1. Client sends its certificate to the user.
2. Server checks if the certificate is trusted:
   • If not trusted, the server rejects the connection.
   • Admin must manually trust the client certificate by moving it from rejected to trusted folder in the server config.
3. After the certificate is trusted, server sends it to the client.
4. Client verifies the server certificate against its Truststore.

   If verification succeeds, a secure channel is established.

To trust the OPC UA server, you must first obtain the server’s certificate in DER format (server-cert.der), then run the following command:

keytool -import -trustcacerts \
  -alias myservercert \
  -file server-cert.der \
  -keystore truststore.jks \
  -storepass changeit

The following Bash script generates a self-signed client certificate, a private key, and packages them into a .pfx keystore (PKCS#12 format) for use with OPC UA clients.

1. Create the script.
   1. Save the following script to a file, for example, generate_client_cert.sh:

      #!/bin/bash
      
      # === Certificate Metadata ===
      ORG_NAME="SnapLogic"
      COMMON_NAME="SnapLogic OPC UA Client"
      ORG_UNIT="Integration"
      LOCALITY="San Mateo"
      STATE="CA"
      COUNTRY="US"
      VALIDITY_DAYS=3650
      PFX_PASSWORD="password"
      PFX_ALIAS="client-ai"
      APP_URI="urn:snaplogic:opcua:client"
      
      # === Create OpenSSL Configuration ===
      cat > openssl_opcua.cnf <<EOL
      [ req ]
      default_bits       = 2048
      default_md         = sha256
      default_keyfile    = private_key.pem
      distinguished_name = req_distinguished_name
      x509_extensions    = v3_req
      prompt             = no
      
      [ req_distinguished_name ]
      C  = $COUNTRY
      ST = $STATE
      L  = $LOCALITY
      O  = $ORG_NAME
      OU = $ORG_UNIT
      CN = $COMMON_NAME
      
      [ v3_req ]
      subjectKeyIdentifier = hash
      authorityKeyIdentifier = keyid,issuer
      basicConstraints = CA:FALSE
      keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
      extendedKeyUsage = clientAuth, serverAuth
      subjectAltName = @alt_names
      [ alt_names ]
      URI.1 = $APP_URI
      EOL
      
      # === Generate Private Key ===
      openssl genpkey -algorithm RSA -out private_key.pem -pkeyopt rsa_keygen_bits:2048
      
      # === Generate CSR ===
      openssl req -new -key private_key.pem -out client.csr -config openssl_opcua.cnf
      
      # === Generate Self-Signed Certificate ===
      openssl x509 -req -days $VALIDITY_DAYS -in client.csr -signkey private_key.pem -out client_cert.pem -extensions v3_req -extfile openssl_opcua.cnf
      
      # === Export DER Format Certificate ===
      openssl x509 -in client_cert.pem -outform der -out client_cert.der
      
      # === Create PKCS#12 Keystore ===
      openssl pkcs12 -export -out client_cert.pfx -inkey private_key.pem -in client_cert.pem \
        -name $PFX_ALIAS -password pass:$PFX_PASSWORD
      
      # === Cleanup ===
      rm client.csr openssl_opcua.cnf
      
      # === Output Summary ===
      echo "Client certificate and keystore created successfully:"
      
      echo " - Private Key        : private_key.pem"
      echo " - PEM Certificate    : client_cert.pem"
      echo " - DER Certificate    : client_cert.der"
      echo " - PKCS#12 Keystore   : client_cert.pfx"
      echo "   (Alias: $PFX_ALIAS, Password: $PFX_PASSWORD)"

2. Run the script.
   1. Make the script executable and run it:

      chmod +x generate_client_cert.sh
      ./generate_client_cert.sh