feat(opcua): F13a — cert auto-creation in OpcUaApplicationHost

Adds OPC UA SDK's CheckApplicationInstanceCertificate call to
OpcUaApplicationHost.StartAsync, removing the v1 friction of needing to
pre-create the PKI directory tree before booting.

- New OpcUaApplicationHostOptions.PkiStoreRoot (defaults to "pki")
- BuildConfigurationAsync now derives own/issuer/trusted/rejected from
  PkiStoreRoot so the cert paths are configurable + consistent
- EnsureApplicationCertificateAsync runs before StandardServer.Start, and
  fails fast with a clear message if the SDK can't produce a valid cert
- 2 new tests: fresh-tree creates a cert, second boot reuses it

Partial slice of follow-up F13. Endpoint-security, user-token validator,
and observability wiring still pending in the F13 follow-up. OpcUaServer
tests: 4 → 6.

src/Server/ZB.MOM.WW.OtOpcUa.OpcUaServer/OpcUaApplicationHost.cs

@@ -19,6 +19,13 @@ public sealed class OpcUaApplicationHostOptions
 
     /// <summary>Application config XML path; when set, loaded instead of building from defaults.</summary>
     public string? ApplicationConfigPath { get; set; }
+
+    /// <summary>
+    /// Root of the application's PKI hierarchy. Sub-stores (<c>own</c>, <c>issuer</c>,
+    /// <c>trusted</c>, <c>rejected</c>) are created under this path on first start. Defaults
+    /// to "pki" (relative to the host's working directory) to keep dev flows identical to v1.
+    /// </summary>
+    public string PkiStoreRoot { get; set; } = "pki";
 }
 
 /// <summary>
@@ -60,14 +67,35 @@ public sealed class OpcUaApplicationHost : IAsyncDisposable
         };
 
         _ = await BuildConfigurationAsync(cancellationToken);
-        // Certificate validation + auto-creation is part of the full extraction (F13).
-        // For the facade we trust that the configured cert store already exists.
+        await EnsureApplicationCertificateAsync(cancellationToken).ConfigureAwait(false);
         await _application.Start(server).ConfigureAwait(false);
 
         _logger.LogInformation("OPC UA server started on opc.tcp://{Host}:{Port}",
             _options.PublicHostname, _options.OpcUaPort);
     }
 
+    /// <summary>
+    /// Guarantees the application instance certificate exists in <c>{PkiStoreRoot}/own</c>.
+    /// The SDK auto-creates a self-signed certificate the first time this is called on a fresh
+    /// PKI tree; subsequent boots reuse the existing cert. Replaces v1's manual "you must
+    /// pre-create the PKI directory tree" friction. Partial slice of follow-up F13 — the
+    /// remaining endpoint-security, user-token validator, and observability wiring stays in
+    /// the follow-up queue.
+    /// </summary>
+    private async Task EnsureApplicationCertificateAsync(CancellationToken cancellationToken)
+    {
+        // silent: false → SDK logs cert creation events through its own trace plumbing.
+        // minimumKeySize/lifetimeInMonths: 0 → use SDK defaults (2048-bit, 12-month lifetime).
+        var ok = await _application!.CheckApplicationInstanceCertificate(
+            silent: false, minimumKeySize: 0, lifeTimeInMonths: 0, ct: cancellationToken).ConfigureAwait(false);
+        if (!ok)
+        {
+            throw new InvalidOperationException(
+                $"OPC UA application certificate validation failed for {_options.ApplicationName}. " +
+                $"Cert store root: {Path.GetFullPath(_options.PkiStoreRoot)}");
+        }
+    }
+
     private async Task<ApplicationConfiguration> BuildConfigurationAsync(CancellationToken ct)
     {
         if (!string.IsNullOrWhiteSpace(_options.ApplicationConfigPath))
@@ -92,10 +120,15 @@ public sealed class OpcUaApplicationHost : IAsyncDisposable
             },
             SecurityConfiguration = new SecurityConfiguration
             {
-                ApplicationCertificate = new CertificateIdentifier { StoreType = "Directory", StorePath = "pki/own", SubjectName = $"CN={_options.ApplicationName}" },
-                TrustedIssuerCertificates = new CertificateTrustList { StoreType = "Directory", StorePath = "pki/issuer" },
-                TrustedPeerCertificates = new CertificateTrustList { StoreType = "Directory", StorePath = "pki/trusted" },
-                RejectedCertificateStore = new CertificateTrustList { StoreType = "Directory", StorePath = "pki/rejected" },
+                ApplicationCertificate = new CertificateIdentifier
+                {
+                    StoreType = "Directory",
+                    StorePath = Path.Combine(_options.PkiStoreRoot, "own"),
+                    SubjectName = $"CN={_options.ApplicationName}",
+                },
+                TrustedIssuerCertificates = new CertificateTrustList { StoreType = "Directory", StorePath = Path.Combine(_options.PkiStoreRoot, "issuer") },
+                TrustedPeerCertificates = new CertificateTrustList { StoreType = "Directory", StorePath = Path.Combine(_options.PkiStoreRoot, "trusted") },
+                RejectedCertificateStore = new CertificateTrustList { StoreType = "Directory", StorePath = Path.Combine(_options.PkiStoreRoot, "rejected") },
                 AutoAcceptUntrustedCertificates = false,
             },
             TransportQuotas = new TransportQuotas(),