authority (CA) used to issue Certificates to Devices, Composites or to organizations that create Tickets. The fields of this DataType are defined in Table ... authorityCertificate (0:ByteString): The DER encoded Certificate used to issue Certificates. issuerCertificates (0:ByteString[]): The DER encoded form of the Issuer for the authorityCertificate. It should include the entire chain
-
OPC-10000-21 – OPC Unified Architecture - Part 21: Device Onboarding, 9.2.2 DeviceRegistrarType: with the Registrar. The Administration Object allows an administration Client to manage Tickets and Certificates received out of band that are needed for the automated registration process
-
OPC-10000-21 – OPC Unified Architecture - Part 21: Device Onboarding, 9.2.3 ProvideIdentities: called by a Device using PullManagement to provide the Registrar with its DeviceIdentity Certificates. The Registrar follows the process described in 7 to select and validate one of the Certificates ... NodeId applicationId, [out] 2:ManagerDescription softwareUpdateManager); Arguments: identities, the DER encoded DeviceIdentity Certificates issued to the Device (the first Certificates shall be the IDevID Certificates); issuers, the DER encoded
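The Registrar-side procedure spread over 6.1, 6.3, 7.1, 7.2 and ProvideIdentities (read all DeviceIdentity Certificates, find the Ticket whose ProductInstanceUri matches, prefer Certificates carrying the CompositeInstanceUri when a Composite Ticket matches, validate the selected Certificate against the Ticket's authorityCertificate without the HostName and ApplicationUri checks, keep the IDevID-first order) is shown below as an added example that is not OPC Foundation code and not any stack's implementation. It uses the Python `cryptography` package and generates its own throw-away PKI. Everything beyond the snippets is an assumption of this example: the DeviceTicket and CompositeTicket dataclasses are a modelled subset of the real Ticket types and their signature validation (6.4) is taken as already done, the ProductInstanceUri is assumed to travel as a URI SubjectAltName, the URIs and CA names are constructed, and only ECDSA P-256 keys are handled. has_revocation_pointer implements the 6.1 requirement that Issuer Certificates of Ticket signers carry cRLDistributionPoints or authorityInfoAccess.

```python
"""Registrar-side DeviceIdentity Certificate selection (Part 21: 7.1, 7.2, 9.2.3)
with real X.509 objects.  Added example, not OPC Foundation or stack code.
Assumptions: ProductInstanceUri/CompositeInstanceUri travel as URI SubjectAltNames,
Tickets were already validated against the TicketAuthorities (6.4), ECDSA P-256 only."""
import datetime as dt
from dataclasses import dataclass
from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.hazmat.primitives.serialization import Encoding
from cryptography.x509.oid import ExtensionOID, NameOID

@dataclass
class DeviceTicket:                       # modelled subset of a DeviceIdentityTicket
    product_instance_uri: str
    authority_certificate: x509.Certificate   # 8.2.6 authorityCertificate
@dataclass
class CompositeTicket:                    # modelled subset: compositeInstanceUri + devices
    composite_instance_uri: str
    devices: list                         # ProductInstanceUris of the contained Devices
    authority_certificate: x509.Certificate

def uris(cert):
    """URI SubjectAltName entries, where the ProductInstanceUri is carried (assumed)."""
    try:
        san = cert.extensions.get_extension_for_oid(ExtensionOID.SUBJECT_ALTERNATIVE_NAME).value
    except x509.ExtensionNotFound:
        return []
    return san.get_values_for_type(x509.UniformResourceIdentifier)

def has_revocation_pointer(cert):
    """6.1: Issuer Certificates of Ticket signers need cRLDistributionPoints or authorityInfoAccess."""
    oids = {e.oid for e in cert.extensions}
    return bool(oids & {ExtensionOID.CRL_DISTRIBUTION_POINTS, ExtensionOID.AUTHORITY_INFORMATION_ACCESS})

def validate_device_identity(cert, authority):
    """Issuer, signature and validity only; no HostName/ApplicationUri checks (6.3)."""
    if cert.issuer != authority.subject:
        return False
    try:
        authority.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                                      ec.ECDSA(cert.signature_hash_algorithm))
    except Exception:                     # InvalidSignature or a non-EC authority key
        return False
    nb = getattr(cert, "not_valid_before_utc", None)   # cryptography >= 42
    na = getattr(cert, "not_valid_after_utc", None)
    if nb is None:                        # older releases expose naive UTC datetimes
        nb, na = (t.replace(tzinfo=dt.timezone.utc) for t in (cert.not_valid_before, cert.not_valid_after))
    return nb <= dt.datetime.now(dt.timezone.utc) <= na

def select_device_identity(identities, tickets):
    """identities: DER certs in ProvideIdentities order (IDevID first).  Raises ValueError
    when the Registrar would reject the Device, else returns the selected Certificate."""
    certs = [x509.load_der_x509_certificate(d) for d in identities]
    device_uris = {u for c in certs for u in uris(c)}
    composite = next((t for t in tickets if isinstance(t, CompositeTicket)
                      and device_uris & set(t.devices)), None)
    if composite is not None:             # 7.2: only certs with the CompositeInstanceUri count
        want, authority = composite.composite_instance_uri, composite.authority_certificate
    else:
        ticket = next((t for t in tickets if isinstance(t, DeviceTicket)
                       and t.product_instance_uri in device_uris), None)
        if ticket is None:
            raise ValueError("no Ticket matches the Device's DeviceIdentity Certificates")
        want, authority = ticket.product_instance_uri, ticket.authority_certificate
    for cert in certs:                    # keeps the IDevID-before-LDevID order
        if want in uris(cert) and validate_device_identity(cert, authority):
            return cert
    raise ValueError(f"no valid DeviceIdentity Certificate for {want}")

def make_cert(name, signer=None, uri=None, crl_url=None, start=-1, end=3650):
    """Constructed sample PKI: self-signed CA if signer is None, else a DevID with URI SAN."""
    key = ec.generate_private_key(ec.SECP256R1())
    now = dt.datetime.now(dt.timezone.utc)
    subj = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, name)])
    b = (x509.CertificateBuilder().subject_name(subj).public_key(key.public_key())
         .issuer_name(subj if signer is None else signer[1].subject)
         .serial_number(x509.random_serial_number())
         .not_valid_before(now + dt.timedelta(days=start)).not_valid_after(now + dt.timedelta(days=end)))
    if signer is None:
        b = b.add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
    if uri:
        b = b.add_extension(x509.SubjectAlternativeName([x509.UniformResourceIdentifier(uri)]), critical=False)
    if crl_url:
        b = b.add_extension(x509.CRLDistributionPoints([x509.DistributionPoint(
            [x509.UniformResourceIdentifier(crl_url)], None, None, None)]), critical=False)
    return key, b.sign(key if signer is None else signer[0], hashes.SHA256())

def demo():
    """IDevID accepted; rogue CA and expired cert rejected; Composite Ticket selects the LDevID."""
    mfr = make_cert("Acme Manufacturer CA", crl_url="http://crl.example/mfr.crl")  # hypothetical
    rogue, builder = make_cert("Rogue CA"), make_cert("Composite Builder CA")
    product, composite = "urn:example:acme:sensor:SN-0001", "urn:example:integrator:skid:SK-42"
    der = lambda kc: kc[1].public_bytes(Encoding.DER)
    ticket = DeviceTicket(product, mfr[1])
    idevid = der(make_cert("device", mfr, product))
    out = {"accepted_uri": uris(select_device_identity([idevid], [ticket]))[0]}
    for label, ids in (("rogue", [der(make_cert("device", rogue, product))]),
                       ("expired", [der(make_cert("device", mfr, product, start=-10, end=-5))])):
        try:
            select_device_identity(ids, [ticket]); out[label] = "accepted"
        except ValueError:
            out[label] = "rejected"
    ldevid = der(make_cert("device", builder, composite))
    ctk = CompositeTicket(composite, [product], builder[1])
    out["composite_uri"] = uris(select_device_identity([idevid, ldevid], [ctk, ticket]))[0]
    out["crl_pointer"] = (has_revocation_pointer(mfr[1]), has_revocation_pointer(rogue[1]))
    return out
```

The deliberate omission in validate_device_identity is the point of 6.3: a Registrar that reuses an Application Instance Certificate validator will reject every DeviceIdentity Certificate for lacking a HostName, so the check set has to be a distinct profile rather than a relaxed flag. demo() returns a dict so the outcomes of the constructed scenario can be inspected directly.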
-
OPC-10000-21 – OPC Unified Architecture - Part 21: Device Onboarding: needed in the CertificateManager and returns the ApplicationIds which are needed to request Certificates and TrustLists for the Application. The ProtocolUri is only specified when the Application does not support
-
OPC-10000-21 – OPC Unified Architecture - Part 21: Device Onboarding, 9.2.10 DeviceRegistrarAdminType: accepted using the Tickets. The TicketAuthorities Object allows an administration Client to manage the Certificates for authorities that sign Tickets. If a Device provides a Ticket, it is accepted automatically ... this list. The DeviceIdentityAuthorities Object allows a RegistrarAdmin to manage the trusted DeviceIdentity Certificates. This list can contain individual DeviceIdentity Certificates that have a valid Ticket or it can contain