WIP

milo-examples/client-examples/src/main/java/org/eclipse/milo/examples/client/ClientExampleRunner.java

@@ -119,9 +119,12 @@ public void run() {
                 );
 
                 // Make the example client trust the example server certificate by default.
-                exampleServer.getServer().getConfig().getCertificateManager().getCertificates().forEach(
-                    certificate ->
-                        trustListManager.addTrustedCertificate(certificate)
+                exampleServer.getServer().getConfig().getCertificateManager().getCertificateGroups().forEach(
+                    certificateGroup ->
+                        certificateGroup.getCertificateRecords().forEach(
+                            record ->
+                                trustListManager.addTrustedCertificate(record.certificateChain[0])
+                        )
                 );
             }
 

milo-examples/server-examples/src/main/java/org/eclipse/milo/examples/server/ExampleServer.java

@@ -14,6 +14,7 @@
 import java.nio.file.Files;
 import java.nio.file.Path;
 import java.nio.file.Paths;
+import java.security.KeyPair;
 import java.security.Security;
 import java.security.cert.X509Certificate;
 import java.util.LinkedHashSet;
@@ -34,13 +35,15 @@
 import org.eclipse.milo.opcua.sdk.server.util.HostnameUtil;
 import org.eclipse.milo.opcua.stack.core.StatusCodes;
 import org.eclipse.milo.opcua.stack.core.UaRuntimeException;
+import org.eclipse.milo.opcua.stack.core.security.CertificateManager;
 import org.eclipse.milo.opcua.stack.core.security.DefaultCertificateManager;
 import org.eclipse.milo.opcua.stack.core.security.DefaultServerCertificateValidator;
 import org.eclipse.milo.opcua.stack.core.security.DefaultTrustListManager;
 import org.eclipse.milo.opcua.stack.core.security.SecurityPolicy;
 import org.eclipse.milo.opcua.stack.core.transport.TransportProfile;
 import org.eclipse.milo.opcua.stack.core.types.builtin.DateTime;
 import org.eclipse.milo.opcua.stack.core.types.builtin.LocalizedText;
+import org.eclipse.milo.opcua.stack.core.types.builtin.NodeId;
 import org.eclipse.milo.opcua.stack.core.types.enumerated.MessageSecurityMode;
 import org.eclipse.milo.opcua.stack.core.types.structured.BuildInfo;
 import org.eclipse.milo.opcua.stack.core.util.CertificateUtil;
@@ -100,9 +103,19 @@ public ExampleServer() throws Exception {
 
         KeyStoreLoader loader = new KeyStoreLoader().load(securityTempDir);
 
-        var certificateManager = new DefaultCertificateManager(
-            loader.getServerKeyPair(),
-            loader.getServerCertificateChain()
+        var certificateManager = DefaultCertificateManager.createWithDefaultApplicationGroup(
+            pkiDir.toPath(),
+            new CertificateManager.CertificateFactory() {
+                @Override
+                public KeyPair createKeyPair(NodeId certificateTypeId) {
+                    return loader.getServerKeyPair();
+                }
+
+                @Override
+                public X509Certificate[] createCertificateChain(NodeId certificateTypeId, KeyPair keyPair) {
+                    return loader.getServerCertificateChain();
+                }
+            }
         );
 
         var trustListManager = new DefaultTrustListManager(pkiDir);
@@ -123,16 +136,7 @@ public ExampleServer() throws Exception {
 
         var x509IdentityValidator = new X509IdentityValidator(c -> true);
 
-        // If you need to use multiple certificates you'll have to be smarter than this.
-        X509Certificate certificate = certificateManager.getCertificates()
-            .stream()
-            .findFirst()
-            .orElseThrow(
-                () -> new UaRuntimeException(
-                    StatusCodes.Bad_ConfigurationError,
-                    "no certificate found"
-                )
-            );
+        X509Certificate certificate = loader.getServerCertificate();
 
         // The configured application URI must match the one in the certificate(s)
         String applicationUri = CertificateUtil

opc-ua-sdk/integration-tests/src/test/java/org/eclipse/milo/opcua/sdk/test/TestServer.java

@@ -30,13 +30,15 @@
 import org.eclipse.milo.opcua.sdk.server.util.HostnameUtil;
 import org.eclipse.milo.opcua.stack.core.StatusCodes;
 import org.eclipse.milo.opcua.stack.core.UaRuntimeException;
+import org.eclipse.milo.opcua.stack.core.security.CertificateManager;
 import org.eclipse.milo.opcua.stack.core.security.DefaultCertificateManager;
 import org.eclipse.milo.opcua.stack.core.security.DefaultServerCertificateValidator;
 import org.eclipse.milo.opcua.stack.core.security.DefaultTrustListManager;
 import org.eclipse.milo.opcua.stack.core.security.SecurityPolicy;
 import org.eclipse.milo.opcua.stack.core.transport.TransportProfile;
 import org.eclipse.milo.opcua.stack.core.types.builtin.DateTime;
 import org.eclipse.milo.opcua.stack.core.types.builtin.LocalizedText;
+import org.eclipse.milo.opcua.stack.core.types.builtin.NodeId;
 import org.eclipse.milo.opcua.stack.core.types.enumerated.MessageSecurityMode;
 import org.eclipse.milo.opcua.stack.core.types.structured.BuildInfo;
 import org.eclipse.milo.opcua.stack.core.util.CertificateUtil;
@@ -85,17 +87,28 @@ public static OpcUaServer create(int port) throws Exception {
         LoggerFactory.getLogger(TestServer.class)
             .info("security temp dir: {}", securityTempDir.getAbsolutePath());
 
