-rw-r--r--  readme.md                                      | 19
-rw-r--r--  tests/aes256_anon/client.conf                  |  9
-rw-r--r--  tests/aes256_anon/server_lds.conf              | 11
-rw-r--r--  tests/aes256_anon/server_register.conf         | 12
-rw-r--r--  tests/aes256_anon/server_register_client.conf  | 12
5 files changed, 59 insertions, 4 deletions
diff --git a/readme.md b/readme.md
index c524bc2..6011d40 100644
--- a/readme.md
+++ b/readme.md
@@ -28,8 +28,11 @@ cd opcua_c
The programs use TLS certificates for mutual authentication. ServerLDS and
ServerRegister can also run without certificates (SecurityPolicy#None only) by
omitting the `certificate`, `privateKey`, and `trustStore` keys from their
-config files. For encrypted operation, four identities are needed — run these
-from the project root:
+config files.
+
+For encrypted operation, four identities are needed. Each call to
+`tools/generate_certificate.sh` creates a self-signed RSA-2048 certificate
+(`<name>_cert.der`) and private key (`<name>_key.der`) in the given directory:
```sh
tools/generate_certificate.sh certs ServerLDS
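Review bot: the new paragraph describes what `tools/generate_certificate.sh` produces (self-signed RSA-2048 cert and key per name) but not what identity it embeds, and the configs in this same change pin an `applicationUri` per program; OPC UA peers check that the certificate's application URI matches the one announced by the application, so the readme should state which URI the script puts in `<name>_cert.der` (or that the name argument must match the config's `applicationUri`). It would also help to say that the `<name>_key.der` files are secrets that stay out of version control, since the generated cert and key land side by side in the same `certs` directory.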
@@ -38,10 +41,18 @@ tools/generate_certificate.sh certs ServerRegisterClient
tools/generate_certificate.sh certs ClientFindServers
```
+| Identity | Used by | Purpose |
+|----------|---------|---------|
+| `ServerLDS` | ServerLDS | Server certificate for the LDS |
+| `ServerRegister` | ServerRegister | Server certificate for the registering server |
+| `ServerRegisterClient` | ServerRegister | Client certificate used when connecting to the LDS |
+| `ClientFindServers` | Client | Client certificate for all client operations |
+
### Populate the trust stores
-Each program trusts a specific set of peers. Create symlinks to the
-certificates in the trust store directories so they can find each other:
+OPC UA applications only accept connections from peers whose certificate is in
+their trust store. Create the trust store directories and symlink each peer's
+certificate:
```sh
mkdir -p certs/trust/{server_lds,server_register,server_register_client,client}
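Review bot: the trust-store paragraph should say explicitly that only the peer's `<name>_cert.der` is symlinked, never `<name>_key.der`; with both files generated into the same directory by the previous step, linking the wrong one is an easy mistake and the sentence "symlink each peer's certificate" does not rule it out. The new table is a good addition; consider extending it (or the paragraph) with which of the four `certs/trust/` directories receives which identity's certificate, since `ServerRegister` runs with two identities and the reader currently has to infer the mapping from the directory names in the `mkdir` line.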
diff --git a/tests/aes256_anon/client.conf b/tests/aes256_anon/client.conf
new file mode 100644
index 0000000..2818355
--- /dev/null
+++ b/tests/aes256_anon/client.conf
@@ -0,0 +1,9 @@
+# Client — test: aes256_anon
+
+applicationUri = urn:localhost:bobink:ClientFindServers
+certificate = certs/ClientFindServers_cert.der
+privateKey = certs/ClientFindServers_key.der
+securityMode = SignAndEncrypt
+securityPolicy = Aes256_Sha256_RsaPss
+authMode = anonymous
+trustStore = certs/trust/client
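Review bot: `client.conf` contains no endpoint or port key, while the two server configs in this change bind to 14840 and 14841; either document (in the header comment or the readme) that the endpoint URL is passed on the command line, or add the key here so the `aes256_anon` test is reproducible from the config alone. Stating in the header comment that `securityMode = SignAndEncrypt` with `securityPolicy = Aes256_Sha256_RsaPss` is the property under test would also make it clear that these two lines are not to be relaxed when the test is copied for other variants.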
diff --git a/tests/aes256_anon/server_lds.conf b/tests/aes256_anon/server_lds.conf
new file mode 100644
index 0000000..587820f
--- /dev/null
+++ b/tests/aes256_anon/server_lds.conf
@@ -0,0 +1,11 @@
+# ServerLDS — test: aes256_anon
+
+port = 14840
+applicationUri = urn:localhost:bobink:ServerLDS
+certificate = certs/ServerLDS_cert.der
+privateKey = certs/ServerLDS_key.der
+cleanupTimeout = 60
+
+authMode = anonymous
+
+trustStore = certs/trust/server_lds
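Review bot: `cleanupTimeout = 60` carries no unit; a comment such as `# seconds` avoids a misread, and the same applies to the other numeric keys in this change. Unlike `client.conf`, this server config has no `securityMode`/`securityPolicy` keys, so the test's name `aes256_anon` is not enforced on the server side; if the server offers every policy it supports by default (including `SecurityPolicy#None`, which the readme says is available), say so in the header comment, and if the keys are meaningful for servers, set them here so the LDS endpoint is restricted to the policy the test is about.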
diff --git a/tests/aes256_anon/server_register.conf b/tests/aes256_anon/server_register.conf
new file mode 100644
index 0000000..a2ce852
--- /dev/null
+++ b/tests/aes256_anon/server_register.conf
@@ -0,0 +1,12 @@
+# ServerRegister server config — test: aes256_anon
+
+port = 14841
+applicationUri = urn:localhost:bobink:ServerRegister
+certificate = certs/ServerRegister_cert.der
+privateKey = certs/ServerRegister_key.der
+
+registerInterval = 10
+
+authMode = anonymous
+
+trustStore = certs/trust/server_register
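Review bot: `registerInterval = 10` needs a unit in a comment (seconds, presumably, but the file should not make the reader guess). As with `server_lds.conf`, there is no `securityMode`/`securityPolicy` key on the server side of this test, so the `aes256_anon` label only constrains the client-side files; if the server exposes more than one endpoint policy by default, a note here (or a key pinning the policy, if one exists for servers) would make the intent of the test explicit.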
diff --git a/tests/aes256_anon/server_register_client.conf b/tests/aes256_anon/server_register_client.conf
new file mode 100644
index 0000000..46e8659
--- /dev/null
+++ b/tests/aes256_anon/server_register_client.conf
@@ -0,0 +1,12 @@
+# ServerRegister client config — test: aes256_anon
+
+applicationUri = urn:localhost:bobink:ServerRegister
+certificate = certs/ServerRegisterClient_cert.der
+privateKey = certs/ServerRegisterClient_key.der
+
+securityMode = SignAndEncrypt
+securityPolicy = Aes256_Sha256_RsaPss
+
+authMode = anonymous
+
+trustStore = certs/trust/server_register_client
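Review bot: this file reuses `applicationUri = urn:localhost:bobink:ServerRegister` (the same value as `server_register.conf`) but pairs it with `ServerRegisterClient_cert.der`, a certificate generated under a different name than the one in `server_register.conf`; if the application URI is checked against the certificate on the LDS side, please confirm in a comment that `tools/generate_certificate.sh` embeds a matching URI for both identities, or that the URI is deliberately shared because the registering server must present the same `applicationUri` to the LDS that it registers under. A one-line header comment explaining why ServerRegister needs a separate client identity at all would help the next reader, since nothing in the file says so.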