OPCFoundation
diff --git a/‎Libraries/Opc.Ua.Client/ReverseConnectManager.cs‎
Lines changed: 8 additions & 2 deletions b/‎Libraries/Opc.Ua.Client/ReverseConnectManager.cs‎
Lines changed: 8 additions & 2 deletions
diff --git a/‎Libraries/Opc.Ua.Client/Session/Session.cs‎
Lines changed: 16 additions & 27 deletions b/‎Libraries/Opc.Ua.Client/Session/Session.cs‎
Lines changed: 16 additions & 27 deletions
diff --git a/‎Libraries/Opc.Ua.Configuration/ApplicationInstance.cs‎
Lines changed: 39 additions & 21 deletions b/‎Libraries/Opc.Ua.Configuration/ApplicationInstance.cs‎
Lines changed: 39 additions & 21 deletions
diff --git a/‎Libraries/Opc.Ua.Gds.Client.Common/CertificateWrapper.cs‎
Lines changed: 2 additions & 1 deletion b/‎Libraries/Opc.Ua.Gds.Client.Common/CertificateWrapper.cs‎
Lines changed: 2 additions & 1 deletion
diff --git a/‎Libraries/Opc.Ua.Security.Certificates/Extensions/X509SubjectAltNameExtension.cs‎
Lines changed: 23 additions & 4 deletions b/‎Libraries/Opc.Ua.Security.Certificates/Extensions/X509SubjectAltNameExtension.cs‎
Lines changed: 23 additions & 4 deletions
diff --git a/‎Libraries/Opc.Ua.Server/Configuration/ConfigurationNodeManager.cs‎
Lines changed: 2 additions & 2 deletions b/‎Libraries/Opc.Ua.Server/Configuration/ConfigurationNodeManager.cs‎
Lines changed: 2 additions & 2 deletions
diff --git a/‎Libraries/Opc.Ua.Server/Server/StandardServer.cs‎
Lines changed: 18 additions & 22 deletions b/‎Libraries/Opc.Ua.Server/Server/StandardServer.cs‎
Lines changed: 18 additions & 22 deletions
diff --git a/‎Stack/Opc.Ua.Core/Schema/ApplicationConfiguration.cs‎
Lines changed: 38 additions & 13 deletions b/‎Stack/Opc.Ua.Core/Schema/ApplicationConfiguration.cs‎
Lines changed: 38 additions & 13 deletions
@@ -153,15 +153,21 @@ public Registration(
             }
 
             /// <summary>
-            /// Register with the server certificate.
+            /// Register with the server certificate to extract the application Uri.
             /// </summary>
+            /// <remarks>
+            /// The first Uri in the subject alternate name field is considered the application Uri.
+            /// </remarks>
+            /// <param name="serverCertificate">The server certificate with the application Uri.</param>
+            /// <param name="endpointUrl">The endpoint Url of the server.</param>
+            /// <param name="onConnectionWaiting">The connection to use.</param>
             public Registration(
                 X509Certificate2 serverCertificate,
                 Uri endpointUrl,
                 EventHandler<ConnectionWaitingEventArgs> onConnectionWaiting)
                 : this(endpointUrl, onConnectionWaiting)
             {
-                ServerUri = X509Utils.GetApplicationUriFromCertificate(serverCertificate);
+                ServerUri = X509Utils.GetApplicationUrisFromCertificate(serverCertificate).FirstOrDefault();
             }
 
             private Registration(
 
@@ -1707,8 +1707,6 @@ public async Task OpenAsync(
 
                 if (requireEncryption)
                 {
-                    // validation skipped until IOP isses are resolved.
-                    // ValidateServerCertificateApplicationUri(serverCertificate);
                     if (checkDomain)
                     {
                         await m_configuration
@@ -1836,6 +1834,8 @@ await m_configuration
 
                 ValidateServerEndpoints(serverEndpoints);
 
+                ValidateServerCertificateApplicationUri(serverCertificate, m_endpoint);
+
                 ValidateServerSignature(
                     serverCertificate,
                     serverSignature,
@@ -6351,31 +6351,6 @@ private void OpenValidateIdentity(
             }
         }
 
