Allow non OPC-UA conform SubjectName values to AddSecurityConfigurationStores

[mrsuciu]

Proposed changes

When a certificate SubjectName is provided in a non OPC-UA accepted format (simple-string with no CN and O attributes) as input to AddSecurityConfigurationStores(), in the context of an ApplicationInstance certificate creation, the created certificate's SubjectName is populated with a default CN=simple-string and omits the O attribute (which it should also include).
A subsequent public static X509Certificate2 Find() call, in the context of an additional ApplicationInstance certificate creation, taking as input a SubjectName that is a substring of the previously created certificate with CN=simple-string, would match the previously created application certificate and throw due to a call to X509Certificate2Collection.Find(X509FindType.FindBySubjectName, subjectName, false) that seams to perform a FuzzySearch on the collection.

This PR attempts to remedy the above miss-behavior even in this special case were the provided SubjectName is not in the OPC-UA accepted format and does not contain the CN and O attributes.

Related Issues

• Fixes AddSecurityConfigurationStores appears to work like "string.Contains()" instead of searching for exact matches #3216

Types of changes

What types of changes does your code introduce?
Put an x in the boxes that apply. You can also fill these out after creating the PR.

• Bugfix (non-breaking change which fixes an issue)
• Enhancement (non-breaking change which adds functionality)
• Test enhancement (non-breaking change to increase test coverage)
• Breaking change (fix or feature that would cause existing functionality to not work as expected, requires version increase of Nuget packages)
• Documentation Update (if none of the other choices apply)

Checklist

Put an x in the boxes that apply. You can also fill these out after creating the PR. If you're unsure about any of them, don't hesitate to ask. We're here to help! This is simply a reminder of what we are going to look for before merging your code.

• I have read the CONTRIBUTING doc.
• I have signed the CLA.
• I ran tests locally with my changes, all passed.
• I fixed all failing tests in the CI pipelines.
• I fixed all introduced issues with CodeQL and LGTM.
• I have added tests that prove my fix is effective or that my feature works and increased code coverage.
• I have added necessary documentation (if appropriate).
• Any dependent changes have been merged and published in downstream modules.

Further comments

If this is a relatively large or complex change, kick off the discussion by explaining why you chose the solution you did and what alternatives you considered, etc...

[codecov]

Codecov Report

❌ Patch coverage is 81.81818% with 16 lines in your changes missing coverage. Please review.
✅ Project coverage is 57.87%. Comparing base (8e7a73c) to head (a8f75a9).
⚠️ Report is 16 commits behind head on master.

Files with missing lines	Patch %	Lines
...ore/Security/Certificates/CertificateIdentifier.cs	83.72%	4 Missing and 10 partials ⚠️
...a.Core/Security/Certificates/CertificateFactory.cs	0.00%	1 Missing and 1 partial ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##           master    #3229      +/-   ##
==========================================
+ Coverage   57.59%   57.87%   +0.27%     
==========================================
  Files         361      365       +4     
  Lines       79152    79506     +354     
  Branches    13814    13900      +86     
==========================================
+ Hits        45587    46011     +424     
+ Misses      29336    29323      -13     
+ Partials     4229     4172      -57     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

[Copilot]

Pull Request Overview

This PR fixes an issue where certificates with non-OPC-UA conform SubjectName values (simple strings without CN and O attributes) could cause matching problems when creating multiple ApplicationInstance certificates. The fix ensures proper certificate matching and selection even when SubjectName formats are non-standard.

• Improved certificate matching logic to handle both CN-prefixed and non-CN SubjectNames differently
• Enhanced certificate selection to prioritize CA-signed certificates and use duration-based selection for duplicates
• Added default O attribute ("OPC Foundation") when creating certificates without organization information

Reviewed Changes

Copilot reviewed 5 out of 5 changed files in this pull request and generated 3 comments.

Show a summary per file

File	Description
CertificateIdentifier.cs	Enhanced Find method with better matching logic and longest duration selection algorithm
CertificateFactory.cs	Added default O attribute injection for certificates missing organization info
CertificateStoreTest.cs	Added comprehensive test coverage for certificate finding scenarios
ApplicationInstanceTests.cs	Added test for handling SubjectName substring matching edge cases
CertificateValidatorTest.cs	Updated test assertions to expect O attribute in certificate subjects

---

_{Tip: Customize your code reviews with copilot-instructions.md. Create the file or learn how to get started.}

[mrsuciu]

@romanett I have added comments and tried to clarify the picking algorithm. During this I reached 6 criteria of selection. I am sure this is not exhaustive and better criteria can be added but I think the fewer the better.
Please review and feedback.