1 files changed, 16 insertions, 6 deletions

diff --git a/src/server_register.c b/src/server_register.c
index 8f23d1c..705fc18 100644
--- a/src/server_register.c
+++ b/src/server_register.c
@@ -50,6 +50,7 @@ typedef struct
   int logLevel;
   const char *username;
   const char *password;
+  UA_Boolean certAuth;
 } LdsClientParams;
 
 /**
@@ -65,9 +66,9 @@ makeLdsClientConfig (UA_ClientConfig *cc, const LdsClientParams *p)
   UA_StatusCode rv;
   if (p->certPath)
     {
-      rv = createSecureClientConfig (cc, p->appUri, p->certPath, p->keyPath,
-                                     p->trustPaths, p->trustSize,
-                                     p->securityMode, p->securityPolicyUri);
+      rv = createSecureClientConfig (
+          cc, p->appUri, p->certPath, p->keyPath, p->trustPaths, p->trustSize,
+          p->securityMode, p->securityPolicyUri, p->certAuth);
     }
   else
     {
@@ -157,7 +158,7 @@ main (int argc, char **argv)
   UA_Boolean serverAllowAnonymous;
   const char *serverUsername = NULL, *serverPassword = NULL;
   if (parseAuthConfig (&serverCfg, "ServerRegister", &serverAllowAnonymous,
-                       &serverUsername, &serverPassword)
+                       &serverUsername, &serverPassword, NULL)
       != 0)
     goto cleanup;
 
@@ -230,8 +231,9 @@ main (int argc, char **argv)
     }
 
   const char *clientUsername = NULL, *clientPassword = NULL;
+  UA_Boolean clientCertAuth = false;
   if (parseAuthConfig (&clientCfg, "ServerRegister", NULL, &clientUsername,
-                       &clientPassword)
+                       &clientPassword, &clientCertAuth)
       != 0)
     goto cleanup;
 
@@ -254,13 +256,20 @@ main (int argc, char **argv)
     {
       retval = UA_AccessControl_default (serverConfig, true, NULL, 0, NULL);
     }
-  else
+  else if (serverUsername)
     {
       UA_UsernamePasswordLogin logins[1];
       logins[0].username = UA_STRING ((char *)serverUsername);
       logins[0].password = UA_STRING ((char *)serverPassword);
       retval = UA_AccessControl_default (serverConfig, false, NULL, 1, logins);
     }
+  else
+    {
+      /* cert auth — sessionPKI.verifyCertificate is set by createServer
+         via setDefaultWithSecureSecurityPolicies, so UA_AccessControl_default
+         will automatically advertise the X509 certificate token policy. */
+      retval = UA_AccessControl_default (serverConfig, false, NULL, 0, NULL);
+    }
   if (retval != UA_STATUSCODE_GOOD)
     goto cleanup;
 
@@ -278,6 +287,7 @@ main (int argc, char **argv)
     .logLevel = logLevel,
     .username = clientUsername,
     .password = clientPassword,
+    .certAuth = clientCertAuth,
   };
 
   /* Use run_startup + manual event loop (instead of UA_Server_run) so we