Phuong Nguyen
Member
Members
Forum Posts: 16
Member Since:
11/22/2018
11/22/2018
Offline
IMHO there seems to be an inconsistency in encoding of a chain of certificates in “OPC UA part 12 v1.04”
- “Section 7.5.5 AddCertificate” specifies a method of TrustList Type to allow a client to add a single certificate to a Trust List. It is there stated that “If the Certificate is issued by a CA then the Client shall provide the entire chain in the certificate argument”. In this case a chain of certificates is passed as a single ByteString to the method.
- “Section 7.7.4 UpdateCertificate” specifies a method of ServerConfiguration Type to allow a client to update a certificate to a server. This method accepts issuer certificates as an array of ByteString. These issuer certificates are needed for verification of the certificate to update and hence can also contain a chain of certificates e.g., in multi-level PKI.
My question here is what should be the expected way to encapsulate a chain of certificates from OPC UA’s perspective? A chain per single ByteString variant or by means of an array of ByteString variants? Or both of them are accepted?
Thanks!
Randy Armstrong
Admin
Forum Posts: 1579
Member Since:
05/30/2017
05/30/2017
Offline
Yes there are inconsistencies because some APIs were rewritten before the need for a chain was identified.
The specification allows a chain to be sent in any ByteString that contains a Certificate.
That said, with UpdateCertificate you should not want to do that since a separate issuers array is specified.
Forum Timezone: America/Phoenix
Most Users Ever Online: 510
Currently Online:
Guest(s) 44
Currently Browsing this Page:
1 Guest(s)
1 Guest(s)
Top Posters:
Forum Stats:
Groups: 2
Forums: 10
Topics: 1445
Posts: 4889