7.10.5 UpdateCertificate

UpdateCertificate is used to update a Certificate.

There are the following two use cases for this Method:

The PrivateKey is already known to the Server (i.e. it was created with the CreateSigningRequest (see 7.10.10) or CreateSelfSignedCertificate (see 7.10.6) Method).

The PrivateKey was created outside the Server and is updated with this Method.

The Purpose of the associated CertificateGroup determines the validation rules for the Certificate being updated. For ApplicationCertificateType, the Server shall verify the Certificate using the validation process defined in OPC 10000-4. All suppressible errors shall be ignored; however, they may be logged as warnings. If the validation fails, the appropriate StatusCode defined in OPC 10000-4 shall be reported. The validation process requires that the TrustList associated with the CertificateGroup already contains the IssuerCertificates. Revocation checks may be done with CRLs in the TrustList or using online CRL checks.

For Purposes other than ApplicationCertificateType, the validation rules are not defined by this specification.

This Method may be called within the context of an ApplicationConfiguration Object (see 7.10.14) which means the Certificate may be used by a Client or a non-OPC UA application.

The Server shall report an error if the PublicKey does not match the existing Certificate and the PrivateKey was not provided.

If a transaction is in progress (see 7.10.9) on another Session then the Server shall return Bad_TransactionPending.

If the SecureChannel is not authenticated the Server shall return Bad_SecurityModeInsufficient.

If the Server returns ApplyChangesRequired=FALSE then it is indicating that it is able to satisfy the requirements specified for the ApplyChanges Method.

This Method shall be called from an encrypted SecureChannel and from a Client that has access to the SecurityAdmin Role (see 7.2).

Signature

UpdateCertificate(
	[in]  NodeId CertificateGroupId
	[in]  NodeId CertificateTypeId
	[in]  ByteString Certificate
	[in]  ByteString[] IssuerCertificates
	[in]  String PrivateKeyFormat
	[in]  ByteString PrivateKey
	[out] Boolean ApplyChangesRequired
);
Argument	Description
CertificateGroupId	The NodeId of the CertificateGroup Object which is affected by the update. If null the DefaultApplicationGroup is used.
CertificateTypeId	The type of Certificate being updated. The set of permitted types is specified by the CertificateTypes Property belonging to the CertificateGroup.
Certificate	The DER encoded Certificate which replaces the existing Certificate.
IssuerCertificates	A list of issuer Certificates used to verify the signature on the new Certificate. If the CertificateGroup Purpose is ApplicationCertificateType, this list is redundant because the IssuerCertificates are already required to be in the associated TrustList; therefore the Server shall ignore this list.
PrivateKeyFormat	The format of the Private Key (PKCS #12 encoded, or PKCS #8 Base64 encoded DER (see RFC 5958)). If the PrivateKey is not specified the PrivateKeyFormat is null or empty.
PrivateKey	The Private Key encoded in the PrivateKeyFormat.
ApplyChangesRequired	Indicates that the ApplyChanges Method shall be called before the new Certificate will be used.

Method Result Codes (defined in Call Service)

Result Code	Description
Bad_InvalidArgument	The CertificateTypeId or CertificateGroupId is not valid.
Bad_CertificateInvalid	The Certificate is invalid or the format is not supported.
Bad_NotSupported	The PrivateKey is invalid or the format is not supported.
Bad_UserAccessDenied	The current user does not have the rights required.
Bad_SecurityChecksFailed	Some failure occurred verifying the integrity of the Certificate.
Bad_TransactionPending	There is already a transaction active for another session.
Bad_SecurityModeInsufficient	The SecureChannel is not encrypted.
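The pre-conditions in the description above (encrypted SecureChannel, SecurityAdmin Role, no transaction pending on another Session, permitted CertificateTypeId, IssuerCertificates already in the TrustList, public key unchanged unless a PrivateKey is supplied) and the result codes in the table map onto a fixed sequence of server-side checks. The following Python sketch is an added example, not text or code from OPC 10000-12 or from any OPC UA stack: it models a Server's UpdateCertificate handler over constructed in-memory state (Cert, CertificateGroup, Session and ServerState are stand-ins, not types from the specification) and returns the StatusCode together with ApplyChangesRequired. The full chain validation of OPC 10000-4 is reduced to an issuer lookup in the TrustList. Three points the page leaves open are assumptions here: the PrivateKeyFormat identifiers are spelled "PFX" and "PEM", a public-key mismatch without a PrivateKey is reported as Bad_CertificateInvalid, and a non-empty PrivateKeyFormat without a PrivateKey is Bad_InvalidArgument.

```python
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Optional, Tuple

# Result codes as listed in the Method Result Codes table of this section.
GOOD = "Good"
BAD_INVALID_ARGUMENT = "Bad_InvalidArgument"
BAD_CERTIFICATE_INVALID = "Bad_CertificateInvalid"
BAD_NOT_SUPPORTED = "Bad_NotSupported"
BAD_USER_ACCESS_DENIED = "Bad_UserAccessDenied"
BAD_SECURITY_CHECKS_FAILED = "Bad_SecurityChecksFailed"
BAD_TRANSACTION_PENDING = "Bad_TransactionPending"
BAD_SECURITY_MODE_INSUFFICIENT = "Bad_SecurityModeInsufficient"

# Assumption: the page names the encodings (PKCS #12, PKCS #8 DER in Base64)
# but not the identifier strings; "PFX" and "PEM" are used here.
SUPPORTED_KEY_FORMATS = frozenset({"PFX", "PEM"})


@dataclass(frozen=True)
class Cert:
    """Constructed stand-in for a DER certificate; carries only what the checks need."""
    public_key: bytes
    issuer: str


@dataclass
class CertificateGroup:
    purpose: str                                   # e.g. "ApplicationCertificateType"
    certificate_types: FrozenSet[str]              # CertificateTypes Property
    trust_list_issuers: FrozenSet[str]             # issuers present in the group's TrustList
    installed: Dict[str, Cert] = field(default_factory=dict)  # CertificateTypeId -> current cert
    pending: Dict[str, Cert] = field(default_factory=dict)    # staged until ApplyChanges


@dataclass(frozen=True)
class Session:
    session_id: str
    channel_encrypted: bool
    roles: FrozenSet[str]


@dataclass
class ServerState:
    groups: Dict[str, CertificateGroup]
    default_group_id: str
    transaction_owner: Optional[str] = None        # session id holding an open transaction


def update_certificate(server: ServerState, session: Session, group_id: Optional[str],
                       type_id: str, certificate: Optional[Cert],
                       issuer_certificates: Optional[List[Cert]],
                       key_format: Optional[str], private_key: Optional[bytes]
                       ) -> Tuple[str, Optional[bool]]:
    """Return (StatusCode, ApplyChangesRequired); the output argument is None on failure."""
    if not session.channel_encrypted:
        return BAD_SECURITY_MODE_INSUFFICIENT, None
    if "SecurityAdmin" not in session.roles:
        return BAD_USER_ACCESS_DENIED, None
    if server.transaction_owner not in (None, session.session_id):
        return BAD_TRANSACTION_PENDING, None
    group = server.groups.get(group_id or server.default_group_id)   # null -> DefaultApplicationGroup
    if group is None or type_id not in group.certificate_types:
        return BAD_INVALID_ARGUMENT, None
    if certificate is None:
        return BAD_CERTIFICATE_INVALID, None
    if group.purpose == "ApplicationCertificateType":
        # The IssuerCertificates argument is ignored: the chain must already be in the TrustList.
        if certificate.issuer not in group.trust_list_issuers:
            return BAD_SECURITY_CHECKS_FAILED, None
    if private_key is None:
        if key_format:                             # assumption: format without a key is an argument error
            return BAD_INVALID_ARGUMENT, None
        # The key stays on the Server, so the new certificate must wrap the existing public key.
        existing = group.installed.get(type_id)
        if existing is None or existing.public_key != certificate.public_key:
            return BAD_CERTIFICATE_INVALID, None   # assumption: page does not name this code
    elif key_format not in SUPPORTED_KEY_FORMATS:
        return BAD_NOT_SUPPORTED, None
    group.pending[type_id] = certificate            # takes effect after ApplyChanges
    return GOOD, True


def make_server() -> ServerState:
    """Constructed sample state: one group, one installed certificate, issuer CA1 trusted."""
    group = CertificateGroup(
        purpose="ApplicationCertificateType",
        certificate_types=frozenset({"RsaSha256ApplicationCertificateType"}),
        trust_list_issuers=frozenset({"CA1"}),
        installed={"RsaSha256ApplicationCertificateType": Cert(b"pubkey-A", "CA1")},
    )
    return ServerState(groups={"DefaultApplicationGroup": group},
                       default_group_id="DefaultApplicationGroup")


if __name__ == "__main__":
    admin = Session("s1", channel_encrypted=True, roles=frozenset({"SecurityAdmin"}))
    print(update_certificate(make_server(), admin, None, "RsaSha256ApplicationCertificateType",
                             Cert(b"pubkey-A", "CA1"), [], None, None))
```

The order of the checks matters for what a caller learns: the channel and Role checks run before any argument is inspected, so an unauthorised Client cannot probe which CertificateGroupIds or CertificateTypeIds exist by the difference between Bad_InvalidArgument and the later codes.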

Table 89 specifies the AddressSpace representation for the UpdateCertificate Method.

Table 89 – UpdateCertificate Method AddressSpace Definition
Attribute	Value
BrowseName	0:UpdateCertificate

References	NodeClass	BrowseName	DataType	TypeDefinition	ModellingRule
HasProperty	Variable	InputArguments	Argument[]	PropertyType	Mandatory
HasProperty	Variable	OutputArguments	Argument[]	PropertyType	Mandatory