08/22/2018
We're introducing OPC UA to our site. We have a simple OPC UA server and OPC UA client.
The OPC UA Server (Matrikon OPC UA Tunneller) and the test client we're using (Prosys OPC UA Client) were simple to set up.
The Transport Security is set to Sign & Encrypt on both sides. No issues with that.
The Application Security was also easy - the OPC UA client attempted to connect and subsequently failed - however, the OPC UA server configuration software detected the client attempting to connect and allowed me to move the client certificate from the rejected store to the trusted store. Once that was done, the OPC UA client connected.
For the User Security component - when using Anonymous or Username/Password - there are no problems connecting.
Where I am having difficulty is in understanding the User Security component when attempting to use Certificates and Private Keys. My initial questions are:
- How do I generate this certificate and public key?
- Should we just use Username/Passwords for User Security?
- Where can I find the OPC Configuration Tool? It seems to be referenced a lot, but I can't find the actual tool to download.
I did find the Opc.Ua.CertificateGenerator.exe tool on the OPC UA server. In command prompt, I used the following parameters.
Opc.Ua.CertificateGenerator.exe -cmd issue -sp . -an OPCTEST -o MyCompany -pw password -pem true
This generated the type of files that seemed to be recognised on the OPC UA Client interface (.der for the certificate and .pem for the private key). However, when using the password, the Client produced an error when trying to read the private key (possibly just a bug with the OPC UA client?)
Am I on the right track here? Am I over thinking this? Note: The data is important to our operation, and as we will be allowing data to be written to the control system, we want to make this as secure as possible.
05/30/2017
The UA client needs to be configured with the private key password you supplied.
Please check the client documentation.
Note that some clients do not support private key passwords, however, they should.
The configuration tool was specific to the OPC-F .NET samples. It is no longer available as a binary.
Opc.Ua.CertificateGenerator.exe is a tool you can use, however, make sure you update it regularly from whatever supplier provided it.
The source is on GitHub here:
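The following is an added example and is not code from the thread, from Matrikon, Prosys or the OPC Foundation. It covers both the generator call in the question and the point in the reply that the client must be given the private key password: it produces the same pair of files (a DER certificate and a password-protected PEM private key) with OpenSSL, and then checks that the key really decrypts with the configured password and that the certificate belongs to that key. Running those two checks first tells you whether a "cannot read private key" error is a wrong or unsupported password or a client bug. It assumes openssl 1.1.1 or later is on PATH; the names OPCTEST, MyCompany, the URI and the password are illustrative only.

```shell
#!/bin/sh
# Added example, not from the original thread or any of the vendors named in it.
# Generates a user certificate (DER) plus a password-protected private key (PEM)
# and checks that the key decrypts with the password the client will be given.
# Assumptions: openssl 1.1.1+ on PATH; names, URI, password and paths are
# illustrative.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# make_user_cert NAME ORG PASSWORD
# Writes $WORK/NAME.pem (RSA key, PKCS#8, AES-256 encrypted) and $WORK/NAME.der
# (self-signed X.509). Prints the certificate path.
make_user_cert() {
    name="$1"; org="$2"; pw="$3"
    key="$WORK/$name.pem"; crt="$WORK/$name.der"; cnf="$WORK/$name.cnf"

    # Extensions an OPC UA stack expects: a URI SAN carrying an application URI
    # (required on application certs, harmless on a user cert) and a key usage
    # that allows signing and key encipherment for the Sign & Encrypt modes.
    cat > "$cnf" <<EOF
[ req ]
distinguished_name = dn
prompt = no
x509_extensions = v3_opcua
[ dn ]
CN = $name
O = $org
[ v3_opcua ]
subjectAltName = URI:urn:$name:$org, DNS:localhost
keyUsage = critical, digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
extendedKeyUsage = clientAuth, serverAuth
basicConstraints = CA:FALSE
subjectKeyIdentifier = hash
EOF

    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -aes-256-cbc -pass "pass:$pw" -out "$key" 2>/dev/null
    openssl req -new -x509 -days 365 -config "$cnf" \
        -key "$key" -passin "pass:$pw" -outform DER -out "$crt" 2>/dev/null
    echo "$crt"
}

# key_opens_with PASSWORD KEYFILE: succeeds only if KEYFILE decrypts with PASSWORD.
# Run this first when a client reports it cannot read the private key.
key_opens_with() {
    openssl pkey -in "$2" -passin "pass:$1" -noout 2>/dev/null
}

# cert_matches_key PASSWORD KEYFILE CERTFILE: succeeds only if the public key in
# CERTFILE is the one that belongs to KEYFILE (both printed as SPKI PEM).
cert_matches_key() {
    kpub=$(openssl pkey -in "$2" -passin "pass:$1" -pubout 2>/dev/null) || return 1
    cpub=$(openssl x509 -in "$3" -inform DER -pubkey -noout 2>/dev/null) || return 1
    [ "$kpub" = "$cpub" ]
}

# cert_subject CERTFILE: prints the subject DN, which is what the server shows
# in its rejected/trusted store when the certificate first arrives.
cert_subject() {
    openssl x509 -in "$1" -inform DER -noout -subject
}

# Demonstration with the names used in the post.
CRT=$(make_user_cert OPCTEST MyCompany password)
cert_subject "$CRT"
key_opens_with password "$WORK/OPCTEST.pem" && echo "key opens with the configured password"
key_opens_with wrong "$WORK/OPCTEST.pem" || echo "key does not open with a wrong password (expected)"
```

Point the client at the .der as the user certificate and the .pem as the private key, with the same password given to make_user_cert; if key_opens_with succeeds with that password but the client still fails to read the key, the client either does not support encrypted keys or expects a different PEM encoding, and that is the question to take to the client's documentation.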