TLS / certificates

Certificates conforming to the X.509 standard can be used to secure the MQTT connection to the broker.

TwinCAT configuration with certificates

For a TwinCAT router the paths to the X.509 certificates can be configured in the MQTT routes:

<?xml version="1.0" encoding="UTF-8"?>
<TcConfig xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="http://www.beckhoff.com/schemas/2015/12/TcConfig">
<RemoteConnections>
  <Mqtt>
    <Address Port="8883">BROKER-ADDRESS</Address>
    <Topic>VirtualAmsNetwork1</Topic>
    <Tls>
      <Ca>C:\TwinCAT\3.1\Target\Certificates\CA.crt</Ca>
      <Cert>C:\TwinCAT\3.1\Target\Certificates\Device.crt</Cert>
      <Key>C:\TwinCAT\3.1\Target\Certificates\Device.key</Key>
    </Tls>
  </Mqtt>
</RemoteConnections>
</TcConfig>

In this case the paths to the certificate files are entered in the <Tls> element. <Ca> is the X.509 certificate of the Certificate Authority, i.e. the issuing body whose certificates are to be accepted.

The elements <Cert> and <Key> contain the paths to the certificate (public key) and to the private key of the device certificate to be used.

Minimal Mosquitto configuration

The following entries can be used as the simplest Mosquitto configuration for the use of certificates:

port 8883
cafile cert/CA.crt
certfile cert/Broker.crt
keyfile cert/Broker.key
require_certificate true
use_identity_as_username true
auth_plugin C:\TwinCAT\AdsApi\TcMqttPlugin\TcMqttPlugin.dll
auth_opt_xml_file ACLCerts.xml
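The router route above and the Mosquitto configuration below it have to agree for mutual TLS to actually take effect: the router presents <Cert>/<Key> and trusts <Ca>, while the broker must require a client certificate and map its CN to the MQTT identity. The following script is an added example, not code from Beckhoff or the TwinCAT product; it parses both files (the sample inputs are constructed copies of the two configurations shown on this page) and reports any setting that would weaken the setup, such as a missing require_certificate or use_identity_as_username line. The function and variable names are assumptions chosen for this example.

```python
import xml.etree.ElementTree as ET

# Constructed sample input: the TwinCAT router route shown on the page.
# BROKER-ADDRESS is the page's placeholder, not a real host.
TCCONFIG_XML = r"""<?xml version="1.0" encoding="UTF-8"?>
<TcConfig xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="http://www.beckhoff.com/schemas/2015/12/TcConfig">
<RemoteConnections>
  <Mqtt>
    <Address Port="8883">BROKER-ADDRESS</Address>
    <Topic>VirtualAmsNetwork1</Topic>
    <Tls>
      <Ca>C:\TwinCAT\3.1\Target\Certificates\CA.crt</Ca>
      <Cert>C:\TwinCAT\3.1\Target\Certificates\Device.crt</Cert>
      <Key>C:\TwinCAT\3.1\Target\Certificates\Device.key</Key>
    </Tls>
  </Mqtt>
</RemoteConnections>
</TcConfig>
"""

# Constructed sample input: the minimal Mosquitto configuration from the page.
MOSQUITTO_CONF = r"""port 8883
cafile cert/CA.crt
certfile cert/Broker.crt
keyfile cert/Broker.key
require_certificate true
use_identity_as_username true
auth_plugin C:\TwinCAT\AdsApi\TcMqttPlugin\TcMqttPlugin.dll
auth_opt_xml_file ACLCerts.xml
"""

# Constructed weakened variant: TLS is on, but the broker no longer demands a
# client certificate and does not map the certificate CN to the username.
WEAK_MOSQUITTO_CONF = r"""port 8883
cafile cert/CA.crt
certfile cert/Broker.crt
keyfile cert/Broker.key
auth_plugin C:\TwinCAT\AdsApi\TcMqttPlugin\TcMqttPlugin.dll
auth_opt_xml_file ACLCerts.xml
"""


def parse_mosquitto_conf(text):
    """Return {option: value} for a Mosquitto config; blank lines and comments are skipped."""
    options = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        options[parts[0]] = parts[1].strip() if len(parts) > 1 else ""
    return options


def parse_router_mqtt(xml_text):
    """Extract the port and the <Tls> file paths from the first <Mqtt> route of a TcConfig."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    mqtt = root.find("./RemoteConnections/Mqtt")
    if mqtt is None:
        raise ValueError("no <Mqtt> route found")
    address = mqtt.find("Address")
    tls = mqtt.find("Tls")
    paths = {}
    if tls is not None:
        for tag in ("Ca", "Cert", "Key"):
            node = tls.find(tag)
            if node is not None and node.text:
                paths[tag] = node.text.strip()
    return {"port": address.get("Port") if address is not None else None, "tls": paths}


def audit_mqtt_tls(router, broker):
    """Return a list of findings; an empty list means both sides agree on mutual TLS."""
    findings = []
    if not router["tls"]:
        findings.append("router: no <Tls> element, the connection is not encrypted")
    for tag in ("Ca", "Cert", "Key"):
        if tag not in router["tls"]:
            findings.append(f"router: <Tls> lacks <{tag}>")
    if router["port"] != broker.get("port"):
        findings.append(f"port mismatch: router {router['port']} vs broker {broker.get('port')}")
    for option in ("cafile", "certfile", "keyfile"):
        if option not in broker:
            findings.append(f"broker: {option} missing, the TLS listener cannot start")
    if broker.get("require_certificate") != "true":
        findings.append("broker: require_certificate is not true, clients without a certificate are accepted")
    if broker.get("use_identity_as_username") != "true":
        findings.append("broker: use_identity_as_username is not true, the certificate CN is not used as identity")
    return findings


if __name__ == "__main__":
    route = parse_router_mqtt(TCCONFIG_XML)
    print("page config:", audit_mqtt_tls(route, parse_mosquitto_conf(MOSQUITTO_CONF)))
    print("weak config:", audit_mqtt_tls(route, parse_mosquitto_conf(WEAK_MOSQUITTO_CONF)))
```

Run against the two configurations from this page the audit returns no findings; against the weakened broker configuration it reports that clients without a certificate would be accepted and that the CN would no longer become the MQTT identity, which is exactly the pair of settings the rest of this page relies on.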

Broker configuration with certificates

The identity used in the <Ams> elements to describe the AmsNetwork is taken from the CN (Common Name) of the client certificate.

The Certificate Authority defines which certificates are granted access: only certificates issued by the configured CA are accepted.

Additional configuration on the broker side is therefore unnecessary.