## 7.5.10 CertificateGroupType

This type is used for Objects which represent Certificate Groups in the AddressSpace. A Certificate Group is a context that contains a Trust List and one or more Certificates that can be assigned to an Application. This type exists to allow an Application which has multiple Trust Lists and/or Application Certificates to express them in its AddressSpace. This type is defined in Table 21.

Table 21 – CertificateGroupType Definition

| Attribute | Value |
|---|---|
| BrowseName | CertificateGroupType |
| Namespace | CORE (see 3.3) |
| IsAbstract | False |

Subtype of the BaseObjectType defined in OPC 10000-5.

| References | NodeClass | BrowseName | DataType | TypeDefinition | Modelling Rule |
|---|---|---|---|---|---|
| HasComponent | Object | TrustList | - | TrustListType | Mandatory |
| HasProperty | Variable | CertificateTypes | NodeId[] | PropertyType | Mandatory |
| HasComponent | Object | CertificateExpired | - | CertificateExpirationAlarmType | Optional |
| HasComponent | Object | TrustListOutOfDate | - | TrustListOutOfDateAlarmType | Optional |
| HasComponent | Method | GetRejectedList | - | See 7.5.10.1. | Optional |

The TrustList Object is the Trust List associated with the Certificate Group.

The CertificateTypes Property specifies the NodeIds of the CertificateTypes which may be assigned to Applications which belong to the Certificate Group. For example, a Certificate Group with the NodeId of RsaMinApplicationCertificateType (see 7.5.15) and the NodeId of RsaSha256ApplicationCertificateType (see 7.5.16) specified allows an Application to have one Application Instance Certificate for each type. Abstract base types may be used in this value and indicate that any subtype is allowed. If this list is empty then the Certificate Group does not allow Certificates to be assigned to Applications (i.e. the Certificate Group exists only to allow the associated Trust List to be read or updated). All CertificateTypes for a given Certificate Group shall be subtypes of a single common type, which shall be either ApplicationCertificateType or HttpsCertificateType.
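The rules above for the CertificateTypes value (empty list, abstract entries admitting any subtype, and the single-common-base requirement) are easy to get wrong when a Server builds or a Client validates a Certificate Group. The following is an added example, not code from OPC 10000-12 or any OPC UA stack: it models the CertificateType hierarchy with the type names the text uses (which types are abstract is an assumption for the example, and type names stand in for NodeIds) and checks a CertificateTypes value against those rules.

```python
"""Added example (not part of OPC 10000-12): validating a CertificateGroup's
CertificateTypes value against the rules of 7.5.10."""

# Constructed type hierarchy using the names from the specification text.
# Parent links and the abstract/concrete split are assumptions for this example.
CERTIFICATE_TYPE_PARENTS = {
    "CertificateType": None,
    "ApplicationCertificateType": "CertificateType",
    "HttpsCertificateType": "CertificateType",
    "RsaMinApplicationCertificateType": "ApplicationCertificateType",
    "RsaSha256ApplicationCertificateType": "ApplicationCertificateType",
}
ABSTRACT_TYPES = {"CertificateType", "ApplicationCertificateType", "HttpsCertificateType"}

# The text requires every entry to descend from exactly one of these two bases.
COMMON_BASES = ("ApplicationCertificateType", "HttpsCertificateType")


def is_subtype_of(node, base):
    """True if node is base or base is one of its ancestors."""
    while node is not None:
        if node == base:
            return True
        node = CERTIFICATE_TYPE_PARENTS[node]
    return False


def validate_certificate_types(certificate_types):
    """Return (ok, reason) for a CertificateTypes Property value.

    An empty list is valid: the group then exists only so its TrustList can be
    read or updated, and no Certificate may be assigned to an Application."""
    if not certificate_types:
        return True, "no Certificates may be assigned; TrustList read/update only"
    unknown = [t for t in certificate_types if t not in CERTIFICATE_TYPE_PARENTS]
    if unknown:
        return False, f"unknown CertificateType(s): {unknown}"
    for base in COMMON_BASES:
        if all(is_subtype_of(t, base) for t in certificate_types):
            return True, f"all types derive from {base}"
    return False, "entries do not share a single common base (Application vs Https)"


def certificate_type_allowed(group_types, candidate):
    """May a Certificate of the concrete type `candidate` be assigned under this
    group? An abstract entry in CertificateTypes admits any of its subtypes."""
    if candidate in ABSTRACT_TYPES or candidate not in CERTIFICATE_TYPE_PARENTS:
        return False
    return any(is_subtype_of(candidate, allowed) for allowed in group_types)


if __name__ == "__main__":
    group = ["RsaMinApplicationCertificateType", "RsaSha256ApplicationCertificateType"]
    print(validate_certificate_types(group))
    print(validate_certificate_types(["RsaMinApplicationCertificateType", "HttpsCertificateType"]))
    print(certificate_type_allowed(["ApplicationCertificateType"], "RsaSha256ApplicationCertificateType"))
```

A Client that manages Certificates through a GDS can run the same `certificate_type_allowed` check before requesting a Certificate for a group, so that a mismatch is caught locally rather than surfacing as a rejected request.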

The CertificateExpired Object is an Alarm which is raised when the Certificate associated with the CertificateGroup is about to expire. The CertificateExpirationAlarmType is defined in OPC 10000-9.

The TrustListOutOfDate Object is an Alarm which is raised when the Trust List has not been updated within the period specified by the UpdateFrequency (see 7.5.2). The TrustListOutOfDateAlarmType is defined in 7.5.9.

## 7.5.10.1 GetRejectedList

The GetRejectedList Method returns the list of Certificates that have been rejected by the Server when using the TrustList associated with the CertificateGroup. It can be used to track activity or allow administrators to move a rejected Certificate into the TrustList.

No rules are defined for how the Server updates this list or how long a Certificate is kept in the list. It is recommended that every valid but untrusted Certificate be added to the rejected list as long as storage is available. Servers should omit older entries from the list returned if the maximum message size is not large enough to allow the entire list to be returned.

This Method requires an encrypted channel and that the Client provides credentials with administrative rights on the Server.

Signature

    GetRejectedList(
        [out] ByteString[] certificates
    );

| Argument | Description |
|---|---|
| certificates | The DER encoded form of the Certificates rejected by the Server. |

Method Result Codes (defined in Call Service)

| Result Code | Description |
|---|---|
| Bad_UserAccessDenied | The current user does not have the rights required. |
| Bad_SecurityModeInsufficient | The SecureChannel is not encrypted. |
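A Server implementing GetRejectedList has to combine three things from the text above: the two access preconditions (encrypted channel, administrative user) with their result codes, the rejected-list storage, and the recommendation to drop older entries when the whole list would exceed the maximum message size. The following is an added example of such a handler, not code from OPC 10000-12 or any OPC UA stack. It assumes a session object represented as a dict with a MessageSecurityMode name and an admin flag, a fixed per-response overhead figure, and constructed placeholder byte strings in place of real DER certificates; the size arithmetic uses the OPC UA binary encoding of ByteString (Int32 length plus bytes) and arrays (Int32 count plus elements).

```python
"""Added example (not part of OPC 10000-12): a server-side GetRejectedList
handler applying the access checks of 7.5.10.1 and trimming older entries so
the response fits the negotiated maximum message size."""

# OPC UA binary encoding: a ByteString carries an Int32 length prefix, and an
# array carries an Int32 element count before its elements.
LENGTH_PREFIX = 4

# Constructed sample data: (time the Server rejected it, DER bytes). The byte
# strings are placeholders standing in for DER-encoded certificates.
REJECTED = [
    (1_700_000_000, b"\x30\x82\x01\x00" + b"A" * 256),  # oldest
    (1_700_000_100, b"\x30\x82\x01\x00" + b"B" * 256),
    (1_700_000_200, b"\x30\x82\x01\x00" + b"C" * 256),  # newest
]


def encoded_array_size(byte_strings):
    """Encoded size in bytes of a ByteString[] under OPC UA binary encoding."""
    return LENGTH_PREFIX + sum(LENGTH_PREFIX + len(b) for b in byte_strings)


def newest_that_fit(entries, max_message_size, overhead):
    """Keep the newest entries whose encoded size fits the response budget.

    Entries are taken newest first and the walk stops at the first one that
    does not fit, so what gets omitted is a contiguous tail of the oldest
    entries, matching the recommendation in 7.5.10.1. Returned newest first."""
    budget = max_message_size - overhead
    kept = []
    for _, der in sorted(entries, key=lambda e: e[0], reverse=True):
        if encoded_array_size(kept + [der]) > budget:
            break
        kept.append(der)
    return kept


def get_rejected_list(session, entries, max_message_size, response_overhead=64):
    """Return (status_name, certificates) for a GetRejectedList call.

    `session` is an assumed dict with keys "security_mode" (a
    MessageSecurityMode name) and "is_admin". `response_overhead` is an
    assumed allowance for the CallResponse framing around the array."""
    if session.get("security_mode") != "SignAndEncrypt":
        return "Bad_SecurityModeInsufficient", []
    if not session.get("is_admin", False):
        return "Bad_UserAccessDenied", []
    return "Good", newest_that_fit(entries, max_message_size, response_overhead)


if __name__ == "__main__":
    admin = {"security_mode": "SignAndEncrypt", "is_admin": True}
    status, certs = get_rejected_list(admin, REJECTED, max_message_size=600)
    print(status, len(certs), "of", len(REJECTED), "entries returned")
    print(get_rejected_list({"security_mode": "Sign", "is_admin": True}, REJECTED, 600)[0])
```

Checking the channel mode before the user's rights means an unencrypted caller learns nothing about whether its credentials were administrative; the order also mirrors the order in which the result codes are listed above. The budget check is deliberately conservative (it stops at the first entry that does not fit rather than searching for smaller older entries), which keeps the "omit older entries" behaviour predictable for an administrator reconciling the list.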

Table 21a specifies the AddressSpace representation for the GetRejectedList Method.

Table 21a – GetRejectedList Method AddressSpace Definition

| Attribute | Value |
|---|---|
| BrowseName | GetRejectedList |

| References | NodeClass | BrowseName | DataType | TypeDefinition | ModellingRule |
|---|---|---|---|---|---|
| HasProperty | Variable | OutputArguments | Argument[] | PropertyType | Mandatory |