[#870]: Allow setting a certificate chain

opc-ua-sdk/sdk-server/src/main/java/org/eclipse/milo/opcua/sdk/server/api/config/OpcUaServerConfigBuilder.java

@@ -118,11 +118,18 @@ public OpcUaServerConfigBuilder setHttpsKeyPair(KeyPair httpsKeyPair) {
     }
 
     @Override
+    @Deprecated
     public OpcUaServerConfigBuilder setHttpsCertificate(X509Certificate httpsCertificate) {
         super.setHttpsCertificate(httpsCertificate);
         return this;
     }
 
+    @Override
+    public OpcUaServerConfigBuilder setHttpsCertificateChain(X509Certificate[] httpsCertificate) {
+        super.setHttpsCertificateChain(httpsCertificate);
+        return this;
+    }
+
     @Override
     public OpcUaServerConfigBuilder setExecutor(ExecutorService executor) {
         super.setExecutor(executor);
@@ -251,8 +258,8 @@ public Optional<KeyPair> getHttpsKeyPair() {
         }
 
         @Override
-        public Optional<X509Certificate> getHttpsCertificate() {
-            return stackServerConfig.getHttpsCertificate();
+        public Optional<X509Certificate[]> getHttpsCertificateChain() {
+            return stackServerConfig.getHttpsCertificateChain();
         }
 
         @Override

opc-ua-stack/stack-server/src/main/java/org/eclipse/milo/opcua/stack/server/UaStackServerConfig.java

@@ -98,8 +98,18 @@ public interface UaStackServerConfig {
 
     /**
      * @return the {@link X509Certificate} used for SSL/TLS with HTTPS endpoints.
+     * @deprecated This will only return the leaf certificate, use @{{@link #getHttpsCertificateChain()}} to get the
+     * full chain.
      */
-    Optional<X509Certificate> getHttpsCertificate();
+    @Deprecated
+    default Optional<X509Certificate> getHttpsCertificate() {
+        return getHttpsCertificateChain().flatMap(chain -> Optional.ofNullable(chain[0]));
+    }
+
+    /**
+     * @return the {@link X509Certificate} used for SSL/TLS with HTTPS endpoints.
+     */
+    Optional<X509Certificate[]> getHttpsCertificateChain();
 
     /**
      * @return the {@link ExecutorService} for this server.
@@ -136,7 +146,7 @@ static UaStackServerConfigBuilder copy(UaStackServerConfig config) {
         builder.setTrustListManager(config.getTrustListManager());
         builder.setCertificateValidator(config.getCertificateValidator());
         builder.setHttpsKeyPair(config.getHttpsKeyPair().orElse(null));
-        builder.setHttpsCertificate(config.getHttpsCertificate().orElse(null));
+        builder.setHttpsCertificateChain(config.getHttpsCertificateChain().orElse(null));
         builder.setExecutor(config.getExecutor());
 
         return builder;

opc-ua-stack/stack-server/src/main/java/org/eclipse/milo/opcua/stack/server/UaStackServerConfigBuilder.java

@@ -49,7 +49,7 @@ public class UaStackServerConfigBuilder {
     private ServerCertificateValidator certificateValidator;
 
     private KeyPair httpsKeyPair;
-    private X509Certificate httpsCertificate;
+    private X509Certificate[] httpsCertificate;
 
     private ExecutorService executor;
 
@@ -108,11 +108,17 @@ public UaStackServerConfigBuilder setHttpsKeyPair(KeyPair httpsKeyPair) {
         return this;
     }
 
-    public UaStackServerConfigBuilder setHttpsCertificate(X509Certificate httpsCertificate) {
+    public UaStackServerConfigBuilder setHttpsCertificateChain(X509Certificate[] httpsCertificate) {
         this.httpsCertificate = httpsCertificate;
         return this;
     }
 
+    @Deprecated
+    public UaStackServerConfigBuilder setHttpsCertificate(X509Certificate httpsCertificate) {
+        this.httpsCertificate = new X509Certificate[] { httpsCertificate };
+        return this;
+    }
+
     public UaStackServerConfigBuilder setExecutor(ExecutorService executor) {
         this.executor = executor;
         return this;
@@ -159,7 +165,7 @@ private static class UaStackServerConfigImpl implements UaStackServerConfig {
         private final TrustListManager trustListManager;
 
         private final KeyPair httpsKeyPair;
-        private final X509Certificate httpsCertificate;
+        private final X509Certificate[] httpsCertificate;
 
         private final ExecutorService executor;
 
@@ -175,7 +181,7 @@ private static class UaStackServerConfigImpl implements UaStackServerConfig {
             TrustListManager trustListManager,
             ServerCertificateValidator certificateValidator,
             @Nullable KeyPair httpsKeyPair,
-            @Nullable X509Certificate httpsCertificate,
+            @Nullable X509Certificate[] httpsCertificate,
             ExecutorService executor
         ) {
 
@@ -250,7 +256,7 @@ public Optional<KeyPair> getHttpsKeyPair() {
         }
 
         @Override
-        public Optional<X509Certificate> getHttpsCertificate() {
+        public Optional<X509Certificate[]> getHttpsCertificateChain() {
             return Optional.ofNullable(httpsCertificate);
         }
 

opc-ua-stack/stack-server/src/main/java/org/eclipse/milo/opcua/stack/server/transport/http/OpcServerHttpChannelInitializer.java

@@ -55,7 +55,7 @@ public OpcServerHttpChannelInitializer(UaStackServer stackServer) {
         this.stackServer = stackServer;
 
         KeyPair keyPair = stackServer.getConfig().getHttpsKeyPair().orElse(null);
-        X509Certificate httpsCertificate = stackServer.getConfig().getHttpsCertificate().orElse(null);
+        X509Certificate[] httpsCertificate = stackServer.getConfig().getHttpsCertificateChain().orElse(null);
 
         if (keyPair != null && httpsCertificate != null) {
             try {