OPCFoundation / UA-.NETStandard

OPC Unified Architecture .NET Standard

<Reprovisioning after OPC UA Server Certificate Revocation> #2634

Closed charlesaugustineabb closed 1 day ago

charlesaugustineabb commented 1 month ago

Type of issue

Current Behavior

How to invoke re-provisioning once OPC UA Server certificates are revoked? On the OPC UA server, generate a new public-private key pair. Use case 1: does this generation need to be done by the same UA Server itself, or by an administrative component which has access to this key pair? Does it make sense to you, or do you have other suggestions? Use case 2: in the above use case, how will the UA Server be aware that its own certificate is revoked? Please share your thoughts on both of the above.

Expected Behavior

No response

Steps To Reproduce

No response

Environment

- OS:
- Environment:
- Runtime:
- Nuget Version:
- Component:
- Server:
- Client:

Anything else?

No response

ThomasNehring commented 4 weeks ago

Hello charlesaugustineabb,

A self-signed certificate cannot be revoked. Only a certificate signed by a CA or intermediate CA can be revoked, and the revocation list has to be signed by the CA which has signed the certificate. How to replace a revoked certificate depends on how you have set up your PKI. The server can create a new key pair and then a signing request which has to be sent to a CA for signing (the CA does not need to know the private key, only the public one), or you can delegate certificate creation entirely to the CA and then transfer the certificate to the server (in this case the private key will be known to the entity which creates it, of course - some people think that this is bad and should not be done this way).

Whether the server knows that it needs a new certificate depends on whether the server does verify its own certificate and includes a CRL check. Since one common use case is using the Microsoft Certificate store for the application certificate, and since this, until recently, did not support CRL checks, the server would not get to know its revocation in this scenario. (For other scenarios (Linux, Mac, or Windows with a file-based certificate store) I -- or you -- have to check the source code whether the server verifies its own certificates.)
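The replacement flow described above, as an added example that is not part of this thread and not code from the UA-.NETStandard SDK: the server generates a fresh key pair and a CSR so the private key never leaves it, the CA issues the certificate and signs the CRL, and the server checks its own certificate against a CRL it accepts only from its issuer. Written in Python with the `cryptography` package; the CA names and the ApplicationUri are constructed values.

```python
import datetime
from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.x509.oid import NameOID
APP_URI = "urn:example:opcua:server"  # constructed ApplicationUri, carried in the SAN
NOW = datetime.datetime.now(datetime.timezone.utc)
def _name(cn):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])

def make_ca(cn="Test CA"):
    """Self-signed CA key pair and certificate; only this CA can revoke what it signs."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    cert = (x509.CertificateBuilder().subject_name(_name(cn)).issuer_name(_name(cn))
            .public_key(key.public_key()).serial_number(x509.random_serial_number())
            .not_valid_before(NOW).not_valid_after(NOW + datetime.timedelta(days=365))
            .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
            .sign(key, hashes.SHA256()))
    return key, cert

def new_key_and_csr(app_uri=APP_URI):
    """Server side of re-provisioning: fresh key pair plus CSR; only the CSR leaves the server."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    san = x509.SubjectAlternativeName([x509.UniformResourceIdentifier(app_uri)])
    csr = (x509.CertificateSigningRequestBuilder().subject_name(_name("OPC UA Server"))
           .add_extension(san, critical=False).sign(key, hashes.SHA256()))
    return key, csr

def issue_from_csr(ca_key, ca_cert, csr, days=90):
    """CA side: sign the CSR, carrying the ApplicationUri SAN over, never seeing the private key."""
    san = csr.extensions.get_extension_for_class(x509.SubjectAlternativeName)
    return (x509.CertificateBuilder().subject_name(csr.subject).issuer_name(ca_cert.subject)
            .public_key(csr.public_key()).serial_number(x509.random_serial_number())
            .not_valid_before(NOW).not_valid_after(NOW + datetime.timedelta(days=days))
            .add_extension(san.value, critical=san.critical).sign(ca_key, hashes.SHA256()))

def build_crl(ca_key, ca_cert, revoked_serials):
    """CRL listing the given serial numbers, signed by the issuing CA."""
    b = (x509.CertificateRevocationListBuilder().issuer_name(ca_cert.subject)
         .last_update(NOW).next_update(NOW + datetime.timedelta(days=7)))
    for s in revoked_serials:
        b = b.add_revoked_certificate(
            x509.RevokedCertificateBuilder().serial_number(s).revocation_date(NOW).build())
    return b.sign(ca_key, hashes.SHA256())

def is_revoked(cert, crl, ca_cert):
    """Self-check a server can run on its own certificate: trust only a CRL its issuer signed."""
    if crl.issuer != cert.issuer or not crl.is_signature_valid(ca_cert.public_key()):
        raise ValueError("CRL is not signed by the certificate's issuer")
    return crl.get_revoked_certificate_by_serial_number(cert.serial_number) is not None
```

A self-signed certificate has no issuer CA to sign a CRL for it, which is why `is_revoked` can only ever apply to the CA-issued certificate produced by `issue_from_csr`.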

charlesaugustineabb commented 2 weeks ago

Hello @ThomasNehring

In my case I have a GDS and CA to sign the certificates of my applications. I would like to know whether the Foundation's Server SDK/framework gives any of the below features: 1) if the Server's own certificate is revoked, the Server's SDK/framework can create a new key pair or self-signed certificate after deleting the existing signed certificate (its own, which is revoked), with an external request or without. If not, I may need to think about implementing the same in Server-specific code.

charlesaugustineabb commented 1 day ago

Hello @ThomasNehring, I think the OPC UA Server must have a method, something like ResetCertificate (an administrative component might call this method; in my case, I have a UA client in the GDS, normally used to push certificates). The ResetCertificate method will delete the current key pair (no matter whether CA-signed or self-signed) and create a new self-signed certificate on the server. So the administrative component can call push-related methods again to push the new CA-signed certificate.

The ResetCertificate method can be called when a server's certificate is revoked.

Don't you think so? Or any different thoughts?

romanett commented 1 day ago

@charlesaugustineabb You can utilize the existing methods from the Application Instance: https://github.com/OPCFoundation/UA-.NETStandard/blob/7b68ff7a0401685732e5c84b92fd22f492cf12f5/Libraries/Opc.Ua.Configuration/ApplicationInstance.cs#L424

https://github.com/OPCFoundation/UA-.NETStandard/blob/7b68ff7a0401685732e5c84b92fd22f492cf12f5/Libraries/Opc.Ua.Configuration/ApplicationInstance.cs#L437

Please reopen if those do not fulfill your needs.