The UA security concept is explained in the document "The OPC UA Security Model for Administrators v1.00.pdf". This document is included in the uaPLUS server toolkit distribution.
UA security is based on X.509 certificates.
Each UA server and client application requires a certificate that carries the ApplicationUri of the application. UA servers can typically be configured to disable certificate validation; in this mode any well-formed certificate is accepted and does not have to match the application.
Self-signed certificates can be created with the uaPLUS UaClientConfigHelper utility.
uaPLUS maintains certificates in the Windows Certificates Store.
The certificates are by default in the stores LocalMachine\UA Applications and LocalMachine\Trusted UA Applications.
The stores are defined in the application UA configuration and can be changed if necessary.
The UaServerConfigHelper utility creates and imports certificates into the stores defined in the configuration.
With the server and client on the same machine, the certificates are in the right place when created or imported with the Advosol UaServerConfigHelper and UaClientConfigHelper utilities.
With server and client on different machines, the following steps are required:
- On the server machine, create a certificate for the server. UaClientConfigHelper automatically exports created certificates into a .DER (or .CER) file in the utility's own directory.
- Copy the client certificate .DER file to the server machine and import it with the UaServerConfigHelper utility.
- Copy the server .DER certificate file to the client machine and import it. The location depends on the client application. For Advosol UA client applications, the UaClientConfigHelper utility imports the certificate to the proper location.
The Windows Certificate Manager can be used to check and maintain the certificates beyond what the UaServerConfigHelper utility offers.
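The checks and transfers described above can also be scripted against the same Windows certificate stores. The following PowerShell script is an added example and is not part of the uaPLUS documentation or of Advosol's utilities: it lists the certificates in the LocalMachine\UA Applications store together with the ApplicationUri found in their Subject Alternative Name extension, verifies that a chosen certificate carries the expected URI, exports its public part as a .DER file, and imports a received .DER file into LocalMachine\Trusted UA Applications. The store names are the defaults the text names; the subject name, the expected URI and the file paths are placeholders chosen for illustration.

```powershell
# Added example (not uaPLUS or Advosol code): inspect and maintain the
# certificate stores that uaPLUS uses by default.
$ownStore     = 'Cert:\LocalMachine\UA Applications'
$trustedStore = 'Cert:\LocalMachine\Trusted UA Applications'

# OPC UA places the ApplicationUri in the Subject Alternative Name
# extension (OID 2.5.29.17) as a URI entry. This helper returns those entries.
function Get-UaApplicationUri {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $san = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if (-not $san) { return @() }
    # Format($true) renders one entry per line, URIs as "URL=urn:...".
    ($san.Format($true) -split "`r?`n") |
        Where-Object { $_ -match '^URL=' } |
        ForEach-Object { $_ -replace '^URL=', '' }
}

# 1. Show what is in the application store, including whether the private
#    key is present (a server or client certificate without it is unusable).
Get-ChildItem $ownStore | ForEach-Object {
    [pscustomobject]@{
        Subject        = $_.Subject
        Thumbprint     = $_.Thumbprint
        NotAfter       = $_.NotAfter
        HasPrivateKey  = $_.HasPrivateKey
        ApplicationUri = (Get-UaApplicationUri $_) -join ';'
    }
} | Format-Table -AutoSize

# 2. Verify that the server certificate carries the ApplicationUri the
#    server is configured with. Both values are placeholders (assumptions).
$expectedUri = 'urn:EXAMPLE-HOST:ExampleUaServer'
$serverCert  = Get-ChildItem $ownStore |
    Where-Object { $_.Subject -like 'CN=ExampleUaServer*' } |
    Select-Object -First 1
if (-not $serverCert) {
    "No certificate with subject CN=ExampleUaServer found in $ownStore"
} elseif ((Get-UaApplicationUri $serverCert) -contains $expectedUri) {
    "ApplicationUri matches: $expectedUri"
} else {
    "ApplicationUri mismatch: certificate has '$((Get-UaApplicationUri $serverCert) -join ';')', expected '$expectedUri'"
}

# 3. Export only the public certificate (no private key) as DER for transfer
#    to the peer machine. Output path is an assumption.
if ($serverCert) {
    Export-Certificate -Cert $serverCert -FilePath "$env:TEMP\ExampleUaServer.der" -Type CERT | Out-Null
}

# 4. On the receiving machine, import the peer's .DER file into the trusted
#    store so the peer is accepted. Input path is an assumption.
$peerDer = "$env:TEMP\ExampleUaClient.der"
if (Test-Path $peerDer) {
    Import-Certificate -FilePath $peerDer -CertStoreLocation $trustedStore | Out-Null
}

# 5. Review the trusted store and flag expired entries, which should be
#    removed rather than left to fail validation silently.
Get-ChildItem $trustedStore |
    Select-Object Subject, Thumbprint, NotAfter,
        @{ n = 'Expired'; e = { $_.NotAfter -lt (Get-Date) } } |
    Format-Table -AutoSize
```

Run the script in an elevated PowerShell session, since the LocalMachine stores require administrative rights to write to. Step 2 is the check worth keeping in a routine: when validation is enabled, a certificate whose SAN URI does not equal the configured ApplicationUri is rejected by the peer, and this comparison surfaces that mismatch before a connection attempt does.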