Question About CertificateExpirationAlarmType|OPC UA Standard|Forum|OPC Foundation

Question About CertificateExpirationAlarmType
Adam Wu
01/19/2025 - 18:53

Hello

I have two questions about CertificateExpirationAlarmType.

CertificateExpirationAlarmType has Certificate, CertificateType, ExpirationDate, ExpirationLimit fields.

1. In CertificateExpirationAlarm, does the Server put the client's certificate into inputNode and update the Certificate field after the client has connected to the Server?

2. If a client connects to the Server and the client's certificate is going to expire in less than 2 weeks, the Server should emit CertificateExpirationAlarm, but how does the client handle CertificateExpirationAlarm? Does the client need to close the connection, then get a new certificate, then connect to the Server?

Testing this Alarm with CTT: for test cases 2, 3 and 4, CTT will require the Server to use a different Certificate for each test. The first one is going to expire, the second one is already within expiration, and the last one has already expired.

Thanks

Paul Hunkar
01/21/2025 - 20:28

The purpose of this alarm is to indicate that the Server's own certificate is about to expire or has already expired. It is not about a client that is connecting to the Server. A Server might have more than one Certificate: it might have an Application Instance certificate or a User Certificate, both of which have expiration dates. This alarm is raised when the certificate is nearing this date. The ExpirationLimit indicates how near to the ExpirationDate; if ExpirationLimit is not provided, then a default of 2 weeks is used.

For example, if the Server's Application Instance certificate will expire January 28, 2025 and the ExpirationLimit was set to 2 weeks, then on January 14, 2025, the Server will raise the Alarm. It will stay active until the Server Application Instance certificate is updated. This Alarm is used to remind the end User that his Server will need a new Application Instance certificate soon. If the Application Instance certificate is not updated before the expiration time, clients might no longer be able to connect to the Server (the Server has an expired certificate).

The testing for this alarm on the Server can be accomplished by loading a certificate that will expire onto the Server; it can also be tested by manipulating the time on the system. Typically this would be tested overnight: the certificate loaded is not within the expiration window, but will be the next morning, and in the morning the alarm should be active. Time can also be manipulated to push the Server into the future, where the certificate would be near expiring.

Paul
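
The timing rule described in the answer above, as an added Python example that is not part of the original posts and does not use any OPC UA SDK. The class, function and state names ("inactive", "expiring", "expired") are assumptions made for illustration; the dates follow the January 28, 2025 example, and the clock is passed in so the overnight and time-shift tests can be reproduced.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

DEFAULT_LIMIT = timedelta(weeks=2)  # default used when ExpirationLimit is not provided


@dataclass
class ServerCertificate:
    name: str                                     # hypothetical label for one of the Server's own certificates
    expiration_date: datetime                     # ExpirationDate field
    expiration_limit: Optional[timedelta] = None  # ExpirationLimit field; None means "not provided"

    def alarm_start(self) -> datetime:
        """First instant at which the alarm should be active for this certificate."""
        limit = DEFAULT_LIMIT if self.expiration_limit is None else self.expiration_limit
        return self.expiration_date - limit


def alarm_state(cert: ServerCertificate, now: datetime) -> str:
    """Expected alarm state at `now`; both 'expiring' and 'expired' mean the alarm is active."""
    if now >= cert.expiration_date:
        return "expired"
    if now >= cert.alarm_start():
        return "expiring"
    return "inactive"


def evaluate(certs, now: datetime) -> dict:
    """Expected state for every certificate the Server holds (a Server may have more than one)."""
    return {c.name: alarm_state(c, now) for c in certs}


def utc(y, m, d, h=0) -> datetime:
    return datetime(y, m, d, h, tzinfo=timezone.utc)


def overnight_test():
    """Constructed scenario: certificate loaded in the evening, checked next morning, then replaced."""
    cert = ServerCertificate("application-instance", utc(2025, 1, 28))
    before = alarm_state(cert, utc(2025, 1, 13, 18))  # evening: outside the 2-week window
    after = alarm_state(cert, utc(2025, 1, 14, 8))    # morning: inside the window
    renewed = ServerCertificate("application-instance", utc(2026, 1, 28))
    cleared = alarm_state(renewed, utc(2025, 1, 14, 8))  # updated certificate clears the alarm
    return before, after, cleared


if __name__ == "__main__":
    print(overnight_test())
```
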

Forum Timezone: America/Phoenix