+        File pkiDir = securityTempDir.toPath().resolve("pki").toFile();
+        LoggerFactory.getLogger(TestServer.class)
+            .info("pki dir: {}", pkiDir.getAbsolutePath());
+
         KeyStoreLoader loader = new KeyStoreLoader().load(securityTempDir);
 
-        DefaultCertificateManager certificateManager = new DefaultCertificateManager(
-            loader.getServerKeyPair(),
-            loader.getServerCertificateChain()
+        DefaultCertificateManager certificateManager = DefaultCertificateManager.createWithDefaultApplicationGroup(
+            pkiDir.toPath(),
+            new CertificateManager.CertificateFactory() {
+                @Override
+                public KeyPair createKeyPair(NodeId certificateTypeId) {
+                    return loader.getServerKeyPair();
+                }
+
+                @Override
+                public X509Certificate[] createCertificateChain(NodeId certificateTypeId, KeyPair keyPair) {
+                    return loader.getServerCertificateChain();
+                }
+            }
         );
 
-        File pkiDir = securityTempDir.toPath().resolve("pki").toFile();
         DefaultTrustListManager trustListManager = new DefaultTrustListManager(pkiDir);
-        LoggerFactory.getLogger(TestServer.class)
-            .info("pki dir: {}", pkiDir.getAbsolutePath());
 
         DefaultServerCertificateValidator certificateValidator =
             new DefaultServerCertificateValidator(trustListManager);
@@ -123,11 +136,7 @@ public static OpcUaServer create(int port) throws Exception {
             }
         );
 
-        // If you need to use multiple certificates you'll have to be smarter than this.
-        X509Certificate certificate = certificateManager.getCertificates()
-            .stream()
-            .findFirst()
-            .orElseThrow(() -> new UaRuntimeException(StatusCodes.Bad_ConfigurationError, "no certificate found"));
+        X509Certificate certificate = loader.getServerCertificate();
 
         // The configured application URI must match the one in the certificate(s)
         String applicationUri = CertificateUtil

opc-ua-sdk/sdk-server/src/main/java/org/eclipse/milo/opcua/sdk/server/OpcUaServerConfig.java

@@ -22,7 +22,6 @@
 import org.eclipse.milo.opcua.sdk.server.identity.X509IdentityValidator;
 import org.eclipse.milo.opcua.stack.core.channel.EncodingLimits;
 import org.eclipse.milo.opcua.stack.core.security.CertificateManager;
-import org.eclipse.milo.opcua.stack.core.security.CertificateManager2;
 import org.eclipse.milo.opcua.stack.core.security.SecurityPolicy;
 import org.eclipse.milo.opcua.stack.core.security.ServerCertificateValidator;
 import org.eclipse.milo.opcua.stack.core.security.TrustListManager;
@@ -129,10 +128,6 @@ public interface OpcUaServerConfig {
      */
     CertificateManager getCertificateManager();
 
-    default CertificateManager2 getCertificateManager2() {
-        return null; // TODO
-    }
-
     /**
      * @return the {@link TrustListManager} for this server.
      */

opc-ua-sdk/sdk-tests/src/test/java/org/eclipse/milo/opcua/sdk/client/TestCertificateManager.java

@@ -12,11 +12,13 @@
 
 import java.security.KeyPair;
 import java.security.cert.X509Certificate;
+import java.util.Collections;
+import java.util.List;
 import java.util.Optional;
-import java.util.Set;
 
 import org.eclipse.milo.opcua.stack.core.security.CertificateManager;
 import org.eclipse.milo.opcua.stack.core.types.builtin.ByteString;
+import org.eclipse.milo.opcua.stack.core.types.builtin.NodeId;
 
 public class TestCertificateManager implements CertificateManager {
 
@@ -44,13 +46,13 @@ public Optional<X509Certificate[]> getCertificateChain(ByteString thumbprint) {
     }
 
     @Override
-    public Set<KeyPair> getKeyPairs() {
-        return Set.of(keyPair);
+    public Optional<CertificateGroup> getCertificateGroup(NodeId certificateGroupId) {
+        return Optional.empty();
     }
 
     @Override
-    public Set<X509Certificate> getCertificates() {
-        return Set.of(certificate);
+    public List<CertificateGroup> getCertificateGroups() {
+        return Collections.emptyList();
     }
 
 }