-#if UNUSED
-        /// <summary>
-        /// Validates the ServerCertificate ApplicationUri to match the ApplicationUri of the Endpoint
-        /// for an open call (Spec Part 4 5.4.1)
-        /// </summary>
-        private void ValidateServerCertificateApplicationUri(X509Certificate2 serverCertificate)
-        {
-            string applicationUri = m_endpoint?.Description?.Server?.ApplicationUri;
-            //check is only neccessary if the ApplicatioUri is specified for the Endpoint
-            if (string.IsNullOrEmpty(applicationUri))
-            {
-                throw ServiceResultException.Create(
-                    StatusCodes.BadSecurityChecksFailed,
-                    "No ApplicationUri is specified for the server in the EndpointDescription.");
-            }
-            string certificateApplicationUri = X509Utils.GetApplicationUriFromCertificate(serverCertificate);
-            if (!string.Equals(certificateApplicationUri, applicationUri, StringComparison.Ordinal))
-            {
-                throw ServiceResultException.Create(
-                    StatusCodes.BadSecurityChecksFailed,
-                    "Server did not return a Certificate matching the ApplicationUri specified in the EndpointDescription.");
-            }
-        }
-#endif
-
         private void BuildCertificateData(
             out byte[] clientCertificateData,
             out byte[] clientCertificateChainData)
@@ -6488,6 +6463,20 @@ private void ValidateServerSignature(
             }
         }
 
+        /// <summary>
+        /// Validates the ServerCertificate ApplicationUri to match the ApplicationUri
+        /// of the Endpoint (Spec Part 4 5.4.1) returned by the CreateSessionResponse.
+        /// Ensure the endpoint was matched in <see cref="ValidateServerEndpoints"/>
+        /// with the applicationUri of the server description before the validation.
+        /// </summary>
+        private void ValidateServerCertificateApplicationUri(X509Certificate2 serverCertificate, ConfiguredEndpoint endpoint)
+        {
+            if (serverCertificate != null)
+            {
+                m_configuration.CertificateValidator.ValidateApplicationUri(serverCertificate, endpoint);
+            }
+        }
+
         /// <summary>
         /// Validates the server endpoints returned.
         /// </summary>
 
@@ -358,11 +358,16 @@ public async ValueTask<bool> CheckApplicationInstanceCertificatesAsync(
                     "Need at least one Application Certificate.");
             }
 
+            // Note: The FindAsync method searches certificates in this order: thumbprint, subjectName, then applicationUri.
+            // When SubjectName or Thumbprint is specified, certificates may be loaded even if their ApplicationUri
+            // doesn't match ApplicationConfiguration.ApplicationUri, however each certificate is validated individually
+            // in CheckApplicationInstanceCertificateAsync (called via CheckOrCreateCertificateAsync) to ensure it contains 
+            // the configuration's ApplicationUri.
             bool result = true;
             foreach (CertificateIdentifier certId in securityConfiguration.ApplicationCertificates)
             {
                 ushort minimumKeySize = certId.GetMinKeySize(securityConfiguration);
-                bool nextResult = await CheckCertificateTypeAsync(
+                bool nextResult = await CheckOrCreateCertificateAsync(
                         certId,
                         silent,
                         minimumKeySize,
@@ -376,10 +381,14 @@ public async ValueTask<bool> CheckApplicationInstanceCertificatesAsync(
         }
 
         /// <summary>
-        /// Check certificate type
+        /// Checks, validates, and optionally creates an application certificate.
+        /// Loads the certificate, validates it against configured requirements (ApplicationUri, key size, domains),
+        /// and creates a new certificate if none exists and auto-creation is enabled.
+        /// Note: FindAsync searches certificates in order: thumbprint, subjectName, applicationUri.
+        /// The applicationUri parameter is only used if thumbprint and subjectName don't find a match.
         /// </summary>
         /// <exception cref="ServiceResultException"></exception>
-        private async Task<bool> CheckCertificateTypeAsync(
+        private async Task<bool> CheckOrCreateCertificateAsync(
             CertificateIdentifier id,
             bool silent,
             ushort minimumKeySize,
@@ -402,7 +411,7 @@ private async Task<bool> CheckCertificateTypeAsync(
             await id.LoadPrivateKeyExAsync(passwordProvider, configuration.ApplicationUri, m_telemetry, ct)
                 .ConfigureAwait(false);
 
