6 Message SecurityProtocols ToC Previous Next

6.2 Certificates ToC Previous Next

6.2.2 Application Instance Certificate ToC Previous Next

An Application Instance Certificate is a ByteString containing the DER encoded form (see X690) of an X.509 v3 Certificate. This Certificate is issued by certifying authority and identifies an instance of an application running on a single host. The X.509 v3 fields contained in an Application Instance Certificate are described in Table 43. The fields are defined completely in RFC 5280.

Table 43 also provides a mapping from the RFC 5280 terms to the terms used in the abstract definition of an Application Instance Certificate defined in OPC 10000-4.

Table 43 – Application Instance Certificate

Name OPC 10000-4 Parameter Name Description
Application Instance Certificate   An X.509 v3 Certificate.
   version    version shall be “V3”
   serialNumber    serialNumber The serial number assigned by the issuer.
   signatureAlgorithm    signatureAlgorithm The algorithm used to sign the Certificate.
   signature    signature The signature created by the Issuer.
   issuer    issuer    The distinguished name of the Certificate used to create the signature.The issuer field is completely described in RFC 5280.
   validity    validTo, validFrom When the Certificate becomes valid and when it expires.
   subject    subject    The distinguished name of the application Instance.   The Common Name attribute shall be specified and should be the productName or a suitable equivalent. The Organization Name attribute shall be the name of the Organization that executes the application instance. This organization is usually not the vendor of the application.   Other attributes may be specified.The subject field is completely described in RFC 5280.
   subjectAltName       applicationUri,   hostnames    The alternate names for the application Instance.   Shall include a uniformResourceIdentifier which is equal to the applicationUri. The URI shall be a valid URL (see RFC 3986) or a valid URN (see RFC 8141).   Servers   shall specify a partial or a fully qualified dNSName or a static IPAddress which identifies the machine where the application Instance runs. Additional dNSNames may be specified if the machine has multiple names. The subjectAltName field is completely described in RFC 5280.
   publicKey    publicKey The public key associated with the Certificate.
   keyUsage    keyUsage    Specifies how the Certificate key may be used.   For RSA keys, the keyUsage shall include digitalSignature, nonRepudiation, keyEncipherment and dataEncipherment. For ECC keys, the keyUsage shall include digitalSignature. Other keyUsage bits are allowed but not recommended.Self-signed Certificates shall also include keyCertSign.
   extendedKeyUsage    keyUsage    Specifies additional limits on how the Certificate key may be used.   For RSA keys, the extendedKeyUsage shall specify serverAuth and/or clientAuth. For ECC keys, the extendedKeyUsage may specify serverAuth and/or clientAuth.Other extendedKeyUsage bits are allowed.
   authorityKeyIdentifier (No mapping) Provides more information about the key used to sign the Certificate. It shall be specified for Certificates signed by a CA. It should be specified for self-signed Certificates.
   basicConstraints (No mapping)    The basicConstraints field is completely described in RFC 5280.   The cA flag Identifies whether the subject of the Certificate is a CA The pathLength specifies the maximum depth of valid chains that include this Certificate.   The cA flag shall be FALSE for ApplicationInstance Certificates issued by a CA.   The cA flag should be FALSE for self-signed Certificates, however, TRUE shall be accepted to ensure backward interoperability.If the CA flag is TRUE for self-signed ApplicationInstance Certificates, then the pathLength shall be 0.

Previous Next