PullManagementis performed by using the CertificateManagerinformation model, in particular the Methods defined in 7.9. The interactions between Applicationand CertificateManagerduring PullManagementare illustrated in Figure 14.


Figure 14– The Pull Management Model for Certificates

The Application Administration component may be part of the Clientor Serveror a standalone utility that understands how the application persists its configuration information in its Configuration Database.

A similar process is used to renew certificates or to periodically update Trust List.

Security in PullManagementrequires an encrypted channel and authorized credentials. These credentials may be user credentials for a CertificateAuthorityAdmin or application credentials determined by the Certificateused to create the SecureChannel. Examples of the application credentials include Certificatespreviously issued to the application being accessed, Device Certificatesissued by the Registrardefined in OPC 10000-21or Certificatesisssued to an application with accesss to the ApplicationAdmin Privilege(see 6.2).