Device Onboarding - Hardware protected DeviceIdentity Certificates|OPC UA Standard|Forum|OPC Foundation

Hello,

We're looking into the OPC UA 10000-21 part for device onboarding and are discussing how to understand some of the writings on the usage of DeviceIdentity certificates (IDevID or LDevID).

It seems quite clear that the expectation is that the DeviceIdentity certificate will be used as an application instance certificate for the DCA during the initial provisioning phase, i.e., before the registrar push new site-specific app.instance certificates to the DCA and the applications it can configure. From 7.3 Push Management:

"Each of the DeviceIdentity Certificates is returned in EndpointDescriptions returned by GetEndpoints." .. "If the Registrar finds an EndpointDescription that matches a valid Ticket it will create a new SecureChannel using that EndpointDescription."

It is also quite clear that the DeviceIdentity cert shall be hardware protected, e.g., using a TPM to store the private key of the DeviceIdentity certificate. From 5.1 Device Identity:

"... Devices should provide a SecureElement storage (for an example, see ISO/IEC 11889) to ensure the associated Private Keys cannot be copied off the Device."

All fine and dandy, but:

• This will put some specific requirements on the clients expectations on the certificate on first use, as the DeviceIdentity cert will not be an app.instance certificate, e.g., no DNSname or IPAddress to validate. No big issue maybe - the Registrar is a specific application which could be coded to handle this.
• It will require the DCA to be able to create secure channels using a certificate w. private key stored in TPM (or similar secure element storage). This is a bigger issue, as we have so far not found any of the available stacks supporting app.instance certificates w. key stored in secure storage. 

Are we understanding the specification right?

Anyone knows of support for part 21 in upcoming stack releases?

Best,

Björn