... | ... | @@ -24,7 +24,7 @@ A default implementation of PKI provider is provided with S2OPC toolkit (see `cs |
|
|
The PKI verifies a certificate in the safest manner (whole certificate chain, with date validation, mandatory certificate revocation lists).
|
|
|
Certificate Authority (CA) requirements (such as the hash algorithm used for the signature) depend on the chosen OPC UA security policy.
|
|
|
|
|
|
There are 4 types of certificates to provide to the PKI:
|
|
|
There are 3 types of certificates to provide to the PKI:
|
|
|
* The "trusted issuers" are Certificate Authorities (CAs) from which issued certificates are also trusted. All the certificates of the signing chain including the root CA must be provided.
|
|
|
* The "issued certificates" are certificates issued by untrusted CA. These certificates are considered themselves trustworthy (if the certificate properties and its signature are both valid).
|
|
|
* The "untrusted issuers" are CAs which are used to verify the signing chain of the "issued certificates". Each issued certificate must have its whole signing CA chain in the untrusted issuers or the trusted issuers up to the root CA.
|
... | ... | |
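Review bot: The corrected sentence "There are 3 types of certificates to provide to the PKI:" now matches the three bullets, but the list still does not say where certificate revocation lists are supplied, even though the context line above it states that verification uses "mandatory certificate revocation lists". A reader who provisions only the three listed certificate types has no indication from this section of which CAs need a CRL or where to put it. Consider adding a sentence after the list that states which of the trusted and untrusted issuers require a CRL and how it is provided. A smaller wording point in the second bullet: "issued by untrusted CA" would read better as "issued by an untrusted CA", and it may help to say explicitly that trusting an issued certificate does not extend trust to other certificates from the same CA.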