Okay.
Well, you need to make sure Ignition’s client certificate is trusted in KSE.
You also need to make sure KSE’s server certificate is trusted in Ignition. It’s on the gateway under Configure > OPC UA > Security. Then go to the Client tab and you should see the KSE server certificate there with a button to mark it as trusted.
Then, after all this, there’s a possibility you’re running a version of KSE with a bug that generates invalid application URIs in the certificate. This manifests as a Bad_CertificateUriInvalid error, the same as described in this post. If this is happening you need to upgrade KSE to a 6.1+ version and generate the certificate.