OPC Studio User's Guide and Reference
OPC UA Certificate Types
Introduction

A certificate type describes the purpose of a certificate, possibly together with the crucial defining parameters of the cryptography algorithm used by the certificate. The certificate types form a hierarchy (a tree), using the inheritance concept. Certificate types are defined in the OPC UA specification; custom certificate types can also be defined, but that is not common.

For example, the OPC UA specification defines an ApplicationCertificateType (for OPC UA application instance certificates), with subtypes like RsaMinApplicationCertificateType (for application certificates using RSA with key size of 1024 or 2048 bits), RsaSha256ApplicationCertificateType (for application certificates using RSA with key size of 2048, 3072 or 4096 bits), and EccApplicationCertificateType (for application instance certificates with an ECC public key). The EccApplicationCertificateType has further subtypes such as EccNistP256ApplicationCertificateType and more.

The static UACertificateTypeIds Class contains properties that contain the standard certificate type Ids. These can be used as certificate type Id arguments with method calls that need them.

Certificate Pack

In order to provide wide interoperability, an application may have multiple certificates available, with different certificate types. When establishing a connection, a match is found between the capabilities (certificate types) of the server and the client. By default, applications developed with OPC Studio enable all certificate types that are supported.

It is not uncommon for an application to have many certificates. For example, in a typical case, there might be an RSA certificate, and then 4 certificates using different ECC curves.

When performing certificate-related operations, such as creating a self-signed certificate, removing a certificate, or obtaining a certificate from the GDS, it is possible to work with a single certificate of the specified certificate type. However, this is not very practical when multiple certificates need to be handled. For this reason, OPC Studio introduces the concept of a certificate pack, which is a set of certificates with different certificate types, grouped together for a single purpose. For example, a certificate pack might be used to provide OPC UA application instance certificates, and contain an RSA certificate and multiple ECC certificates. For most certificate-related tasks, OPC Studio provides operations that can work on a certificate pack instead of just on a single certificate. This makes it easy to perform common tasks on all certificates needed by the application at once, without having to iterate over the certificates of different types and perform the operation repeatedly.
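The following is an added example (not OPC Studio code, and it uses no OPC Studio API) that models the certificate type tree from the Introduction and the certificate pack matching described above: a client pack holding one RSA and one ECC certificate, a subtype walk up the tree, the RSA key-size rules the text states, and selection of a pack member that matches the server's capabilities. The server's list order being its preference order, the `Certificate` class, and the sample certificates are assumptions made for the example.

```python
from dataclasses import dataclass
from typing import Optional

# Certificate type tree from the OPC UA specification, as described in the
# Introduction (names only; parent None marks the root of the tree).
CERT_TYPE_PARENT = {
    "ApplicationCertificateType": None,
    "RsaMinApplicationCertificateType": "ApplicationCertificateType",
    "RsaSha256ApplicationCertificateType": "ApplicationCertificateType",
    "EccApplicationCertificateType": "ApplicationCertificateType",
    "EccNistP256ApplicationCertificateType": "EccApplicationCertificateType",
}

# Permitted RSA key sizes per certificate type, as stated in the text.
RSA_KEY_SIZES = {
    "RsaMinApplicationCertificateType": {1024, 2048},
    "RsaSha256ApplicationCertificateType": {2048, 3072, 4096},
}

@dataclass(frozen=True)
class Certificate:          # assumed minimal model, not an OPC Studio type
    type_id: str            # certificate type name from CERT_TYPE_PARENT
    subject: str
    key_size: int           # RSA modulus bits, or ECC curve size in bits

# Constructed sample pack: one RSA certificate plus one ECC certificate.
CLIENT_PACK = [
    Certificate("RsaSha256ApplicationCertificateType", "CN=SampleApp", 2048),
    Certificate("EccNistP256ApplicationCertificateType", "CN=SampleApp", 256),
]

def is_subtype_of(type_id: str, ancestor: str) -> bool:
    """Walk up the tree; a type counts as a subtype of itself."""
    current: Optional[str] = type_id
    while current is not None:
        if current == ancestor:
            return True
        current = CERT_TYPE_PARENT[current]
    return False

def key_size_valid(cert: Certificate) -> bool:
    """Reject an RSA certificate whose key size its type does not permit."""
    allowed = RSA_KEY_SIZES.get(cert.type_id)
    return True if allowed is None else cert.key_size in allowed

def select_from_pack(pack, server_types) -> Optional[Certificate]:
    """Return the first pack member matching a server-supported type
    (server order is treated as preference; subtypes match their ancestors)."""
    for wanted in server_types:
        for cert in pack:
            if is_subtype_of(cert.type_id, wanted) and key_size_valid(cert):
                return cert
    return None
```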

Distinguishing between Certificate or Certificate Pack

Whether the operation works on a single certificate, or on a certificate pack, is consistently reflected in the operation name (method name in the API). There are also operations that can work on either a single certificate or on a certificate pack, depending on a parameter. The naming convention is as follows:

When the operation can work either on a single certificate or certificate pack, the distinction is made by a certificate type Id parameter (of type UANodeId), which is passed either directly to the method as one of its arguments, or is a property of the object that is an argument to the method. For example, the ProtectOrUnprotectOwnCertificateOrCertificatePack Method has a certificateTypeId argument; the ObtainNewCertificateOrCertificatePack Method has a UAObtainCertificateArguments argument which contains a CertificateTypeId Property for this purpose.

What the operation will actually do depends on the certificate type Id parameter as follows:

Note that a null reference for the certificate type Id has a meaning that is different from UANodeId.Null.
