OPCFoundation · marcschier · Nov 15, 2025 · Nov 13, 2025 · Nov 14, 2025 · Nov 14, 2025
diff --git a/Applications/Quickstarts.Servers/ReferenceServer/ReferenceServer.cs b/Applications/Quickstarts.Servers/ReferenceServer/ReferenceServer.cs
@@ -405,11 +405,11 @@ private void VerifyX509IdentityToken(X509IdentityToken token)
             {
                 if (m_userCertificateValidator != null)
                 {
-                    m_userCertificateValidator.Validate(certificate);
+                    m_userCertificateValidator.ValidateAsync(certificate, default).GetAwaiter().GetResult();
                 }
                 else
                 {
-                    CertificateValidator.Validate(certificate);
+                    CertificateValidator.ValidateAsync(certificate, default).GetAwaiter().GetResult();
                 }
             }
             catch (Exception e)

diff --git a/Libraries/Opc.Ua.Client/Session/Session.cs b/Libraries/Opc.Ua.Client/Session/Session.cs
@@ -1455,7 +1455,7 @@ public async Task UpdateSessionAsync(
                 requireEncryption &&
                 identity.TokenType != UserTokenType.Anonymous)
             {
-                m_configuration.CertificateValidator.Validate(m_serverCertificate);
+                await m_configuration.CertificateValidator.ValidateAsync(m_serverCertificate, ct).ConfigureAwait(false);
             }
 
             // validate server nonce and security parameters for user identity.

diff --git a/Libraries/Opc.Ua.Gds.Server.Common/GlobalDiscoverySampleServer.cs b/Libraries/Opc.Ua.Gds.Server.Common/GlobalDiscoverySampleServer.cs
@@ -296,7 +296,7 @@ private void VerifyX509IdentityToken(X509IdentityToken token)
             X509Certificate2 certificate = token.GetOrCreateCertificate(MessageContext.Telemetry);
             try
             {
-                CertificateValidator.Validate(certificate);
+                CertificateValidator.ValidateAsync(certificate, default).GetAwaiter().GetResult();
             }
             catch (Exception e)
             {

diff --git a/Libraries/Opc.Ua.PubSub/Transport/MqttPubSubConnection.cs b/Libraries/Opc.Ua.PubSub/Transport/MqttPubSubConnection.cs
@@ -789,7 +789,7 @@ private MqttClientOptions GetMqttClientOptions()
                 UrlScheme = connectionUri.Scheme;
             }
 
-            MqttClientProtocolConfiguration transportProtocolConfiguration =
+            var transportProtocolConfiguration =
                 new MqttClientProtocolConfiguration(PubSubConnectionConfiguration.ConnectionProperties, m_logger);
 
             var mqttProtocolVersion = (MqttProtocolVersion)
@@ -940,7 +940,7 @@ private bool ValidateBrokerCertificate(MqttClientCertificateValidationEventArgs
                     return Application.OnValidateBrokerCertificate(brokerCertificate);
                 }
 
-                m_certificateValidator?.Validate(brokerCertificate);
+                m_certificateValidator?.ValidateAsync(brokerCertificate, default).GetAwaiter().GetResult();
             }
             catch (Exception ex)
             {

diff --git a/Libraries/Opc.Ua.Server/Configuration/ConfigurationNodeManager.cs b/Libraries/Opc.Ua.Server/Configuration/ConfigurationNodeManager.cs
@@ -577,7 +577,7 @@ private async ValueTask<UpdateCertificateMethodStateResult> UpdateCertificateAsy
                         }
                         issuerStore.TrustedCertificates = issuerCollection;
                         certValidator.Update(issuerStore, issuerStore, null);
-                        certValidator.Validate(newCert);
+                        await certValidator.ValidateAsync(newCert, ct).ConfigureAwait(false);
                     }
                     catch (Exception ex)
                     {

diff --git a/Libraries/Opc.Ua.Server/Server/StandardServer.cs b/Libraries/Opc.Ua.Server/Server/StandardServer.cs
@@ -334,10 +334,10 @@ public override async Task<CreateSessionResponse> CreateSessionAsync(
             uint maxResponseMessageSize,
             CancellationToken ct)
         {
-            NodeId sessionId = 0;
-            NodeId authenticationToken = null;
+            NodeId sessionId;
+            NodeId authenticationToken;
             double revisedSessionTimeout = 0;
-            byte[] serverNonce = null;
+            byte[] serverNonce;
             byte[] serverCertificate = null;
             EndpointDescriptionCollection serverEndpoints = null;
             SignedSoftwareCertificateCollection serverSoftwareCertificates = null;
@@ -407,7 +407,7 @@ X509Certificate2Collection clientCertificateChain
                                         clientDescription.ApplicationUri);
                                 }
 
