This is not about creating a secure channel (sign and encrypt ) it is about User authentication. It appear that what is being reported is a problem with Authenticating a User using the X.509 certificate - most application use username/Password.

Our OPCUA server is for a specific client where authentication by usr/passwd is forbidden.
Our OPCUA server refuse authentication with usr/passwd.
Do we need to open authentication with usr/passwd ?

User Authentication can be accomplished by using Username/password, X509 certificates, or tokens (OAuth2 - JWT). The CTT currently tests User Authentication for Username/Password and for X509, it does not yet test for oAuth2/JWT. this still needs to be added and will be added under a different mantis issue. The tests for Username/Password and X509 work correctly and have not issues. This issue is about a Server that requires User Authentication when running. A number of test (not security related) do not work for using X509 user certificates for all connection to the Server.

A work around is to use UsernamePassword or Anonymous

The issue has been identified in the library script for activating a session.
If the Signature is not created directly in the test scripts (like it is done in the test cases that tests X509-Certificate-UserToken), the CTT always sent an empty Signature.

The creation of the Signature has been added to the library script, to ensure that a new Signature is created, if no Signature has been passed in.