Part 21 describes the lifecycle of a device starting at the manufacturer, where it gets an IDevID certificate with the manufacturer as subject.
Later, during Application Setup, the OPC UA Applications get Application Instance Certificates where I expect to see the OwnerOperator as the Organization part of the subject in the certificate.
What I do not understand is: where do the Organization, Location... attributes come from, and how do they get into the CSR of the server?
Is this also covered by the spec or is it vendor specific?
The subject names are always left up to implementer.
The subjectAltNames have URIs which are required by the specification.
For IDevID the subjectAltName shall contain a URI issued by the manufacturer. This is used to correlate a Certificate with a Ticket that was obtained OOB.
For Application Instance Certificate the subjectAltName shall contain a URI issued by the OwnerOperator (or auto-generated by the product when it is installed). It is used to identify the Application in the network.
Hi Randy, thanks for the quick answer.
I understand that the subject with Organization and Location... is left to the implementer.
But as an implementer I have no idea where to get the required information from.
Do I understand that correctly:
During Application Setup phase the Application Instance Certificate is created for the OwnerOperator by the CertificateManager.
This Cert contains a subject for the OwnerOperator (Organization, Location...)
The device does not know the OwnerOperator until that time. Only the CertificateManager might know the OwnerOperator.
To create the Cert, the server of the device creates a CSR.
This CSR contains all the information that shall get into the certificate.
Now my problem: How does the server know about the OwnerOperator for the CSR.
Or can the CertificateManager add / change the information of the CSR when creating the Cert?
The only thing I could imagine is an additional configuration step in the Application Setup phase where the device is informed about the details for the certificate.
Or do I overlook something?
OPC UA applications are expected to allow OwnerOperators to configure the information that goes into the CSR using application specific mechanisms (i.e. a configuration file), i.e. from the .NETStandard Reference Server:

    <!-- Where the application instance certificate is stored -->
    <ApplicationCertificate>
      <StoreType>Directory</StoreType>
      <StorePath>%CommonApplicationData%\OPC Foundation\pki\own</StorePath>
      <SubjectName>CN=Quickstart Reference Server, C=US, S=Arizona, O=OPC Foundation, DC=localhost</SubjectName>
    </ApplicationCertificate>
The SubjectName is used to create the CSR.
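To make concrete how a configured SubjectName and the required subjectAltName URI end up in the CSR, here is an added example (not code from the OPC Foundation reference stack or from anyone in this thread) that parses the SubjectName string shown above and builds a CSR with the Python `cryptography` package. The ApplicationUri value is a constructed placeholder; the OwnerOperator, or the product at install time, assigns the real one, as Randy describes. The helper names (`parse_subject_name`, `build_csr`, `application_uri_from_csr`, `subject_value`) are this example's own.

```python
"""Build an Application Instance Certificate CSR from a configured SubjectName
and ApplicationUri. Added example using the `cryptography` package; not code
from the OPC Foundation reference server."""
from cryptography import x509
from cryptography.x509.oid import NameOID
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import rsa

# SubjectName exactly as it appears in the reference server's configuration file.
EXAMPLE_SUBJECT = "CN=Quickstart Reference Server, C=US, S=Arizona, O=OPC Foundation, DC=localhost"
# Constructed placeholder ApplicationUri; in practice the OwnerOperator or the
# installer assigns it, and it must match the server's ApplicationDescription.
EXAMPLE_APPLICATION_URI = "urn:localhost:OPCFoundation:QuickstartReferenceServer"

# Short attribute keys used in the configuration string, mapped to X.500 OIDs.
# "S" is the Windows spelling of stateOrProvinceName; "ST" is the OpenSSL one.
_RDN_OIDS = {
    "CN": NameOID.COMMON_NAME,
    "O": NameOID.ORGANIZATION_NAME,
    "OU": NameOID.ORGANIZATIONAL_UNIT_NAME,
    "C": NameOID.COUNTRY_NAME,
    "S": NameOID.STATE_OR_PROVINCE_NAME,
    "ST": NameOID.STATE_OR_PROVINCE_NAME,
    "L": NameOID.LOCALITY_NAME,
    "DC": NameOID.DOMAIN_COMPONENT,
}


def parse_subject_name(subject_name: str) -> x509.Name:
    """Turn 'CN=..., O=..., ...' into an x509.Name, preserving attribute order.
    Rejects malformed or unknown attributes instead of silently dropping them,
    so a typo in the configuration file surfaces before a CSR is sent to the CA."""
    attributes = []
    for part in subject_name.split(","):
        key, sep, value = part.strip().partition("=")
        if not sep or not value.strip():
            raise ValueError(f"malformed RDN: {part!r}")
        oid = _RDN_OIDS.get(key.strip().upper())
        if oid is None:
            raise ValueError(f"unsupported attribute type: {key!r}")
        attributes.append(x509.NameAttribute(oid, value.strip()))
    return x509.Name(attributes)


def build_csr(subject_name: str, application_uri: str, hostnames, key=None):
    """Create the CSR the server hands to its CertificateManager/GDS.
    The subjectAltName carries the ApplicationUri (the URI the spec requires)
    plus the hostnames clients will use to reach the endpoint."""
    if key is None:
        key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    san = [x509.UniformResourceIdentifier(application_uri)]
    san += [x509.DNSName(h) for h in hostnames]
    builder = (
        x509.CertificateSigningRequestBuilder()
        .subject_name(parse_subject_name(subject_name))
        .add_extension(x509.SubjectAlternativeName(san), critical=False)
    )
    return builder.sign(key, hashes.SHA256())


def application_uri_from_csr(csr) -> str:
    """Return the ApplicationUri carried in the CSR's subjectAltName.
    A CA/GDS would run this check before issuing: a CSR with no URI in the
    subjectAltName cannot yield a usable Application Instance Certificate."""
    san = csr.extensions.get_extension_for_class(x509.SubjectAlternativeName).value
    uris = san.get_values_for_type(x509.UniformResourceIdentifier)
    if not uris:
        raise ValueError("subjectAltName contains no URI")
    return uris[0]


def subject_value(csr, key: str) -> str:
    """Look up one subject attribute by its configuration-file key ('O', 'S', ...);
    returns '' when the attribute is absent."""
    attrs = csr.subject.get_attributes_for_oid(_RDN_OIDS[key.upper()])
    return attrs[0].value if attrs else ""


if __name__ == "__main__":
    request = build_csr(EXAMPLE_SUBJECT, EXAMPLE_APPLICATION_URI, ["localhost"])
    print("Organization:", subject_value(request, "O"))
    print("ApplicationUri:", application_uri_from_csr(request))
```

The CSR only states what the server asks for. Whether the issuing CA copies the subject and subjectAltName unchanged or replaces them with values of its own is the CA's decision, which is why, as Randy notes further down, a GDS can assign an ApplicationUri during issuance only when it is also the CA.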
Ok, I understand. This is how it is working today.
But with the new Onboarding feature we want to bring the device into the network using OPC UA without any manual configuration.
Let's assume we could do all the remaining provisioning using OPC UA (either with a standard or custom information model).
Then setting the Subject of the Application Instance Certificate to the OwnerOperator is the only thing left that the user has to do manually before he can access the OPC UA Server (Remember: the OwnerOperator might not be known at an earlier stage).
I think this is something we should add to part 21. What is your opinion?
There are use cases we did not fully define with the GDS and Onboarding. At the time it was assumed the GDS could assign any ApplicationUri to an application when it issues a Certificate but that only works if the GDS is also the CA.
We need to explain exactly how ApplicationUris can be automatically assigned by a GDS.