Does application certificate keyUsage restriction apply to user defined certificates|OPC UA Standard|Forum|OPC Foundation

Avatar
Search
Forum Scope


Match



Forum Options



Minimum search word length is 3 characters - maximum search word length is 84 characters
Lost password?
sp_Feed sp_PrintTopic sp_TopicIcon
Does application certificate keyUsage restriction apply to user defined certificates
Avatar
EG
Member
Members
Forum Posts: 35
Member Since:
12/06/2021
sp_UserOfflineSmall Offline
1
10/05/2022 - 12:38
sp_Permalink sp_Print

OPC 10000-6 6.2.2 states that the application instance certificate shall have a keyUsage that includes digitalSignature, nonRepudiation, keyEncipherment and dataEncipherment, as well as extendedKeyUsage specifying serverAuth.

OPC 10000-4 6.1.2 states that the server shall allow administrators to replace the application instance certificate with a certificate that meets their requirements.

Do the keyUsage restrictions apply to certificates that the user provides? i.e. should the server prevent the user from installing an application certificate without the keyUsage and extendedKeyUsage parameters?

Avatar
Randy Armstrong
Admin
Forum Posts: 1578
Member Since:
05/30/2017
sp_UserOfflineSmall Offline
2
10/05/2022 - 16:54
sp_Permalink sp_Print

See https://reference.opcfoundatio…..rt6/6.2.2/

for requirements.

If you do not enforce these requirements when the certificate is updated the user could experience failures when connecting with a peer that checks for these bits.

Avatar
EG
Member
Members
Forum Posts: 35
Member Since:
12/06/2021
sp_UserOfflineSmall Offline
3
10/05/2022 - 23:01
sp_Permalink sp_Print

From a compliance point of view, which clause takes priority? Allowing the user to upload a certificate that meets their requirements, or enforcing the key usage?

Avatar
Randy Armstrong
Admin
Forum Posts: 1578
Member Since:
05/30/2017
sp_UserOfflineSmall Offline
4
10/06/2022 - 04:48
sp_Permalink sp_Print

Not including keyUsage and extendedKeyUsage parameter will cause endless IOP headaches so if you want to reduce your support costs you will enforce it at upload notwithstanding any compliance requirements.

The wording in the specification “meets their requirements” does not imply that servers have to support upload of certificates that are not compliant with the specification.

The compliance tests focus on ensuring applications inter operate so they will fail applications that do not have compliant certificates. They will not check if applications allow the user to specify invalid certificates in configuration.

Forum Timezone: America/Phoenix
Most Users Ever Online: 510
Currently Online:
Guest(s) 42
Currently Browsing this Page:
1 Guest(s)
Top Posters:
Forum Stats:
Groups: 2
Forums: 10
Topics: 1444
Posts: 4887