Allow dynamic update of client/server application certificate and key

Description

Implement a mechanism to allow dynamic update of client/server application certificate and key in configuration. All secure channels associated with previous certificate should be closed (see part 12 v1.05 §7.10.6):

[...] Server shall force existing SecureChannels affected by the changes to renegotiate and use the new Server Certificate [...]

Servers may close SecureChannels without discarding any Sessions or Subscriptions.

Implementation

Implement an event to close all current secure channels using previous certificate data. Add a thread safe API to allow application certificate and key update in configuration with concurrent accesses. And add a mandatory callback mechanism to close all current secure channels already using previous certificate, on server side the session is kept and might be associated to a new secure channel using the new certificate. Ensure OPC UA method call response is sent prior to closing the SC using it.

Edited Sep 20, 2023 by Vincent Monfort

To upload designs, you'll need to enable LFS and have an admin enable hashed storage. More information