feat(opcua): F13a — cert auto-creation in OpcUaApplicationHost

Adds OPC UA SDK's CheckApplicationInstanceCertificate call to
OpcUaApplicationHost.StartAsync, removing the v1 friction of needing to
pre-create the PKI directory tree before booting.

- New OpcUaApplicationHostOptions.PkiStoreRoot (defaults to "pki")
- BuildConfigurationAsync now derives own/issuer/trusted/rejected from
  PkiStoreRoot so the cert paths are configurable + consistent
- EnsureApplicationCertificateAsync runs before StandardServer.Start, and
  fails fast with a clear message if the SDK can't produce a valid cert
- 2 new tests: fresh-tree creates a cert, second boot reuses it

Partial slice of follow-up F13. Endpoint-security, user-token validator,
and observability wiring still pending in the F13 follow-up. OpcUaServer
tests: 4 → 6.

tests/Server/ZB.MOM.WW.OtOpcUa.OpcUaServer.Tests/OpcUaApplicationHostTests.cs

@@ -0,0 +1,100 @@
+using Microsoft.Extensions.Logging.Abstractions;
+using Opc.Ua.Server;
+using Shouldly;
+using Xunit;
+
+namespace ZB.MOM.WW.OtOpcUa.OpcUaServer.Tests;
+
+/// <summary>
+/// Verifies the F13a cert auto-creation slice of <see cref="OpcUaApplicationHost"/>: the SDK
+/// self-signs a certificate into <c>{PkiStoreRoot}/own/certs/</c> on first boot against a
+/// fresh PKI tree, and the file persists for reuse on the next boot.
+/// </summary>
+public sealed class OpcUaApplicationHostTests : IDisposable
+{
+    private static CancellationToken Ct => TestContext.Current.CancellationToken;
+
+    private readonly string _pkiRoot = Path.Combine(
+        Path.GetTempPath(),
+        $"otopcua-pki-{Guid.NewGuid():N}");
+
+    [Fact]
+    public async Task StartAsync_creates_application_certificate_in_pki_own()
+    {
+        await using var host = new OpcUaApplicationHost(
+            new OpcUaApplicationHostOptions
+            {
+                ApplicationName = "OtOpcUa.Test",
+                ApplicationUri = $"urn:OtOpcUa.Test:{Guid.NewGuid():N}",
+                OpcUaPort = AllocateFreePort(),
+                PublicHostname = "localhost",
+                PkiStoreRoot = _pkiRoot,
+            },
+            NullLogger<OpcUaApplicationHost>.Instance);
+
+        await host.StartAsync(new StandardServer(), Ct);
+
+        var ownCerts = Path.Combine(_pkiRoot, "own", "certs");
+        Directory.Exists(ownCerts).ShouldBeTrue($"expected SDK to create {ownCerts}");
+        Directory.EnumerateFiles(ownCerts).ShouldNotBeEmpty("expected a self-signed cert file in the own store");
+    }
+
+    [Fact]
+    public async Task StartAsync_reuses_existing_certificate_on_second_boot()
+    {
+        var port1 = AllocateFreePort();
+        await using (var first = new OpcUaApplicationHost(
+            new OpcUaApplicationHostOptions
+            {
+                ApplicationName = "OtOpcUa.Reuse",
+                ApplicationUri = "urn:OtOpcUa.Reuse",
+                OpcUaPort = port1,
+                PublicHostname = "localhost",
+                PkiStoreRoot = _pkiRoot,
+            },
+            NullLogger<OpcUaApplicationHost>.Instance))
+        {
+            await first.StartAsync(new StandardServer(), Ct);
+        }
+
+        var ownCerts = Path.Combine(_pkiRoot, "own", "certs");
+        var firstFiles = Directory.GetFiles(ownCerts).OrderBy(f => f).ToArray();
+        firstFiles.ShouldNotBeEmpty();
+
+        var port2 = AllocateFreePort();
+        await using (var second = new OpcUaApplicationHost(
+            new OpcUaApplicationHostOptions
+            {
+                ApplicationName = "OtOpcUa.Reuse",
+                ApplicationUri = "urn:OtOpcUa.Reuse",
+                OpcUaPort = port2,
+                PublicHostname = "localhost",
+                PkiStoreRoot = _pkiRoot,
+            },
+            NullLogger<OpcUaApplicationHost>.Instance))
+        {
+            await second.StartAsync(new StandardServer(), Ct);
+        }
+
+        var secondFiles = Directory.GetFiles(ownCerts).OrderBy(f => f).ToArray();
+        secondFiles.ShouldBe(firstFiles, "expected the second boot to reuse the cert from the first, not create a new one");
+    }
+
+    private static int AllocateFreePort()
+    {
+        using var listener = new System.Net.Sockets.TcpListener(System.Net.IPAddress.Loopback, 0);
+        listener.Start();
+        var port = ((System.Net.IPEndPoint)listener.LocalEndpoint).Port;
+        listener.Stop();
+        return port;
+    }
+
+    public void Dispose()
+    {
+        if (Directory.Exists(_pkiRoot))
+        {
+            try { Directory.Delete(_pkiRoot, recursive: true); }
+            catch { /* best-effort cleanup */ }
+        }
+    }
+}

tests/Server/ZB.MOM.WW.OtOpcUa.OpcUaServer.Tests/ZB.MOM.WW.OtOpcUa.OpcUaServer.Tests.csproj

@@ -15,6 +15,7 @@
             <PrivateAssets>all</PrivateAssets>
             <IncludeAssets>runtime; build; native; contentfiles; analyzers; buildtransitive</IncludeAssets>
         </PackageReference>
+        <PackageReference Include="Microsoft.Extensions.Logging.Abstractions"/>
     </ItemGroup>
 
     <ItemGroup>