-            // load the certificate
+            // load the certificate 
             X509Certificate2 certificate = await id.FindAsync(
                 true,
                 configuration.ApplicationUri,
@@ -738,28 +747,37 @@ await configuration
                 return false;
             }
 
-            // check uri.
-            string applicationUri = X509Utils.GetApplicationUriFromCertificate(certificate);
-
-            if (string.IsNullOrEmpty(applicationUri))
+            // Validate that the certificate contains the configuration's ApplicationUri
+            if (!X509Utils.CompareApplicationUriWithCertificate(certificate, configuration.ApplicationUri, out var certificateUris))
             {
-                const string message =
-                    "The Application URI could not be read from the certificate. Use certificate anyway?";
-                if (!await ApproveMessageAsync(message, silent).ConfigureAwait(false))
+                if (certificateUris.Count == 0)
                 {
-                    return false;
+                    const string message =
+                        "The Application URI could not be found in the certificate. Use certificate anyway?";
+                    if (!await ApproveMessageAsync(message, silent).ConfigureAwait(false))
+                    {
+                        return false;
+                    }
+                }
+                else
+                {
+                    string message = Utils.Format(
+                        "The certificate with subject '{0}' does not contain the ApplicationUri '{1}' from the configuration. Certificate contains: {2}. Use certificate anyway?",
+                        certificate.Subject,
+                        configuration.ApplicationUri,
+                        string.Join(", ", certificateUris));
+
+                    if (!await ApproveMessageAsync(message, silent).ConfigureAwait(false))
+                    {
+                        return false;
+                    }
                 }
-            }
-            else if (!configuration.ApplicationUri.Equals(applicationUri, StringComparison.Ordinal))
-            {
-                m_logger.LogInformation(
-                    "Updated the ApplicationUri: {PreviousApplicationUri} --> {NewApplicationUri}",
-                    configuration.ApplicationUri,
-                    applicationUri);
-                configuration.ApplicationUri = applicationUri;
             }
 
-            m_logger.LogInformation("Using the ApplicationUri: {ApplicationUri}", applicationUri);
+            m_logger.LogInformation(
+                "Certificate {Certificate} validated for ApplicationUri: {ApplicationUri}",
+                certificate.AsLogSafeString(),
+                configuration.ApplicationUri);
 
             // update configuration.
             id.Certificate = certificate;
 
@@ -29,6 +29,7 @@
 
 using System;
 using System.Collections.Generic;
+using System.Linq;
 using System.Runtime.Serialization;
 using System.Security.Cryptography.X509Certificates;
 
@@ -202,7 +203,7 @@ public string ApplicationUri
                 {
                     try
                     {
-                        return X509Utils.GetApplicationUriFromCertificate(Certificate);
+                        return X509Utils.GetApplicationUrisFromCertificate(Certificate).FirstOrDefault();
                     }
                     catch (Exception e)
                     {
 
