* fix typos and add page on user / cert management
This commit is contained in:
Martin Regen 2019-02-22 16:23:02 +01:00 committed by GitHub
Parent deb74c6270
Commit a6569c6aa6
No key found matching this signature
GPG key ID: 4AEE18F83AFDEB23
8 changed files: 176 additions and 63 deletions

View file

@ -4,9 +4,21 @@
The certificate management service for OPC UA includes the **OPC Vault Microservice** to implement the CA certificate cloud service, a ASP.Net Core **Sample Certificate Management Web Application** front end and a **OPC Vault Edge Module** to implement a OPC UA GDS server for local connectivity.
#### A detailed overview of the OPC UA Certificate Management Service is [here](docs/opcvault-services-overview.md).
## Documentation
### This repository contains the following:
### [OPC UA Certificate Management Service Overview](docs/opcvault-services-overview.md)
### [How to run a Secure Certificate Service](docs/howto-secureca-services.md)
### [How to Build and Deploy the service to Azure](docs/howto-deploy-services.md)
### [How to get signed certificates with the Web Sample Application](docs/howto-use-cert-services.md)
### [How to manage the Certificate Service](docs/howto-manage-cert-services.md)
### [How to Build, Run and Debug the services locally](docs/howto-develop-locally.md)
## This repository contains the following:
This repo contains all components required to run a CA in the Azure cloud for your OPC UA environment:
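Review bot: The new Documentation block (the `###` lines from "OPC UA Certificate Management Service Overview" down to "How to Build, Run and Debug the services locally") uses one heading per link, so every link renders as a section title and lands in the table of contents; a bulleted list under the single `## Documentation` heading reads better, e.g. `- [OPC UA Certificate Management Service Overview](docs/opcvault-services-overview.md)`. "This repository contains the following:" also appears in this hunk at two levels (`###` and `##`); make sure only the `##` form survives.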
@ -16,7 +28,14 @@ This repo contains all components required to run a CA in the Azure cloud for yo
A Powershell deployment script automatically builds and deploys the services to your subscription. By default, security is configured for a production system.
[![Build status](https://msazure.visualstudio.com/One/_apis/build/status/Custom/Azure_IOT/Industrial/Components/ci-azure-iiot-opc-vault-service)](https://msazure.visualstudio.com/One/_build/latest?definitionId=44197)
### Build status
Due to security considerations, build logs are not publicly available.
| Branch | Status |
| ------ | ------------------------------------------------------------ |
| master | [![Build status](https://msazure.visualstudio.com/One/_apis/build/status/Custom/Azure_IOT/Industrial/Components/ci-azure-iiot-opc-vault-service)](https://msazure.visualstudio.com/One/_build/latest?definitionId=44197) |
## Features
### OPC Vault Microservice Features
- Production ready certificate microservice based on C# with ASP.Net Core 2.1.
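Review bot: The new "Build status" table keeps a badge whose link target is msazure.visualstudio.com, while the sentence directly above it says the build logs are not publicly available, so external readers who click the badge land on a sign-in page; either keep only the image, or say explicitly that the link is internal.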
@ -45,9 +64,9 @@ A Powershell deployment script automatically builds and deploys the services to
- Upload CSR for signing requests as file or base64 PEM format.
- Binary and base64 download of certificates and keys as PFX, PEM and DER.
- Issues consolidated CRL updates for multiple unregistered applications in a single step, e.g. for weekly updates.
- Accesses the OPC Vault microservice on behalf of the user to be able to execute protected functions in Azure Key Vault (e.g. signing rights for Approver).
- Accesses the OPC Vault microservice on behalf of the user to be able to execute protected functions in Azure Key Vault (e.g. signing permissions for Approver, create certificate for Administrator).
### On premise OPC Vault Edge Module as OPC UA Global Discovery Server (GDS) with cloud integration
### On premises OPC Vault Edge Module as OPC UA Global Discovery Server (GDS) with cloud integration
- Based on the GDS server common library of the [OPC UA .NetStandard][opc-netstandard] Nuget packages.
- Implements the OPC UA Discovery and Certificate Management profile by connecting to the OPC Vault microservice.
- Executes in a docker container or as a .Net Core 2.0 application on Windows or Linux.
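Review bot: "On premises" in the new heading is used attributively and should be hyphenated, "On-premises OPC Vault Edge Module as OPC UA Global Discovery Server (GDS)". The rewritten bullet now lists "create certificate for Administrator" next to "signing permissions for Approver", which matches the `Create`/`Import` certificate permissions the new manage page assigns to Administrators; keep those two in sync when either changes.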
@ -56,18 +75,6 @@ A Powershell deployment script automatically builds and deploys the services to
**Known limitations:** At this time the GDS can only act in a reader role with limited functionality due to the lack of user OAuth2 authentication support in the OPC UA .NetStandard SDK. For development purposes and testing, the Azure AD registration can be enabled for a 'Writer' role to allow to create certificate requests and to update applications,
but this configuration is not recommended for use in production deployments.
## Documentation
### [OPC UA Certificate Management Service Overview](docs/opcvault-services-overview.md)
### [How to Build and Deploy the service to Azure](docs/howto-deploy-services.md)
### [How to Build, Run and Debug the services locally](docs/howto-develop-locally.md)
### [How to Manage certificates with the Web Sample Application](docs/howto-use-cert-services.md)
### [How to run a Secure Certificate Service](docs/howto-secureca-services.md)
## Contributing
This project welcomes contributions and suggestions. Most contributions require you to agree to a
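Review bot: The Documentation block removed here had five entries; the one added at the top of the README has six (the new "How to manage the Certificate Service" page) and renames "How to Manage certificates with the Web Sample Application" to "How to get signed certificates with the Web Sample Application", which the commit message does not mention; worth calling out. In the unchanged "Known limitations" text, "to allow to create certificate requests" reads better as "to allow creating certificate requests".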

View file

@ -30,6 +30,8 @@ Project("{2150E333-8FDC-42A3-9474-1A3956D46DE8}") = "docs", "docs", "{E9C6A792-1
ProjectSection(SolutionItems) = preProject
CONTRIBUTING.md = CONTRIBUTING.md
docs\howto-deploy-services.md = docs\howto-deploy-services.md
docs\howto-develop-locally.md = docs\howto-develop-locally.md
docs\howto-manage-cert-services.md = docs\howto-manage-cert-services.md
docs\howto-secureca-services.md = docs\howto-secureca-services.md
docs\howto-use-cert-services.md = docs\howto-use-cert-services.md
docs\opcvault-services-overview.md = docs\opcvault-services-overview.md

View file

@ -1,6 +1,6 @@
# Azure Industrial IoT Services
## Build and Deploy the OPC UA Certificate Management Service and dependencies
# Build and Deploy the OPC UA Certificate Management Service and dependencies
This article explains how to deploy the OPC UA Certificate Management Service in Azure.
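Review bot: Promoting "Build and Deploy the OPC UA Certificate Management Service and dependencies" from `##` to `#` leaves the page with two H1 headings, since "# Azure Industrial IoT Services" sits directly above it; if that first line is meant as a site-wide banner, keep the article title at `##` or drop the banner heading. The same promotion is made in the other howto pages of this commit.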
@ -57,7 +57,7 @@ To start the local dotnet GDS server:
```
In case you run into issues please follow the steps [below](#Troubleshooting-deployment-failures).
8. Open your favorite browser and open the application page: `https://myResourceGroup-app.azurewebsites.net`
8. Open your favorite browser and open the application page: `https://myResourceGroup.azurewebsites.net`
8. Give the web app and the OPC Vault microservice a few minutes to warm up after deployment. The web home page may hang on first use for up to a minute until you get the first responses.
11. To take a look at the Swagger Api open: `https://myResourceGroup-service.azurewebsites.net`
13. To start a local GDS server with dotnet start `.\myResourceGroup-gds.cmd` or with docker start `.\myResourceGroup-dockergds.cmd`.
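Review bot: Step 8 changes the web app address from `https://myResourceGroup-app.azurewebsites.net` to `https://myResourceGroup.azurewebsites.net`, but the new manage page in this same commit still uses the `-app` form in its first section and the suffix-less form in its CRL section; settle on one host name and use it in all three places. The step numbers in the unchanged lines run 8, 8, 11, 13; renumber them while this section is being touched.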
@ -94,7 +94,7 @@ Other names of services are built by the combination of short name hashes and ar
### Azure Active Directory (AAD) Registration
The deployment script tries to register 3 AAD applications in Azure Active Directory.
Depending on your rights to the selected AAD tenant, this operation might fail. There are 2 options:
Depending on your permissions in the selected AAD tenant, this operation might fail. There are 2 options:
1. If you chose a AAD tenant from a list of tenants, restart the script and choose a different one from the list.
2. Alternatively, deploy a private AAD tenant in another subscription, restart the script and select to use it.
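Review bot: "rights" to "permissions" is fine; while this line is being edited, the next unchanged line still says "If you chose a AAD tenant", which should be "an AAD tenant".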

View file

@ -1,6 +1,6 @@
# Azure Industrial IoT Services
## How to build, run and debug the services locally.
# How to build, run and debug the services locally.
@ -14,7 +14,7 @@ All the tools you need for .Net Standard come with the .Net Core tools. See [her
1. [Install .NET Core 2.1+][dotnet-install].
2. [Install Docker][docker-url] (optional, only if the local OPC Vault Edge module docker container is required).
3. Install Visual Studio 2017 with support for C# and ASP.NET Core.
3. [Install Visual Studio 2017][vs-install-url] with support for C# and ASP.NET Core.
### Clone the repository
@ -49,7 +49,7 @@ During deployment, the user who deploys the service is added with read access to
### Configure the OPC Vault microservice
To configure the microservice locally, create a copy of `appsettings.json` in the `/src` project folder and call it `appsettings.development.json`. The configuration values then need to be filled in the template. The values are found in the Azure portal within the Azure AD application configuration for the microservice and the application.<br>For simplicity, the configuration values are also saved during deployment in a file called: `resourcegroupname-service.appsettings.Development.json`. The configuration values can be either copied and pasted one by one or the file itself can be copied to the `/src` folder and be renamed to `appsettings.Development.json`.
To configure the microservice locally, create a copy of `appsettings.json` in the `/src` project folder and call it `appsettings.Development.json`. The configuration values then need to be filled in the template. The values are found in the Azure portal within the Azure AD application configuration for the microservice and the application.<br>For simplicity, the configuration values are also saved during deployment in a file called: `resourcegroupname-service.appsettings.Development.json`. The configuration values can be either copied and pasted one by one or the file itself can be copied to the `/src` folder and be renamed to `appsettings.Development.json`.
### Configure the Web Sample Application
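Review bot: Good catch on the casing. ASP.NET Core loads `appsettings.{EnvironmentName}.json` and the default development environment name is `Development`, so on a case-sensitive file system (Linux, a Docker build) a file named `appsettings.development.json` is silently ignored and the microservice starts without its Azure AD values. Since the file carries the tenant-specific Azure AD configuration copied from the portal, it is worth adding one sentence confirming it is excluded from source control.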
@ -62,14 +62,14 @@ The OPC Vault edge module uses a different configuration mechanism than the ASP.
The startup batch files with the module configurations are created during deployment. In addition, the `/deploy` folder contains a `resourcegroup.module.config` file which contains the command line parameters needed to start the module in Visual Studio. Copy the following command line parameters from the config file:
```
--vault="https://resourcegroup-service.azurewebsites.net"
--resource="1234d010-0345-0201-1234-3dc9008ddea0"
--clientid="1234b294-738b-0102-1234-2d3cdd49b307"
--secret="1234JjxLw3g2Av70+TWfE9PQfj56787DNC51Kbrr+uY="
--tenantid="12341234-5678-431c-8b2e-1234f2121da5"
--vault="url of the microservice"
--resource="app id guid of the microservice"
--clientid="app id guid of the module"
--secret="app secret of the module"
--tenantid="tenant id guid of the microservice"
```
(sample id Values above are only placeholders)
(sample id values must be real guids, urls and secrets)
Right click the project and select `Properties`, then `Debug`. Paste the arguments in the `Application Arguments` field. This will start the OPC Vault edge module with correct parameters to connect to the cloud service. To connect to the OPC Vault microservice running locally replace the `--vault` parameter with the service address at the localhost as below <br>`--vault="http://localhost:58801`.
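Review bot: Replacing the realistic-looking `--resource`, `--clientid`, `--secret` and `--tenantid` values with descriptive placeholders is the right call: a base64 string on the `--secret` line of a public doc trips secret scanners and invites copy-paste of a fake credential, and the new sentence below the block makes clear the real values must be GUIDs, URLs and secrets. Two small things in the unchanged last line of the hunk: `--vault="http://localhost:58801` is missing its closing quote, and it deliberately uses plain `http://` for the local service; say that this is only for localhost debugging so nobody carries it into a deployed configuration.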
@ -77,7 +77,7 @@ Right click the project and select `Properties`, then `Debug`. Paste the argumen
Steps using Visual Studio 2017:
1. Open the solution using `azure-iiot-opc-vault-service.sln`.
1. Open the solution using `azure-iiot-opc-vault-service.sln`. *Note: `azure-iiot-opc-vault-service-develop.sln` allows to debug with source instead of nuget packages of the azure-iiot-solutions and the OPC UA.NetStandard stack.*
2. When the solution is loaded, right click on the solution node,
select `Properties` and go to the `Startup Project` section.
3. Choose `Multiple Startup Projects`. The OPC Vault microservice project `...Services.Vault` is always required. The application project `...Services.Vault.App` and/or the OPC Vault edge module `...Modules.Vault` are optional to debug the application and the edge module. Set projects to `Start` for debugging.
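Review bot: In the added note, "allows to debug with source instead of nuget packages" should read "allows debugging with source instead of the NuGet packages", and "OPC UA.NetStandard" has a stray space compared with "OPC UA .NetStandard" used in the README.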
@ -98,8 +98,7 @@ To deploy the services for each from Visual Studio:
6. Depending on the selected project, navigate to the `/deploy` folder and chose the matching `yourresourcegroup.publishsettings` file for the app or `yourresourcegroup-service.publishsettings` for the microservice and import it.
7. Now the app or the microservice can be deployed with a right click on `Publish`.
1.
[docker-url]: https://www.docker.com/
[dotnet-install]: https://www.microsoft.com/net/learn/get-started
[vs-install-url]: https://www.visualstudio.com/downloads
[dotnetcore-tools-url]: https://www.microsoft.com/net/core#windowsvs2017
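Review bot: The `[vs-install-url]` definition added here resolves the reference introduced in the prerequisites hunk above, good. The stray `1.` on its own line just before the link definitions is an empty list item that renders as a dangling "1."; remove it.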

View file

@ -0,0 +1,114 @@
# Azure Industrial IoT Services
# How to manage the OPC UA Certificate Service
This article explains the administrative tasks for the OPC UA Certificate Management Service in Azure, how to renew Issuer CA certificates, how to renew the CRL and how to grant and revoke user access.
## Create or renew the root CA certificate
This is a mandatory step after deployment. Without a valid Issuer CA certificate no application certificates can be signed and issued.<br>Please refer to chapter about [Certificate Lifetimes](howto-use-cert-services.md##Certificates) to manage your certificates with reasonable, secure lifetimes.
An Issuer CA certificate should typically be renewed after half of its lifetime, but no later than before the configured lifetime of a newly signed application certificate would exceed the lifetime of the Issuer certificate.<br>
**Important Note:** The 'Administrator' role is required to create or renew the Issuer CA certificate.
1. Open your certificate service at `https://myResourceGroup-app.azurewebsites.net` and login.
2. Navigate to the `Certificate Groups` page.
3. There is one `Default` Certificate Group listed. Click on `Edit`.
4. In `Edit Certificate Group Details` you can modify the Subject Name and Lifetime of your CA and application certificates.<br>The subject and the lifetimes should only be set once before the first CA certificate is issued. Lifetime changes during operations may result in inconsistent lifetimes of issued certificates and CRLs.
5. Enter a valid Subject in the valid, e.g. `CN=My CA Root, O=MyCompany, OU=MyDepartment`.<br>
**Important Note:** Changing the subject requires to renew the Issuer certificate, or the service will fail to sign application certificates. The subject of the configuration is sanity checked against the subject of the active Issuer certificate. If the subjects do not match, certificate signing is refused.
6. Click on the `Save` button.
7. If you hit a 'forbidden' error at this point, your user credentials do not have the administrator permission to modify or create a new root cert. By default, the user who deployed the service has administrator and signing roles with the service, other users need to be added to the 'Approver', 'Writer' or 'Administrator' roles as appropriate in the AzureAD application registration.
8. Click on the `Details` button. The `View Certificate Group Details` should display the updated information.
9. Click on the `Renew CA Certificate` button to issue the first Issuer CA certificate or to renew the Issuer certificate. Press `Ok` to proceed.
10. After a few seconds the `Certificate Details` are shown. Press `Issuer` or `Crl` to download the latest CA certificate and CRL for distribution to your OPC UA applications.
11. Now the OPC UA Certificate Management Service is ready to issue certificates for OPC UA applications.
## Renew the CRL
Renewal of the Certificate Revocation List (CRL) is an update which should be distributed to the applications at regular intervals. OPC UA devices, which support the CRL Distribution Point X509 extension, can directly update the CRL from the microservice endpoint. Other OPC UA devices may require manual updates or in the best case, can be updated using GDS server push extensions (*) to update the trust lists with the certificates and CRLs.
In the following workflow all certificate requests in the deleted state are revoked in the CRLs which correspond to the Issuer CA certificate they were issued for. The version number of the CRL is incremented by 1. <br>
*Note: All issued CRL are valid until the expiry of the Issuer CA certificate, because the OPC UA specification does not require a mandatory, deterministic distribution model for CRL.*
**Important Note:** The 'Administrator' role is required to renew the Issuer CRL.
1. Open your certificate service at `https://myResourceGroup.azurewebsites.net` and login.
2. Navigate to the `Certificate Groups` page.
3. Click on the `Details` button. The `View Certificate Group Details` should display the current certificate and CRL information.
4. Click on the `Update CRL Revocation List(CRL)` button to issue an updated CRL for all active Issuer certificates in the OPC Vault storage.
5. After a few seconds the `Certificate Details` are shown. Press `Issuer` or `Crl` to download the latest CA certificate and CRL for distribution to your OPC UA applications.
## Manage User Roles
User roles for the OPC Vault microservice are managed in the Azure Active Directory Enterprise Application.
For a detailed description of the role definitions please refer to the [Roles](howto-secureca-services.md##Roles) section.
By default, a authenticated user in the tenant can sign in the service as a 'Reader'. Higher priviledged roles require manual management in the Azure portal or using Powershell.
### Add User
1. Open the Azure Portal at `portal.azure.com`.
2. Navigate to `Azure Active Directory`/`Enterprise applications`.
3. Choose the registration of the OPC Vault microservice, by default your `resourceGroupName-service`.
4. Navigate to `Users and Groups`.
5. Click on `Add User`.
6. Select or invite the user for assignment to a specific role.
7. Select the role for the users.
8. Press the `Assign` button.
9. For users in `Administrator` or `Approver` role, continue to add Azure Key Vault access policies.
### Remove User
1. Open the Azure Portal at `portal.azure.com`.
2. Navigate to `Azure Active Directory`/`Enterprise applications`.
3. Choose the registration of the OPC Vault microservice, by default your `resourceGroupName-service`.
4. Navigate to `Users and Groups`.
5. Select a user with a role to remove.
6. Press the `Remove` button.
7. Remove removed Administrators and Approvers also from Azure Key Vault policies.
### Add User Access Policy to Azure Key Vault
Additional access policies are required for **Approvers** and **Administrators**.
By default, the service identity has only limited permissions to access Key Vault to prevent elevated operations or changes to take place without user impersonation. The basic service permissions are `Get` and `List` for both secrets and certificates. For secrets there is only one exception, the service can `Delete` a private key from the secret store once accepted by a user. All other operations require user impersonated permissions.<br>
#### For an **Approver role** the following permissions must be added to Key Vault:
1. Open the Azure Portal at `portal.azure.com`.
2. Navigate to your OPC Vault `resourceGroupName`used during deployment.
3. Navigate to the Key Vault `resourceGroupName-xxxxx`.
4. Navigate to the `Access Policies`.
5. Click on `Add new`.
6. Skip the template, there is no template which matches requirements.
7. Click on `Select Principal` and select the user to be added or invite a new user to the tenant.
8. Check `Key permissions`: `Get`, `List` and most importantly `Sign`.
9. Check `Secret permissions`: `Get`, `List`, `Set` and `Delete`.
10. Check `Certificate permissions`: `Get`and `List`.
11. Click `Ok`.
12. `Save`changes.
#### For an **Administrator role** the following permissions must be added to Key Vault:
1. Open the Azure Portal at `portal.azure.com`.
2. Navigate to your OPC Vault `resourceGroupName`used during deployment.
3. Navigate to the Key Vault `resourceGroupName-xxxxx`.
4. Navigate to the `Access Policies`.
5. Click on `Add new`.
6. Skip the template, there is no template which matches requirements.
7. Click on `Select Principal` and select the user to be added or invite a new user to the tenant.
8. Check `Key permissions`: `Get`, `List` and most importantly `Sign`.
9. Check `Secret permissions`: `Get`, `List`, `Set` and `Delete`.
10. Check `Certificate permissions`: `Get`, `List`, `Update`, `Create` and`Import`.
11. Click `Ok`.
12. `Save`changes.
### Remove User Access Policy from Azure Key Vault
1. Open the Azure Portal at `portal.azure.com`.
2. Navigate to your OPC Vault `resourceGroupName`used during deployment.
3. Navigate to the Key Vault `resourceGroupName-xxxxx`.
4. Navigate to the `Access Policies`.
5. Find the user to remove and click on `... / Delete` to delete user access.
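Review bot: The new page uses two different host names for the web app: step 1 of "Create or renew the root CA certificate" says `https://myResourceGroup-app.azurewebsites.net` while step 1 of "Renew the CRL" says `https://myResourceGroup.azurewebsites.net`; use one. Other fixes before merge: the cross-references `howto-use-cert-services.md##Certificates` and `howto-secureca-services.md##Roles` have a doubled `#` and will not resolve; step 5 "Enter a valid Subject in the valid, e.g." is missing a word; "Update CRL Revocation List(CRL)" repeats itself; "Remove removed Administrators and Approvers" reads oddly; "priviledged" should be "privileged"; and several steps lack a space after a closing backtick (`resourceGroupName`used, `Get`and, `Save`changes, and`Import`). On substance, the note that every issued CRL stays valid until the Issuer CA expires deserves its consequence spelled out: a relying party that only refreshes at the CRL's next-update time will never fetch a newer CRL on its own, so a revocation takes effect only once the updated CRL is pushed to the device or the device pulls it from the distribution point, as the section's first paragraph already hints.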

View file

@ -1,3 +1,5 @@
# Azure Industrial IoT Services
# How to run the Certificate Management Service securely
This article explains how to manage the OPC UA Certificate Management Service securely in Azure and other guidelines to consider.
@ -14,20 +16,20 @@ This task requires manual assignment of roles and services in the Azure AD Enter
### Certificate Management Service Roles
The service defines the following roles:
The microservice defines the following roles:
- **Reader**: By default any authenticated user in the tenant has read access.
- Read access to applications and certificate requests. Can list and query for applications and certificate requests. Also device discovery information and public certificates are accessible with read access.
- **Writer**: The writer role is assigned to a user to add write permissions for certain tasks.
- **Writer**: The Writer role is assigned to a user to add write permissions for certain tasks.
- Read/Write access to applications and certificate requests. Can register, update and unregister applications. Can create certificate requests and obtain approved private keys and certificates. Can also delete private keys.
- **Approver**: The approver role is assigned to a user to approve or reject certificate requests. The role does not include any other role.
- In addition to the Approver role to access the OPC Vault microservice Api the user must also have signing rights in Key Vault to be able to sign the certificates.
- **Approver**: The Approver role is assigned to a user to approve or reject certificate requests. The role does not include any other role.
- In addition to the Approver role to access the OPC Vault microservice Api the user must also have the key signing permission in Key Vault to be able to sign the certificates.
- The Writer and Approver role should be assigned to different users.
- The main role of the Approver is the Approval of the generation and rejection of certificate requests.
- **Administrator**: The administrator role is assigned to a user to manage the certificate groups. The role does not support the Approver role, but includes the Writer role.
- **Administrator**: The Administrator role is assigned to a user to manage the certificate groups. The role does not support the Approver role, but includes the Writer role.
- The administrator can manage the certificate groups, change the configuration and revoke application certificates by issueing a new CRL.
- Ideally, Writer, Approver and Administrator role are assigned to different users. For additional security, a user with Approver or Administrator role needs also Key Signing rights in KeyVault to issue certificates or to renew an Issuer CA certificate.
- In addition to the service role, the role includes also but is not limited to:
- Ideally, Writer, Approver and Administrator roles are assigned to different users. For additional security, a user with Approver or Administrator role needs also key signing permission in KeyVault to issue certificates or to renew an Issuer CA certificate.
- In addition to the microservice role, the role includes also but is not limited to:
- Responsible for administering the implementation of the CAs security practices.
- Management of the generation, revocation, and suspension of certificates.
- Cryptographic key life cycle management (e.g. the renewal of the Issuer CA keys).
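Review bot: The role bullets are now capitalized consistently (Writer, Approver, Administrator) and the separation-of-duties statements are clearer, but the commit is titled "fix typos" and the unchanged "revoke application certificates by issueing a new CRL" under Administrator still needs "issuing". In the rewritten line "In addition to the microservice role, the role includes also but is not limited to:", "includes also but is not limited to" should read "also includes, but is not limited to,".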
@ -213,7 +215,7 @@ The OPC Vault microservice SOP is described in the [Overview](opcvault-services-
### Document and maintain standard operational PKI practices for certificate revocation
The certificate revokation process is described in the [Overview](opcvault-services-overview.md) and the [How to use](howto-use-cert-services.md) documents.
The certificate revokation process is described in the [Overview](opcvault-services-overview.md) and the [How to manage](howto-manage-cert-services.md) documents.
### Document Certification Authority key generation ceremony
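Review bot: This line is edited to point at the new manage page, but "revokation" is carried over unchanged; since the commit's purpose is fixing typos, change it to "revocation" here.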

View file

@ -1,8 +1,8 @@
# Azure Industrial IoT Services
## How to use the Azure Industrial IoT OPC UA Certificate Management Service
# How to use the OPC UA Certificate Management Service
This article explains how to manage the OPC UA Certificate Management Service in Azure, how to register applications and how to issue signed application certificates for your OPC UA devices.
This article explains how to register applications and how to issue signed application certificates for your OPC UA devices.
## Prerequisites
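Review bot: The narrowed intro ("how to register applications and how to issue signed application certificates") matches the content that now remains on this page, good. Same two-H1 issue as the other pages: "# Azure Industrial IoT Services" followed by "# How to use the OPC UA Certificate Management Service".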
@ -11,22 +11,11 @@ This article explains how to manage the OPC UA Certificate Management Service in
First of all, the service needs to be deployed to the Azure cloud.
Please find an article describing how to deploy the Certificate Management Service [here](howto-deploy-services.md).
### Create the root CA certificate
### Create the Issuer CA certificate
This is a mandatory step after deployment. Without a valid Issuer CA certificate no application certificates can be signed and issued.<br>
**Important Note:** The 'Administrator' role is required to create or renew the Issuer CA certificate.
If you have not done so yet, create the Issuer CA certificate.
1. Open your certificate service at `https://myResourceGroup-app.azurewebsites.net` and login.
2. Navigate to the `Certificate Groups` page.
3. There is one `Default` Certificate Group listed. Click on `Edit`.
4. In `Edit Certificate Group Details` you can modify the Subject Name and Lifetime of your CA and application certificates.
5. Enter a valid Subject in the valid, e.g. `CN=My CA Root, O=MyCompany, OU=MyDepartment`.
6. Click on the `Save` button.
7. If you hit a 'forbidden' error at this point, the user you are logged in with doesn't have the rights to modify or create a new root cert. By default the user who deployed the service has management and signing roles with the service, other users need to be added to the 'Approver', 'Writer' or 'Administrator' roles as appropriate in the AzureAD application registration.
8. Click on the `Details` button. The `View Certificate Group Details` should display the updated information.
9. Click on the `Renew CA Certificate` button to issue your first root CA certificate. Press `Ok` to proceed.
10. After a few seconds the `Certificate Details` are shown. Press `Issuer` or `Crl` to download the latest CA certificate and CRL for distribution to your OPC UA applications.
11. Now the OPC UA Certificate Management Service is ready to issue certificates for OPC UA applications.
Please find an article describing how to create and manage the Issuer certificate [here](howto-manage-cert-services.md).
## Secure OPC UA applications
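Review bot: Replacing the eleven duplicated steps with a link to howto-manage-cert-services.md removes a copy that had already drifted (the removed step 7 said "management and signing roles" where the manage page says "administrator and signing roles"), good. The two lines kept above the link ("This is a mandatory step after deployment..." and the "Important Note" about the Administrator role) are still duplicated verbatim on the manage page; either shorten them to a one-line pointer or drop them so there is a single source.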
@ -68,7 +57,7 @@ In general, the CSR method is recommended, because it doesn't require a private
![Approve Certificate](ApproveReject.png "Approve Certificate")
5. The approval step requires a user with 'Approver' role and with signing rights in Azure Key Vault. In the typical workflow the Approver and Requester role should be assigned to different users.
5. The approval step requires a user with 'Approver' role and with signing permissions in Azure Key Vault. In the typical workflow the Approver and Requester role should be assigned to different users.
6. Approve or Reject the certificate request to start or cancel the actual creation of the key pair and the signing operation. The new key pair is created and stored securely in Azure Key Vault until downloaded by the certificate requester. The resulting certificate with public key is signed by the CA. These operations may take a few seconds to finish.
![View Key Pair](ViewKeyPair.png "View Key Pair")
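Review bot: "signing rights" to "signing permissions" is consistent with the README change. The same step still says "the Approver and Requester role should be assigned to different users" while the roles page calls the requesting role "Writer"; align the wording so readers can map it to the Azure AD role they assign.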
@ -93,7 +82,7 @@ In general, the CSR method is recommended, because it doesn't require a private
![Approve CSR](ApproveRejectCSR.png "Approve CSR")
5. The approval step requires a user with 'Approver' role and with signing rights in Azure Key Vault. Approve or Reject the certificate request to start or cancel the actual signing operation. The resulting certificate with public key is signed by the CA. This operation may take a few seconds to finish.
5. The approval step requires a user with 'Approver' role and with signing permissions in Azure Key Vault. Approve or Reject the certificate request to start or cancel the actual signing operation. The resulting certificate with public key is signed by the CA. This operation may take a few seconds to finish.
![View Certificate](ViewCertCSR.png "View Certificate")

View file

@ -40,7 +40,7 @@ OPC Vault provides a microservice to host a company specific CA in a secure
cloud, backed by Azure AD secured services with Azure Key Vault with HSM,
Cosmos DB and optionally also IoT Hub as application store.
The OPC Vault micro service is designed to support role based workflow where OT
The OPC Vault microservice is designed to support role based workflow where OT
personal requests signed application certificates and where security
administrators and approvers with signing rights in Azure Key Vault
approve or reject these requests.
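Review bot: "micro service" to "microservice" matches the rest of the docs, but the next unchanged line, "where OT personal requests signed application certificates", should read "personnel"; this hunk is the natural place to fix it.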
@ -118,7 +118,7 @@ execute as a local .Net Core application or can be started in a docker image.
Due to a lack of Auth2 authentication support in the current OPC UA .Net Standard stack,
the functionality of the OPC Vault edge module is limited to a Reader role, because a user cannot be
impersonated from the edge module to the micro service using the OPC UA GDS standard interface.
Only operations which do not require the Write, Manage or Sign role are permitted at this point[(*)](#Yet-Unsupported-features).
Only operations which do not require the Writer, Administrator or Approver role are permitted at this point[(*)](#Yet-Unsupported-features).
## Yet Unsupported features
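Review bot: Naming the roles "Writer, Administrator or Approver" aligns this sentence with the roles page. The unchanged sentence two lines above says "Due to a lack of Auth2 authentication support", which should be "OAuth2", as the README's known-limitations text already has it.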