Client/Server certificate

This section considers the case where both the client certificate and the server certificate are verified. The slightly modified communication flow (compared to the Server certificate chapter) is visualized in the following diagram. The individual steps of the TLS connection establishment are described in chapter Transport layer.

Diagram: Client/Server certificate 1

Application in TwinCAT

If a client certificate is used, the file path (.PEM or .DER file) or the content of the .PEM file is passed to TwinCAT as a string, just as for the CA certificate. TwinCAT as the client then presents this certificate to the server. The client's private key must also be referenced, because the client signs the TLS CertificateVerify message with it to prove possession of the key. If the private key is password-protected, the password can optionally be passed as well. The same settings apply to the HTTP client, the MQTT client and the WebSocket client; the HTTP client is used in the example below.

PROGRAM MAIN
VAR
    fbClient : FB_IotHttpClient;
END_VAR
// CA certificate used to validate the server certificate (mandatory whenever a client certificate is set)
fbClient.stTLS.sCA := 'C:\TwinCAT\3.1\Config\Certificates\someCA.pem';
// Client certificate that TwinCAT presents to the server
fbClient.stTLS.sCert := 'C:\TwinCAT\3.1\Config\Certificates\someCRT.pem';
// Private key belonging to the client certificate (signs the CertificateVerify message)
fbClient.stTLS.sKeyFile := 'C:\TwinCAT\3.1\Config\Certificates\someprivatekey.pem.key';
// Optional: password of the private key file, only needed if the key is password-protected
fbClient.stTLS.sKeyPwd := 'yourkeyfilepasswordhere';

If a client certificate is set, a CA certificate must also be set so that the server certificate can be validated. This is required by the security framework used in the IoT driver.

If server certificate validation is to be disabled in this case, an additional flag can be set to skip the validation; the CA certificate still cannot be omitted. With validation skipped, the client no longer authenticates the server, although the server still authenticates the client.
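The following preflight check is an added example and not part of TwinCAT or the IoT driver. It mirrors the four stTLS fields above in Python's standard ssl module, applies the rules from this page (a private key and a CA certificate are both required whenever a client certificate is set, even with server validation skipped), and then loads the PEM material the way a TLS library would, so a wrong key password or a key that does not match the certificate is caught before the PLC project is deployed. The field names are assumed to match the TwinCAT struct; the skip flag is named bSkipServerCheck here as a placeholder, since the page does not name it.

```python
import os
import ssl
from dataclasses import dataclass


@dataclass
class TlsSettings:
    """Mirror of the stTLS fields used on this page (names assumed; constructed for this example)."""
    sCA: str = ""
    sCert: str = ""
    sKeyFile: str = ""
    sKeyPwd: str = ""
    bSkipServerCheck: bool = False  # placeholder name for the page's 'additional flag'


def preflight(cfg: TlsSettings) -> list:
    """Return a list of findings; an empty list means the settings are consistent
    and the referenced PEM material loads in a standard TLS library."""
    findings = []
    if cfg.sCert and not cfg.sKeyFile:
        findings.append("client certificate set but no private key: CertificateVerify cannot be signed")
    if cfg.sCert and not cfg.sCA:
        # Rule from this page: the CA is mandatory with a client certificate,
        # even when server certificate validation is switched off.
        findings.append("client certificate set but no CA certificate (required even when validation is skipped)")
    for label, path in (("sCA", cfg.sCA), ("sCert", cfg.sCert), ("sKeyFile", cfg.sKeyFile)):
        if path and not os.path.isfile(path):
            findings.append(f"{label}: file not found: {path}")
    if findings:
        return findings

    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)  # verifies the server by default
    if cfg.bSkipServerCheck:
        # Equivalent of the skip flag: the server is no longer authenticated.
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    try:
        if cfg.sCA:
            ctx.load_verify_locations(cafile=cfg.sCA)
        if cfg.sCert:
            # Raises SSLError on a wrong password or a key that does not belong to the certificate.
            ctx.load_cert_chain(certfile=cfg.sCert, keyfile=cfg.sKeyFile, password=cfg.sKeyPwd or None)
    except ssl.SSLError as exc:
        findings.append(f"PEM material rejected (wrong password, key/cert mismatch or bad encoding): {exc}")
    return findings
```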