@@ -116,7 +116,23 @@ public X509SubjectAltNameExtension(string applicationUri, IEnumerable<string> do
         {
             Oid = new Oid(SubjectAltName2Oid, kFriendlyName);
             Critical = false;
-            Initialize(applicationUri, domainNames);
+            Initialize(new string[] { applicationUri }, domainNames);
+            RawData = Encode();
+            m_decoded = true;
+        }
+
+        /// <summary>
+        /// Build the Subject Alternative name extension (for OPC UA application certs).
+        /// </summary>
+        /// <param name="applicationUris">The application Uri</param>
+        /// <param name="domainNames">The domain names. DNS Hostnames, IPv4 or IPv6 addresses</param>
+        public X509SubjectAltNameExtension(
+            IEnumerable<string> applicationUris,
+            IEnumerable<string> domainNames)
+        {
+            Oid = new Oid(SubjectAltName2Oid, kFriendlyName);
+            Critical = false;
+            Initialize(applicationUris, domainNames);
             RawData = Encode();
             m_decoded = true;
         }
@@ -408,14 +424,17 @@ private void Decode(byte[] data)
         /// <summary>
         /// Initialize the Subject Alternative name extension.
         /// </summary>
-        /// <param name="applicationUri">The application Uri</param>
+        /// <param name="applicationUris">The application Uris</param>
         /// <param name="generalNames">The general names. DNS Hostnames, IPv4 or IPv6 addresses</param>
-        private void Initialize(string applicationUri, IEnumerable<string> generalNames)
+        private void Initialize(IEnumerable<string> applicationUris, IEnumerable<string> generalNames)
         {
             var uris = new List<string>();
             var domainNames = new List<string>();
             var ipAddresses = new List<string>();
-            uris.Add(applicationUri);
+            foreach (string applicationUri in applicationUris)
+            {
+                uris.Add(applicationUri);
+            }
             foreach (string generalName in generalNames)
             {
                 switch (Uri.CheckHostName(generalName))
 
@@ -529,8 +529,8 @@ private async ValueTask<UpdateCertificateMethodStateResult> UpdateCertificateAsy
                             cert.CertificateType == certificateTypeId)
                         ?? certificateGroup.ApplicationCertificates.FirstOrDefault(cert =>
                             cert.Certificate != null &&
-                            m_configuration.ApplicationUri ==
-                                X509Utils.GetApplicationUriFromCertificate(cert.Certificate) &&
+                            X509Utils.GetApplicationUrisFromCertificate(cert.Certificate)
+                                .Any(uri => uri.Equals(m_configuration.ApplicationUri, StringComparison.Ordinal)) &&
                             cert.CertificateType == certificateTypeId))
                     ?? throw new ServiceResultException(
                         StatusCodes.BadInvalidArgument,
 
@@ -380,31 +380,27 @@ X509Certificate2Collection clientCertificateChain
 
                         if (context.SecurityPolicyUri != SecurityPolicies.None)
                         {
-                            string certificateApplicationUri = X509Utils
-                                .GetApplicationUriFromCertificate(
-                                    parsedClientCertificate);
-
-                            // verify if applicationUri from ApplicationDescription matches the applicationUri in the client certificate.
-                            if (!string.IsNullOrEmpty(certificateApplicationUri) &&
-                                !string.IsNullOrEmpty(clientDescription.ApplicationUri) &&
-                                certificateApplicationUri != clientDescription.ApplicationUri)
+                            // verify if applicationUri from ApplicationDescription matches the applicationUris in the client certificate.
+                            if (!string.IsNullOrEmpty(clientDescription.ApplicationUri))
                             {
-                                // report the AuditCertificateDataMismatch event for invalid uri
-                                ServerInternal?.ReportAuditCertificateDataMismatchEvent(
-                                    parsedClientCertificate,
-                                    null,
-                                    clientDescription.ApplicationUri,
-                                    StatusCodes.BadCertificateUriInvalid,
-                                    m_logger);
+                                if (!X509Utils.CompareApplicationUriWithCertificate(parsedClientCertificate, clientDescription.ApplicationUri))
+                                {
+                                    // report the AuditCertificateDataMismatch event for invalid uri
+                                    ServerInternal?.ReportAuditCertificateDataMismatchEvent(
+                                        parsedClientCertificate,
+                                        null,
+                                        clientDescription.ApplicationUri,
+                                        StatusCodes.BadCertificateUriInvalid,
+                                        m_logger);
+
+                                    throw ServiceResultException.Create(
+                                        StatusCodes.BadCertificateUriInvalid,
+                                        "The URI specified in the ApplicationDescription {0} does not match the URIs in the Certificate.",
+                                        clientDescription.ApplicationUri);
+                                }
 
-                                throw ServiceResultException.Create(
-                                    StatusCodes.BadCertificateUriInvalid,
-                                    "The URI specified in the ApplicationDescription {0} does not match the URI in the Certificate: {1}.",
-                                    clientDescription.ApplicationUri,
-                                    certificateApplicationUri);
+                                CertificateValidator.Validate(clientCertificateChain);
                             }
-
-                            CertificateValidator.Validate(clientCertificateChain);
                         }
                     }
                     catch (Exception e)
 
