.. _howto:

How to:
=======

Connect in secured mode.
-------------------------

To connect in secured mode, set option ``securityMode`` in the ClientConfiguration to ``SecurityMode(SecurityPolicyId::Basic256Sha256, MessageSecurityMode::SignAndEncrypt)``.

Certificate validation rules are defined in option ``certificateSettings.validationRules`` of the ClientConfiguration.

If the server certificate is not valid or not trusted, it is saved in the ``./data/PKI/rejected`` folder. To trust the certificate, move it to the folder ``./data/PKI/trusted/certs``.

If the certificate is signed by a CA, then one certificate from the chain should be placed in the ``./data/PKI/trusted/certs`` folder, all CA certificates must be placed in either the ``./data/PKI/trusted/certs`` or the ``./data/PKI/issuer/certs`` folder, and all certificate revocation lists should be placed in the ``./data/PKI/crl`` folder.

By default, the SDK creates a CA certificate, signs the application instance certificate with it, and stores them in the ``./data/PKI`` folder, relative to the working directory.

Three files are required to configure the server to trust the client certificate:

1. ``./data/PKI/own/certs/ca-cert.der`` - CA certificate. Copy it into the trusted or issuer certificates folder on the server side. Locations depend on the server. For the OPC UA C++ Demo server from Unified Automation, the default location of the trusted certificates is ``C:\ProgramData\UnifiedAutomation\UaCPPServer\pkiserver\trusted\certs``, and of the issuers, ``C:\ProgramData\UnifiedAutomation\UaCPPServer\pkiserver\issuers\certs``.

   The difference between putting the CA certificate into the trusted list and the issuers list: if you put it into the trusted folder, all certificates signed by it, directly or indirectly, will be trusted by the server. If you put it into the issuers list, the application instance certificate needs to be placed into the trusted list.

2. ``./data/PKI/own/certs/ca-cert.crl`` - revocation list for the CA certificate. For the UA Demo server, copy it to the folder ``C:\ProgramData\UnifiedAutomation\UaCPPServer\pkiserver\trusted\crl``.

3. ``./data/PKI/own/certs/public_Basic256Sha256.der`` - application instance certificate. If the CA certificate is in the trusted list folder of the server, there is no need to copy this one. If the CA certificate is in the issuers list, copy it into the trusted certificates folder of the server (UA Demo server: ``C:\ProgramData\UnifiedAutomation\UaCPPServer\pkiserver\trusted\certs``).
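
The three copy steps above, written as an added Python example that is not part of the SDK or of the original page. The function names, the ``ca_store`` parameter and the placeholder files are assumptions for illustration; the server folders follow the UA Demo server layout quoted above.

```python
import hashlib
import shutil
import tempfile
from pathlib import Path

# Client-side files named on this page, relative to the client PKI root.
CA_CERT = "own/certs/ca-cert.der"
CA_CRL = "own/certs/ca-cert.crl"
APP_CERT = "own/certs/public_Basic256Sha256.der"


def plan_server_trust(client_pki, server_pki, ca_store):
    """Return (source, destination) copies; ca_store is 'trusted' or 'issuers'."""
    if ca_store not in ("trusted", "issuers"):
        raise ValueError("ca_store must be 'trusted' or 'issuers'")
    client, server = Path(client_pki), Path(server_pki)
    plan = [
        (client / CA_CERT, server / ca_store / "certs" / Path(CA_CERT).name),
        # CRL destination follows the UA Demo server layout given on this page.
        (client / CA_CRL, server / "trusted" / "crl" / Path(CA_CRL).name),
    ]
    if ca_store == "issuers":
        # An issuer-only CA is not trusted itself: trust the application certificate.
        plan.append((client / APP_CERT, server / "trusted" / "certs" / Path(APP_CERT).name))
    return plan


def apply_plan(plan):
    """Copy the files; return {destination file name: SHA-256 of copied bytes}."""
    missing = [str(src) for src, _ in plan if not src.is_file()]
    if missing:
        raise FileNotFoundError("missing client PKI files: " + ", ".join(missing))
    digests = {}
    for src, dst in plan:
        dst.parent.mkdir(parents=True, exist_ok=True)
        shutil.copyfile(src, dst)
        digests[dst.name] = hashlib.sha256(dst.read_bytes()).hexdigest()
    return digests


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:  # constructed sample layout
        client, server = Path(tmp, "data/PKI"), Path(tmp, "pkiserver")
        for rel in (CA_CERT, CA_CRL, APP_CERT):
            (client / rel).parent.mkdir(parents=True, exist_ok=True)
            (client / rel).write_bytes(b"placeholder for " + rel.encode())
        plan = plan_server_trust(client, server, "issuers")
        for name, digest in apply_plan(plan).items():
            print(name, digest)
```

The returned digests let the operator confirm that each file on the server is byte-identical to the one exported from the client PKI folder.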