-                                CertificateValidator.Validate(clientCertificateChain);
+                                await CertificateValidator.ValidateAsync(clientCertificateChain, ct).ConfigureAwait(false);
                             }
                         }
                     }
@@ -711,7 +711,7 @@ public override async Task<ActivateSessionResponse> ActivateSessionAsync(
             SignatureData userTokenSignature,
             CancellationToken ct)
         {
-            byte[] serverNonce = null;
+            byte[] serverNonce;
             StatusCodeCollection results = null;
             DiagnosticInfoCollection diagnosticInfos = null;
 
@@ -2515,11 +2515,8 @@ private async void OnRegisterServerAsync(object state)
                 lock (m_registrationLock)
                 {
                     // halt any outstanding timer.
-                    if (m_registrationTimer != null)
-                    {
-                        m_registrationTimer.Dispose();
-                        m_registrationTimer = null;
-                    }
+                    m_registrationTimer?.Dispose();
+                    m_registrationTimer = null;
                 }
 
                 if (await RegisterWithDiscoveryServerAsync().ConfigureAwait(false))
@@ -3130,11 +3127,10 @@ await masterNodeManager.StartupAsync(cancellationToken)
                 m_serverInternal.SetAggregateManager(
                     CreateAggregateManager(m_serverInternal, configuration));
 
-                    // create the manager responsible for modelling rules.
-                    m_logger.LogInformation(Utils.TraceMasks.StartStop, "Server - CreateModellingRulesManager.");
-                    m_serverInternal.SetModellingRulesManager(
-                        CreateModellingRulesManager(m_serverInternal, configuration));
-
+                // create the manager responsible for modelling rules.
+                m_logger.LogInformation(Utils.TraceMasks.StartStop, "Server - CreateModellingRulesManager.");
+                m_serverInternal.SetModellingRulesManager(
+                    CreateModellingRulesManager(m_serverInternal, configuration));
 
                 // start the session manager.
                 m_logger.LogInformation(Utils.TraceMasks.StartStop, "Server - CreateSessionManager.");
@@ -3241,11 +3237,8 @@ IMonitoredItemQueueFactory monitoredItemQueueFactory
                     m_lastRegistrationInterval = m_minRegistrationInterval;
 
                     // start registration timer.
-                    if (m_registrationTimer != null)
-                    {
-                        m_registrationTimer.Dispose();
-                        m_registrationTimer = null;
-                    }
+                    m_registrationTimer?.Dispose();
+                    m_registrationTimer = null;
 
                     if (m_maxRegistrationInterval > 0)
                     {
@@ -3303,11 +3296,8 @@ protected override async ValueTask OnServerStoppingAsync(CancellationToken cance
             // halt any outstanding timer.
             lock (m_registrationLock)
             {
-                if (m_registrationTimer != null)
-                {
-                    m_registrationTimer.Dispose();
-                    m_registrationTimer = null;
-                }
+                m_registrationTimer?.Dispose();
+                m_registrationTimer = null;
             }
 
             // attempt graceful shutdown the server.

diff --git a/Stack/Opc.Ua.Bindings.Https/Stack/Https/HttpsTransportListener.cs b/Stack/Opc.Ua.Bindings.Https/Stack/Https/HttpsTransportListener.cs
@@ -259,7 +259,7 @@ public void Start()
             m_host = new HostBuilder()
                 .ConfigureWebHostDefaults(ConfigureWebHost)
                 .Build();
-            m_host.StartAsync(CancellationToken.None).GetAwaiter().GetResult();     
+            m_host.StartAsync(CancellationToken.None).GetAwaiter().GetResult();
 #else
             var hostBuilder = new WebHostBuilder();
             ConfigureWebHost(hostBuilder);
@@ -577,7 +577,7 @@ private bool ValidateClientCertificate(
 
             try
             {
-                m_quotas.CertificateValidator.Validate(clientCertificate);
+                m_quotas.CertificateValidator.ValidateAsync(clientCertificate, default).GetAwaiter().GetResult();
             }
             catch (Exception)
             {

diff --git a/Stack/Opc.Ua.Core/Security/Certificates/CertificateValidator.cs b/Stack/Opc.Ua.Core/Security/Certificates/CertificateValidator.cs
@@ -497,29 +497,6 @@ public int MaxRejectedCertificates
             }
         }
 
