-
You need to distinguish between transport security (e.g. Sign&Encrypt) and UserAuth via certificates (peer-certificate). Each OPC UA application needs its own x509v3 Instance-Certificate with the subjectAltName extension! (And a private key, of course.)
-
I tried using the server and client examples of encryption, but they didn't work. In theory, I need to create my own certificates with OpenSSL and the example in the repository. However, I don't understand how they work. In the server, you add a user to a certificate named "peer-certificate-example-1.der" and then load the certificate and private key called "certificate-example" and "private-key-example", respectively. In the client, to connect, I need to use the first certificate and the key "peer-certificate-example-1" and then add the server's certificate "certificate-example" in "set_security".
I think the client needs a certificate with a key ("peer-certificate-example-1") and the server needs another one ("certificate-example/private-key-example"), and then they need to read each other's certificates. However, I don't understand whether I need to do something specific for the client and something else for the server, or just make two copies of the same certificate but with different names.
I've tried making my own certificates and keys, but nothing seems to work. I also don't know whether, in the server, the "name" I set is something from the certificate or whether I can write anything, and when I create the certificate, I don't know whether in "subjectAltName = " I need to write the server endpoint "opc.tcp://localhost:4840/freeopcua/server/".
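The two posts above turn on the same point: the server and the client are separate OPC UA applications, so each gets its own key pair and its own instance certificate with a subjectAltName. The script below is an added example, not part of the thread or of the project's repository. It assumes OpenSSL 1.1.1 or later, and that the URI entry in subjectAltName is the application URI the application is configured with (the OPC UA convention). The `urn:example:...` URIs, the host name and all file names are constructed.

```shell
#!/bin/sh
# Added example (constructed names and URIs): one private key and one
# self-signed application instance certificate per OPC UA application.

# make_app_cert NAME APP_URI DNS_NAME OUT_DIR
make_app_cert() {
    name=$1 app_uri=$2 dns=$3 out=$4
    cat > "$out/$name.cnf" <<EOF
[ req ]
distinguished_name = dn
x509_extensions = v3
prompt = no
[ dn ]
CN = $name
[ v3 ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth, clientAuth
# SAN carries the application URI plus the host name (assumed convention)
subjectAltName = URI:$app_uri, DNS:$dns
EOF
    # Fresh RSA key per application; PEM certificate, then a DER copy
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -config "$out/$name.cnf" \
        -keyout "$out/$name-key.pem" -out "$out/$name-cert.pem" 2>/dev/null &&
    openssl x509 -in "$out/$name-cert.pem" -outform der -out "$out/$name-cert.der"
}

# san_of CERT_PEM: print the subjectAltName line of a certificate
san_of() {
    openssl x509 -in "$1" -noout -text |
        grep -A1 'Subject Alternative Name' | tail -n 1
}

# fp_of CERT_PEM: SHA-256 fingerprint, to confirm the two certs differ
fp_of() {
    openssl x509 -in "$1" -noout -fingerprint -sha256
}

work=$(mktemp -d)
make_app_cert server urn:example:opcua:server localhost "$work"
make_app_cert client urn:example:opcua:client localhost "$work"
# Server side: loads server-cert/server-key, is given client-cert.der to trust.
# Client side: loads client-cert/client-key, is given server-cert.
san_of "$work/server-cert.pem"
san_of "$work/client-cert.pem"
```

Only the certificates are exchanged between the two sides; each private key stays with the application it was generated for.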