@@ -722,33 +722,58 @@ public CertificateIdentifierCollection ApplicationCertificates
             get => m_applicationCertificates;
             set
             {
-                m_applicationCertificates = value ?? [];
+                if (value == null || value.Count == 0)
+                {
+                    m_applicationCertificates = new CertificateIdentifierCollection();
+                    return;
+                }
 
-                IsDeprecatedConfiguration = false;
+                var newCertificates = new CertificateIdentifierCollection(value);
 
-                // Remove any unsupported certificate types.
-                for (int i = m_applicationCertificates.Count - 1; i >= 0; i--)
+                // Remove unsupported certificate types
+                for (int i = newCertificates.Count - 1; i >= 0; i--)
                 {
-                    if (!Utils.IsSupportedCertificateType(
-                        m_applicationCertificates[i].CertificateType))
+                    if (!Utils.IsSupportedCertificateType(newCertificates[i].CertificateType))
                     {
-                        m_applicationCertificates.RemoveAt(i);
+                        // TODO: Log when ITelemetry instance is available
+                        newCertificates.RemoveAt(i);
                     }
                 }
 
-                // Remove any duplicates
-                for (int i = 0; i < m_applicationCertificates.Count; i++)
+                // Remove any duplicates based on thumbprint
+                // Only perform duplicate detection if we have actual loaded certificates
+                for (int i = 0; i < newCertificates.Count; i++)
                 {
-                    for (int j = m_applicationCertificates.Count - 1; j > i; j--)
+                    for (int j = newCertificates.Count - 1; j > i; j--)
                     {
-                        if (m_applicationCertificates[i]
-                                .CertificateType == m_applicationCertificates[j].CertificateType)
+                        bool isDuplicate = false;
+
+                        // Only check for duplicates if both certificates are actually loaded
+                        if (newCertificates[i].Certificate != null && newCertificates[j].Certificate != null)
+                        {
+                            // Compare by actual certificate thumbprint
+                            isDuplicate = newCertificates[i].Certificate.Thumbprint.Equals(
+                                newCertificates[j].Certificate.Thumbprint,
+                                StringComparison.OrdinalIgnoreCase);
+                        }
+                        // If certificates aren't loaded yet, compare by explicit thumbprint configuration
+                        else if (!string.IsNullOrEmpty(newCertificates[i].Thumbprint) &&
+                                 !string.IsNullOrEmpty(newCertificates[j].Thumbprint))
+                        {
+                            isDuplicate = newCertificates[i].Thumbprint.Equals(
+                                newCertificates[j].Thumbprint,
+                                StringComparison.OrdinalIgnoreCase);
+                        }
+
+                        if (isDuplicate)
                         {
-                            m_applicationCertificates.RemoveAt(j);
+                            newCertificates.RemoveAt(j);
                         }
                     }
                 }
 
