<Reprovisioning after OPC UA Server Certificate Revocation> about ua-.netstandard HOT 4 OPEN

Hello charlesaugustineabb,

a self-signed certificate cannot be revoked. Only a certificate signed by a CA or intermediate CA can be revoked, and the revocation list has to be signed by the CA which has signed the certificate.
How to replace a revoked certificate depends on how you have set up your PKI. The server can create a new key pair and then a signing request which has to be send to a CA for signing (the CA does not need to know the private key, only the public one), or you can delegate certificate creation entirely to the CA and then transfer the certificate to the server (in this case the private key will be known to the entity which creates it, of course - some people think that this is bad and should not be done this way).

Whether the server knows that it needs a new certificate depends on whether the server does verify it's own certificate and includes a CRL check. Since one common use case is using the Microsoft Certificate store for the application certificate, and since this, until recently, did not support CRL checks, the server would not get to know it's revocation in this scenario. (For other scenarios (Linux, Mac, or Windows with file based certificate store) I -- or you -- have to check the source code whether the server verifies it's own certificates).

from ua-.netstandard.

Hello @ThomasNehring

in my case i have GDS and CA to sign the certificates of my applications.
i would like to know foundation's Server SDK/framework gives any of below feature

1. if Servers own certificate is Revoked , Servers SDK/framework can create new key pair or self signed after deleting existing signed certificate(its own which is revoked) , with a external request or with out.
   if not, i may need to think to implement same in Server specific code.

from ua-.netstandard.