Annex F (normative) Local Discovery Server

F.1 Certificate Store Directory Layout

A recommended directory layout for Applications that store their Certificates on a file system is shown in Table 74. The Local Discovery Server shall use this structure.

This structure is based on the rules defined in OPC 10000-6.

Table 74 – Application Certificate Store Directory Layout

Path                     Description
<root>                   A descriptive name for the trust list.

<root>/own               The Certificate store which contains private keys used by the application.
<root>/own/certs         Contains the X.509 v3 Certificates associated with the private keys in the ./private directory.
<root>/own/private       Contains the private keys used by the application.

<root>/trusted           The Certificate store which contains trusted Certificates.
<root>/trusted/certs     Contains the X.509 v3 Certificates which are trusted.
<root>/trusted/crl       Contains the X.509 v3 CRLs for any Certificates in the ./certs directory.

<root>/issuer            The Certificate store which contains the CA Certificates needed for validation.
<root>/issuer/certs      Contains the X.509 v3 Certificates which are needed for validation.
<root>/issuer/crl        Contains the X.509 v3 CRLs for any Certificates in the ./certs directory.

<root>/rejected          The Certificate store which contains Certificates which have been rejected.
<root>/rejected/certs    Contains the X.509 v3 Certificates which have been rejected.

All X.509 v3 certificates are stored in DER format and have a ‘.der’ extension on the file name.

All CRLs are stored in DER format and have a ‘.crl’ extension on the file name.

Private keys should be in PKCS #12 format with a ‘.pfx’ extension or in the OpenSSL PEM format. The OpenSSL PEM format is not formally defined and should only be used by applications which use the OpenSSL libraries to implement security. Other private key formats may exist.

The base name of the Private Key file shall be the same as the base file name for the matching Certificate file stored in the ./certs directory.

A recommended naming convention is:

<CommonName> [<Thumbprint>].(der | pem | pfx)

Where <CommonName> is the CommonName of the Certificate and <Thumbprint> is the SHA-1 hash of the Certificate formatted as a hexadecimal string.
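As an added illustration (not part of the OPC UA specification or any reference implementation), the following script creates the Table 74 layout, builds file names under the recommended convention, and checks a store for the rules above: .der files in every certs directory, .crl files in every crl directory, a name-embedded thumbprint that matches the file content, and an own/private key whose base name matches its certificate. It assumes the CommonName is supplied by the caller (no X.509 parser is used) and uses constructed placeholder bytes in place of a real certificate and key.

```python
import hashlib
import re
import tempfile
from pathlib import Path
STORE_DIRS = ["own/certs", "own/private", "trusted/certs", "trusted/crl",   # Table 74
              "issuer/certs", "issuer/crl", "rejected/certs"]
# Recommended name: <CommonName> [<Thumbprint>].(der | pem | pfx)
NAME_RE = re.compile(r"^(?P<cn>.+) \[(?P<thumb>[0-9A-Fa-f]{40})\]\.(der|pem|pfx)$")

def thumbprint(der: bytes) -> str:
    """SHA-1 of the DER encoding as an upper-case hex string."""
    return hashlib.sha1(der).hexdigest().upper()

def cert_file_name(common_name: str, der: bytes, ext: str = "der") -> str:
    return f"{common_name} [{thumbprint(der)}].{ext}"

def check_store(root: Path) -> list:
    """Return layout problems found under <root>; an empty list means it conforms."""
    problems = []
    for d in STORE_DIRS:
        if not (root / d).is_dir():
            problems.append(f"missing directory {d}")
            continue
        want = {"certs": ".der", "crl": ".crl"}.get(d.rsplit("/", 1)[1])
        for f in (root / d).iterdir():
            if want and f.suffix != want:
                problems.append(f"{d}/{f.name}: expected extension {want}")
            m = NAME_RE.match(f.name)
            if want == ".der" and m and m["thumb"].upper() != thumbprint(f.read_bytes()):
                problems.append(f"{d}/{f.name}: thumbprint in name does not match content")
    # Every own certificate needs a private key with the same base name
    keys = list((root / "own/private").glob("*")) if (root / "own/private").is_dir() else []
    for cert in (root / "own/certs").glob("*.der"):
        if not any(k.stem == cert.stem and k.suffix in (".pfx", ".pem") for k in keys):
            problems.append(f"own/certs/{cert.name}: no matching key in own/private")
    return problems

def demo() -> tuple:
    """Build a store with one constructed certificate; returns (conforming, broken) results."""
    der = b"\x30\x03\x02\x01\x01"   # constructed placeholder bytes, not a real certificate
    root = Path(tempfile.mkdtemp())
    for d in STORE_DIRS:
        (root / d).mkdir(parents=True)
    name = cert_file_name("MyServer", der)
    (root / "own/certs" / name).write_bytes(der)
    key = root / "own/private" / name.replace(".der", ".pfx")
    key.write_bytes(b"placeholder PKCS#12 content")   # constructed, not a real key
    ok = check_store(root)
    key.rename(root / "own/private/MyServer.pfx")      # base name no longer matches the cert
    return ok, check_store(root)
```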
