Certificates - MQTT IoT library

Hi everybody,


I have three questions regarding certificates in the 2152 controller.

For the MQTT IIoT library I want to use server certificates.

For this I received three certificates in .pem format from the broker.


  • CA server certificate
  • client certificate
  • private key (encrypted)

I cannot add the client certificate to the identity store, but adding it to the trust store works.

Q: Do all these three certificates have to be placed in the TRUST store?


I can load the CA and client certificate into the trust store, but when I load the private key I'll get the message: "Unknown Error occurred" and I see the following message in the log:

"Failed to add list of type TrustList for Trust Store MQTT. Error: DecodeError, SubjectUndefined. Validity: Undefined"


Q: Is this because of the encryption, or because of the undefined subject and validity?


In the MQTT connect option FB I'll have to assign the path of the certificates.

When I look in the folders of the PLC I don't see the .pem filename but a long code with the .der extension.


Q: When configuring connect options, do I have to enter the file name in the PLC as ".pem" or as ".der"?

/opt/plcnext/Security/TrustStores/MQTT/trusted/filename.pem

or:

/opt/plcnext/Security/TrustStores/MQTT/trusted/abcd1234.der

Comments

  • Q: Do all these three certificates have to be placed in the TRUST store?

    A: No, certificates and keys that identify the controller have to be placed in the Identity Store and certificates that identify trusted remote partners should be placed in the Trust Store.

    Certificates placed in the Trust Store can be either a trusted certificate of a single remote communication partner (Select Certificate Type: Trusted Certificate when uploading) or can be the certificate of an (intermediate) root CA that has been used to sign the certificate of the remote partner (Select Certificate Type: Issuer Certificate when uploading). Uploading an Issuer Certificate can be beneficial if you want to communicate to multiple remote partners without having to add every single partner specifically.

    Q: Is this because of the encryption, or because of the undefined subject and validity?

    A key is not a certificate, it has no validity or subject (which a certificate does have).

    Only the certificates of trusted remote partners should be added to the Trust Store.

    The client key + certificate should be added to a new store in the Identity Store tab (in XCA, export the certificate in "PEM + key (*.pem)" format, so both are available in one file). After this the new store will show with an invalid certificate. Edit the Certificate line and upload the same file.

    Q: When configuring connect options, do I have to enter the file name in the PLC as ".pem" or as ".der"?

    PEM files are Base64-encoded ASCII files; DER files are binary encoded, which the IIOT_Library cannot decode. So you'll have to use the PEM files.

    Next to that, the amount of characters in the configuration string is limited to 80, so storing the files in a folder with a long name (or a long filename) will not work.

    And to make things even easier (or more confusing), you're not forced to use the WBM Certificate Authentication page to upload the certificates and keys at all.

    So it's easier to just use your favorite SFTP program to store the certificate and key files on the controller in a folder like /opt/plcnext/mycerts and reference those files in the IIOT library config. This way you're not getting sidetracked by all WBM options and it also keeps the folder name short so you don't run into problems with the limited string size in the SSLConfig datatype.
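The answer above boils down to three checks a file should pass before it goes onto the controller: it must be PEM rather than DER, a trust-store upload must contain only certificates (a key has no subject or validity, which is what the "DecodeError, SubjectUndefined" log line is complaining about), an identity-store upload must hold the controller's certificate together with its key, and the path used in the SSLConfig string must stay within 80 characters. The following pre-flight script is an added example, not code from the PLCnext firmware, the IIoT library or the thread's authors; it checks those rules with the standard library only. The sample "certificates" it embeds are constructed stand-ins (a five-byte ASN.1 SEQUENCE), not real X.509 data, and the folder name `/opt/plcnext/mycerts` is just the one suggested in the answer.

```python
"""Pre-flight check for certificate/key files before uploading them to a
PLCnext trust or identity store, following the rules given in the thread.
Added example code; not part of the PLCnext firmware or the IIoT library."""
import base64
import re

# A PEM file is one or more "-----BEGIN X-----" ... "-----END X-----" blocks.
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----(.*?)-----END \1-----", re.S)

CERT_LABELS = {"CERTIFICATE", "TRUSTED CERTIFICATE"}
KEY_LABELS = {"PRIVATE KEY", "ENCRYPTED PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY"}

# Length limit of the path string in the SSLConfig datatype, as stated in the answer.
MAX_CONFIG_PATH_LEN = 80


def _decode_pem_body(body: str) -> bytes:
    """Base64-decode a PEM body, skipping the 'Proc-Type:' / 'DEK-Info:'
    header lines that legacy encrypted keys carry before the data."""
    lines = [ln.strip() for ln in body.strip().splitlines()]
    data_lines = [ln for ln in lines if ln and ":" not in ln]
    return base64.b64decode("".join(data_lines), validate=True)


def classify_file(data: bytes) -> dict:
    """Report the encoding of a file and which store (if any) it belongs in."""
    result = {"encoding": None, "certs": 0, "keys": 0,
              "trust_store_ok": False, "identity_store_ok": False}
    if data[:1] == b"\x30":
        # Raw ASN.1 SEQUENCE at offset 0: binary DER, which the library cannot read.
        result["encoding"] = "DER"
        return result
    try:
        text = data.decode("ascii")
    except UnicodeDecodeError:
        result["encoding"] = "unknown"
        return result
    blocks = PEM_BLOCK.findall(text)
    if not blocks:
        result["encoding"] = "unknown"
        return result
    result["encoding"] = "PEM"
    for label, body in blocks:
        try:
            der = _decode_pem_body(body)
        except ValueError:          # corrupt Base64: counts as neither cert nor key
            continue
        if der[:1] != b"\x30":      # decoded payload is not an ASN.1 SEQUENCE
            continue
        if label in CERT_LABELS:
            result["certs"] += 1
        elif label in KEY_LABELS:
            result["keys"] += 1
    # Trust store: only certificates of remote partners, never a key.
    result["trust_store_ok"] = result["certs"] > 0 and result["keys"] == 0
    # Identity store: the controller's own certificate together with its key.
    result["identity_store_ok"] = result["certs"] > 0 and result["keys"] > 0
    return result


def config_path_ok(path: str) -> bool:
    """True when the path fits into the 80-character SSLConfig string."""
    return len(path) <= MAX_CONFIG_PATH_LEN


# --- constructed sample inputs (not real certificates or keys) -------------
_TOY_DER = b"\x30\x03\x02\x01\x01"                 # SEQUENCE { INTEGER 1 }
_TOY_B64 = base64.b64encode(_TOY_DER).decode()      # "MAMCAQE="

CA_CERT_PEM = (f"-----BEGIN CERTIFICATE-----\n{_TOY_B64}\n"
               "-----END CERTIFICATE-----\n").encode()
ENCRYPTED_KEY_PEM = (f"-----BEGIN ENCRYPTED PRIVATE KEY-----\n{_TOY_B64}\n"
                     "-----END ENCRYPTED PRIVATE KEY-----\n").encode()
LEGACY_KEY_PEM = ("-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
                  "DEK-Info: AES-256-CBC,0123456789ABCDEF0123456789ABCDEF\n\n"
                  f"{_TOY_B64}\n-----END RSA PRIVATE KEY-----\n").encode()
# Shape of an XCA "PEM + key (*.pem)" export: certificate and key in one file.
CLIENT_PEM_PLUS_KEY = CA_CERT_PEM + ENCRYPTED_KEY_PEM

if __name__ == "__main__":
    for name, blob in [("ca.pem", CA_CERT_PEM), ("key.pem", ENCRYPTED_KEY_PEM),
                       ("legacy-key.pem", LEGACY_KEY_PEM),
                       ("client-plus-key.pem", CLIENT_PEM_PLUS_KEY),
                       ("abcd1234.der", _TOY_DER)]:
        print(name, classify_file(blob))
    for path in ["/opt/plcnext/mycerts/client.pem",
                 "/opt/plcnext/Security/TrustStores/MQTT/trusted/" + "x" * 60 + ".pem"]:
        print(len(path), "chars:", "ok" if config_path_ok(path) else "too long", path)
```

Running it shows the CA certificate as trust-store material, the key alone as fitting neither store (which matches the "Unknown Error" the question reports), the combined certificate-plus-key file as identity-store material, the DER file as unusable by the library, and the long trust-store path as exceeding the 80-character limit. Against real files, only the PEM labels and the leading SEQUENCE byte are checked; validity dates and subject names would still need an X.509 parser such as `openssl x509 -noout -subject -dates`.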
