Add X509 certificate identity token authentication

Support authMode=cert alongside anonymous and user. The client
reuses its application certificate as the X509 identity token
(open62541 requires both to match). Server-side access control
advertises the certificate token policy automatically when
sessionPKI is configured.

1 files changed, 8 insertions, 1 deletions

diff --git a/readme.md b/readme.md
index a40d14b..dcdf8a1 100644
--- a/readme.md
+++ b/readme.md
@@ -107,13 +107,14 @@ All three programs accept an optional log level as the last argument
 
 ## Tests
 
-Integration tests exercise three combinations of security and authentication:
+Integration tests exercise four combinations of security and authentication:
 
 | Test | Security | Auth |
 |------|----------|------|
 | `unsecure_anonymous` | None / None | anonymous |
 | `secure_anonymous` | SignAndEncrypt / Basic256Sha256 | anonymous |
 | `secure_user` | SignAndEncrypt / Basic256Sha256 | user/password |
+| `secure_cert` | SignAndEncrypt / Basic256Sha256 | X509 certificate |
 
 Run all tests:
 
@@ -143,3 +144,9 @@ cmake --build build --parallel
 
 Programs are configured through plain text files (`key = value`, one per line).
 Example configs are in `config/`.
+
+Three authentication modes are supported via the `authMode` key:
+
+- **anonymous** — no user identity
+- **user** — username and password (requires `username` and `password` keys)
+- **cert** — X509 certificate identity token (reuses the application certificate; requires encryption to be configured)