I have a question related to UaGDS and devices implementing 10000-21 for onboarding of devices.
I (we) are currently in the process of implementing support for GDS Push in our OPC UA server (embedded device). Our plan is to load an IDevID certificate in production, signed by our own CA, so that our customers can validate the authenticity of our device.
While testing this with UaGDS we get the error BadCertificateHostNameInvalid:
https://imgur.com/dZiK5uG

This is because the IDevID certificate does not include a subjectAltName field for iPAddress, as this cannot be known at the time of manufacturing. We also don't want to generate a self-signed certificate with this data, as that defeats the purpose of having the IDevID in the first place.
I tried disabling this check in the UaGDS settings (and disabled all other checks as well), but I could not get it to work with this setting. In particular, General.DisableError.CertificateHostNameInvalid is set to true:
https://imgur.com/AMW9Tk9

If we add the iPAddress in use to the IDevID certificate ourselves, then the connection can be established.
From OPC UA 10000-21 chapter 7.2:
Registrars shall not accept Devices they do not trust. The steps to determine trust are:
1) Read all DeviceIdentity Certificates from the Device;
2) Locate a Ticket that has a ProductInstanceUri that matches one or more DeviceIdentity Certificates;
3) Validate the Ticket if it has not already been validated (see 6.4);
4) Select and Validate DeviceIdentity Certificate that matches the Ticket;
5) Establish a secure connection to the Device using the selected DeviceIdentity Certificate.
6) Issue a DCA Application Instance Certificate to the Device that indicates that it has been authenticated.
So my assumption is that the IDevID certificate is OK to use, the GDS should accept this certificate, and then the device will add all required fields to the CSR, so that afterwards the new certificate is a valid Application Instance Certificate according to 10000-6. This also includes, for example, changing the uniformResourceIdentifier in subjectAltName from the "ProductInstanceUri" to the "ApplicationUri".
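To make the two checks in this question visible side by side, here is an added example (not code from the poster, UaGDS or the OPC UA specification) that builds a vendor CA and an IDevID with only a ProductInstanceUri SAN, then runs steps 2 and 4 of 10000-21 7.2 next to the host-name check behind BadCertificateHostNameInvalid. Go's crypto/x509 stands in for the GDS validator; the CA name, the URN and the endpoint IP 192.0.2.10 are constructed sample values.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"net/url"
	"time"
)

// issue signs tmpl with signer (the parent's key) and parses the result; it panics only on a template bug.
func issue(tmpl, parent *x509.Certificate, pub ed25519.PublicKey, signer ed25519.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert
}

// BuildChain mimics production: a vendor CA plus an IDevID whose only SAN is a constructed ProductInstanceUri.
// No iPAddress SAN is set, because the deployment address is unknown at manufacturing time.
func BuildChain() (ca, idevid *x509.Certificate) {
	now := time.Now()
	caPub, caKey, _ := ed25519.GenerateKey(rand.Reader)
	devPub, _, _ := ed25519.GenerateKey(rand.Reader)
	caTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Vendor Device CA"},
		NotBefore: now, NotAfter: now.AddDate(20, 0, 0), IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	ca = issue(caTmpl, caTmpl, caPub, caKey) // self-signed manufacturer root
	uri, _ := url.Parse("urn:example-vendor:device:SN-0001")
	idevid = issue(&x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "SN-0001"},
		NotBefore: now, NotAfter: now.AddDate(20, 0, 0), URIs: []*url.URL{uri}}, ca, devPub, caKey)
	return ca, idevid
}

// RegistrarChecks keeps the two decisions apart: trusted follows 10000-21 7.2 steps 2 and 4 (chain to the vendor
// CA, SAN URI equals the Ticket's ProductInstanceUri); hostErr is the endpoint address check, which needs an iPAddress SAN.
func RegistrarChecks(idevid, ca *x509.Certificate, productInstanceUri, endpointIP string) (trusted bool, hostErr error) {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	if _, err := idevid.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}); err != nil {
		return false, err
	}
	for _, u := range idevid.URIs {
		trusted = trusted || u.String() == productInstanceUri
	}
	return trusted, idevid.VerifyHostname(endpointIP)
}
```

Running the checks on the constructed chain gives trusted == true together with a non-nil hostErr, which is exactly the situation described above: the device identity is acceptable per 7.2, while the iPAddress check can only succeed once an Application Instance Certificate with that SAN has been issued.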