12/06/2021
OPC 10000-6 6.2.2 states that the application instance certificate shall have a keyUsage that includes digitalSignature, nonRepudiation, keyEncipherment and dataEncipherment, as well as extendedKeyUsage specifying serverAuth.
OPC 10000-4 6.1.2 states that the server shall allow administrators to replace the application instance certificate with a certificate that meets their requirements.
Do the keyUsage restrictions apply to certificates that the user provides? I.e., should the server prevent the user from installing an application certificate without the keyUsage and extendedKeyUsage parameters?
05/30/2017
See https://reference.opcfoundatio…..rt6/6.2.2/ for requirements.
If you do not enforce these requirements when the certificate is updated the user could experience failures when connecting with a peer that checks for these bits.
05/30/2017
Not including the keyUsage and extendedKeyUsage parameters will cause endless IOP headaches, so if you want to reduce your support costs you will enforce it at upload, notwithstanding any compliance requirements.
The wording in the specification “meets their requirements” does not imply that servers have to support upload of certificates that are not compliant with the specification.
The compliance tests focus on ensuring applications interoperate, so they will fail applications that do not have compliant certificates. They will not check if applications allow the user to specify invalid certificates in configuration.
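An upload-time check of the kind both answers recommend, as an added example in Go (not code from the OPC Foundation or any OPC UA stack): it assumes the Go standard library's x509 package, in which the nonRepudiation bit is named KeyUsageContentCommitment, and it builds constructed self-signed sample certificates so the check can be exercised offline.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"math/big"
	"time"
)

// keyUsage bits required by OPC 10000-6 6.2.2, keyed by their RFC 5280 names.
var requiredKeyUsage = map[string]x509.KeyUsage{
	"digitalSignature": x509.KeyUsageDigitalSignature,
	"nonRepudiation":   x509.KeyUsageContentCommitment,
	"keyEncipherment":  x509.KeyUsageKeyEncipherment,
	"dataEncipherment": x509.KeyUsageDataEncipherment,
}

// CheckApplicationCertificate lists why an upload should be rejected; empty means compliant.
func CheckApplicationCertificate(der []byte) ([]string, error) {
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	var problems []string
	for name, bit := range requiredKeyUsage {
		if cert.KeyUsage&bit == 0 {
			problems = append(problems, "keyUsage missing "+name)
		}
	}
	serverAuth := false
	for _, eku := range cert.ExtKeyUsage {
		serverAuth = serverAuth || eku == x509.ExtKeyUsageServerAuth
	}
	if !serverAuth {
		problems = append(problems, "extendedKeyUsage missing serverAuth")
	}
	return problems, nil
}

// MakeTestCert builds a constructed self-signed sample certificate (not a real one) with the given usages.
func MakeTestCert(ku x509.KeyUsage, eku []x509.ExtKeyUsage) ([]byte, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), KeyUsage: ku, ExtKeyUsage: eku,
		NotBefore: time.Now(), NotAfter: time.Now().Add(24 * time.Hour)}
	return x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
}
```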