+                m_applicationCertificates = newCertificates;
+                
                 SupportedSecurityPolicies = BuildSupportedSecurityPolicies();
             }
         }
Original file line number	Diff line number	Diff line change
`@@ -29,6 +29,7 @@`
`29`	`29`
`30`	`30`	`using System;`
`31`	`31`	`using System.Collections.Generic;`
	`32`	`+using System.Linq;`
`32`	`33`	`using System.Runtime.Serialization;`
`33`	`34`	`using System.Security.Cryptography.X509Certificates;`
`34`	`35`
`@@ -202,7 +203,7 @@ public string ApplicationUri`
`202`	`203`	`{`
`203`	`204`	`try`
`204`	`205`	`{`
`205`		`- return X509Utils.GetApplicationUriFromCertificate(Certificate);`
	`206`	`+ return X509Utils.GetApplicationUrisFromCertificate(Certificate).FirstOrDefault();`
`206`	`207`	`}`
`207`	`208`	`catch (Exception e)`
`208`	`209`	`{`
Original file line number	Diff line number	Diff line change
`@@ -722,33 +722,58 @@ public CertificateIdentifierCollection ApplicationCertificates`
`722`	`722`	`get => m_applicationCertificates;`
`723`	`723`	`set`
`724`	`724`	`{`
`725`		`- m_applicationCertificates = value ?? [];`
	`725`	`+ if (value == null \|\| value.Count == 0)`
	`726`	`+ {`
	`727`	`+ m_applicationCertificates = new CertificateIdentifierCollection();`
	`728`	`+ return;`
	`729`	`+ }`
`726`	`730`
`727`		`- IsDeprecatedConfiguration = false;`
	`731`	`+ var newCertificates = new CertificateIdentifierCollection(value);`
`728`	`732`
`729`		`- // Remove any unsupported certificate types.`
`730`		`- for (int i = m_applicationCertificates.Count - 1; i >= 0; i--)`
	`733`	`+ // Remove unsupported certificate types`
	`734`	`+ for (int i = newCertificates.Count - 1; i >= 0; i--)`
`731`	`735`	`{`
`732`		`- if (!Utils.IsSupportedCertificateType(`
`733`		`- m_applicationCertificates[i].CertificateType))`
	`736`	`+ if (!Utils.IsSupportedCertificateType(newCertificates[i].CertificateType))`
`734`	`737`	`{`
`735`		`- m_applicationCertificates.RemoveAt(i);`
	`738`	`+ // TODO: Log when ITelemetry instance is available`
	`739`	`+ newCertificates.RemoveAt(i);`
`736`	`740`	`}`
`737`	`741`	`}`
`738`	`742`
`739`		`- // Remove any duplicates`
`740`		`- for (int i = 0; i < m_applicationCertificates.Count; i++)`
	`743`	`+ // Remove any duplicates based on thumbprint`
	`744`	`+ // Only perform duplicate detection if we have actual loaded certificates`
	`745`	`+ for (int i = 0; i < newCertificates.Count; i++)`
`741`	`746`	`{`
`742`		`- for (int j = m_applicationCertificates.Count - 1; j > i; j--)`
	`747`	`+ for (int j = newCertificates.Count - 1; j > i; j--)`
`743`	`748`	`{`
`744`		`- if (m_applicationCertificates[i]`
`745`		`- .CertificateType == m_applicationCertificates[j].CertificateType)`
	`749`	`+ bool isDuplicate = false;`
	`750`	`+`
	`751`	`+ // Only check for duplicates if both certificates are actually loaded`
	`752`	`+ if (newCertificates[i].Certificate != null && newCertificates[j].Certificate != null)`
	`753`	`+ {`
	`754`	`+ // Compare by actual certificate thumbprint`
	`755`	`+ isDuplicate = newCertificates[i].Certificate.Thumbprint.Equals(`
	`756`	`+ newCertificates[j].Certificate.Thumbprint,`
	`757`	`+ StringComparison.OrdinalIgnoreCase);`
	`758`	`+ }`
	`759`	`+ // If certificates aren't loaded yet, compare by explicit thumbprint configuration`
	`760`	`+ else if (!string.IsNullOrEmpty(newCertificates[i].Thumbprint) &&`
	`761`	`+ !string.IsNullOrEmpty(newCertificates[j].Thumbprint))`
	`762`	`+ {`
	`763`	`+ isDuplicate = newCertificates[i].Thumbprint.Equals(`
	`764`	`+ newCertificates[j].Thumbprint,`
	`765`	`+ StringComparison.OrdinalIgnoreCase);`
	`766`	`+ }`
	`767`	`+`
	`768`	`+ if (isDuplicate)`
`746`	`769`	`{`
`747`		`- m_applicationCertificates.RemoveAt(j);`
	`770`	`+ newCertificates.RemoveAt(j);`
`748`	`771`	`}`
`749`	`772`	`}`
`750`	`773`	`}`
`751`	`774`
	`775`	`+ m_applicationCertificates = newCertificates;`
	`776`	`+`
`752`	`777`	`SupportedSecurityPolicies = BuildSupportedSecurityPolicies();`
`753`	`778`	`}`
`754`	`779`	`}`