6.8 Cryptographic Keys

Security Profiles listed in Part 7 describe required algorithms and required key lengths. Key length requirements are often specified as a set, i.e., 2048, 3072, 4096 bits. It is important that an OPC UA Application supports the entire set of values for its ApplicationInstanceCertificate. This allows an end user to generate a key (ApplicationInstanceCertificate) that meets their security requirements. This often extends the period of time for which the given Security profile can be used. For example, key lengths of 2048 can already be considered insecure, but if an end user generates certificates for the high end of the set (4096), the application could still be considered secure (depending on the other algorithms).