-        /// <summary>
-        /// Validates the specified certificate against the trust list.
-        /// </summary>
-        /// <param name="certificate">The certificate.</param>
-        public void Validate(X509Certificate2 certificate)
-        {
-            Validate([certificate]);
-        }
-
-        /// <summary>
-        /// Validates a certificate.
-        /// </summary>
-        /// <remarks>
-        /// Each UA application may have a list of trusted certificates that is different from
-        /// all other UA applications that may be running on the same machine. As a result, the
-        /// certificate validator cannot rely completely on the Windows certificate store and
-        /// user or machine specific CTLs (certificate trust lists).
-        /// </remarks>
-        public virtual void Validate(X509Certificate2Collection certificateChain)
-        {
-            Validate(certificateChain, null);
-        }
-
         /// <inheritdoc/>
         public Task ValidateAsync(X509Certificate2 certificate, CancellationToken ct)
         {
@@ -590,8 +567,8 @@ public virtual async Task ValidateAsync(
 
         /// <summary>
         /// Validates a certificate with domain validation check.
-        /// <see cref="Validate(X509Certificate2Collection)"/>
         /// </summary>
+        [Obsolete("Use ValidateAsync")]
         public virtual void Validate(X509Certificate2Collection chain, ConfiguredEndpoint endpoint)
         {
             X509Certificate2 certificate = chain[0];
@@ -754,10 +731,7 @@ public async Task<bool> GetIssuersNoExceptionsOnGetIssuerAsync(
 
                 if (issuer != null)
                 {
-                    if (validationErrors != null)
-                    {
-                        validationErrors[certificate] = revocationStatus;
-                    }
+                    validationErrors?[certificate] = revocationStatus;
 
                     if (issuers.Find(iss =>
                             string.Equals(

diff --git a/Stack/Opc.Ua.Core/Security/Certificates/CertificateValidatorObsolete.cs b/Stack/Opc.Ua.Core/Security/Certificates/CertificateValidatorObsolete.cs
@@ -0,0 +1,42 @@
+/* Copyright (c) 1996-2022 The OPC Foundation. All rights reserved.
+   The source code in this file is covered under a dual-license scenario:
+     - RCL: for OPC Foundation Corporate Members in good-standing
+     - GPL V2: everybody else
+   RCL license terms accompanied with this source code. See http://opcfoundation.org/License/RCL/1.00/
+   GNU General Public License as published by the Free Software Foundation;
+   version 2 of the License are accompanied with this source code. See http://opcfoundation.org/License/GPLv2
+   This source code is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
+*/
+
+using System;
+using System.Security.Cryptography.X509Certificates;
+using System.Threading;
+
+namespace Opc.Ua
+{
+    /// <summary>
+    /// Extension methods for ICertificateValidator.
+    /// </summary>
+    public static class CertificateValidatorObsolete
+    {
+        /// <summary>
+        /// Validates a certificate.
+        /// </summary>
+        [Obsolete("Use ValidateAsync")]
+        public static void Validate(this ICertificateValidator validator, X509Certificate2 certificate)
+        {
+            validator.ValidateAsync(certificate, CancellationToken.None).GetAwaiter().GetResult();
+        }
+
+        /// <summary>
+        /// Validates a certificate chain.
+        /// </summary>
+        [Obsolete("Use ValidateAsync")]
+        public static void Validate(this ICertificateValidator validator, X509Certificate2Collection certificateChain)
+        {
+            validator.ValidateAsync(certificateChain, CancellationToken.None).GetAwaiter().GetResult();
+        }
+    }
+}
diff --git a/Stack/Opc.Ua.Core/Security/Certificates/EccUtils.cs b/Stack/Opc.Ua.Core/Security/Certificates/EccUtils.cs
@@ -1120,7 +1120,7 @@ private ArraySegment<byte> VerifyHeaderForEcc(
                 }
 
                 // validate the sender.
-                Validator?.Validate(senderCertificateChain);
+                Validator?.ValidateAsync(senderCertificateChain, default).GetAwaiter().GetResult();
             }
 
             // extract the send certificate and any chain.

diff --git a/Stack/Opc.Ua.Core/Security/Certificates/ICertificateValidator.cs b/Stack/Opc.Ua.Core/Security/Certificates/ICertificateValidator.cs
@@ -21,16 +21,6 @@ namespace Opc.Ua
     /// </summary>
     public interface ICertificateValidator
     {
-        /// <summary>
-        /// Validates a certificate.
-        /// </summary>
-        void Validate(X509Certificate2 certificate);
-
-        /// <summary>
-        /// Validates a certificate chain.
-        /// </summary>
-        void Validate(X509Certificate2Collection certificateChain);
-
         /// <summary>
         /// Validates a certificate.
         /// </summary>