Hello Marcos Moraga,
Welcome to the Microsoft Q&A and thank you for posting your questions here.
Problem
I understand that you are trying to set up secure communication between a Schneider PLC and an MQTT broker using self-signed certificates generated from Azure Key Vault. Also, you are running into a "certificate with incorrect format" error when using these self-signed certificates, despite the fact that certificates provided by the PLC work without any issues. You would like to know the correct steps to ensure that the certificates are properly configured and formatted so that they are accepted by both the PLC and the MQTT broker.
Solution
To solve the problem of establishing secure communication between a Schneider PLC and an MQTT broker using self-signed certificates generated by Azure Key Vault, the steps below are an example of how to ensure that the certificates are properly configured and formatted so that they are accepted by both the PLC and the MQTT broker.
#To Generate Certificates in Azure Key Vault
# Create a Key Vault
az keyvault create --name <YourKeyVaultName> --resource-group <YourResourceGroup> --location <YourLocation>
# Create a Certificate (the default policy issues a self-signed certificate and stores it as a PKCS#12/PFX secret)
az keyvault certificate create --vault-name <YourKeyVaultName> --name <YourCertificateName> --policy "$(az keyvault certificate get-default-policy)"
#Export Certificates from Key Vault
#Export Certificate and Private Key in PEM Format: the secret behind the certificate is a PFX, so download it as a PFX and convert it to PEM
az keyvault secret download --vault-name <YourKeyVaultName> --name <YourCertificateName> --encoding base64 --file certificate.pfx
# The PFX is exported without a password; -nodes writes the private key unencrypted into the PEM file
openssl pkcs12 -in certificate.pfx -out certificate.pem -nodes -passin pass:
#Export Certificate in CER (DER) Format: public certificate only; without --encoding DER the command writes PEM
az keyvault certificate download --vault-name <YourKeyVaultName> --name <YourCertificateName> --encoding DER --file certificate.cer
#Validate the Certificate Format
#Check Certificate Details by using OpenSSL to validate the certificate:
openssl x509 -in certificate.pem -text -noout
# Convert .pem to binary DER (.crt) if Necessary
openssl x509 -outform der -in certificate.pem -out certificate.crt
After you've done the above, place the PEM certificate and private key.
- Ensure the broker has access to the PEM certificate and private key. The private key can be obtained using the Azure CLI if it is not already included in the PEM file.
- Also, configure the MQTT broker to use the certificates by updating the broker's configuration to specify the paths to the PEM certificate and private key. This configuration may vary depending on the MQTT broker used (e.g., Mosquitto, HiveMQ): http://www.steves-internet-guide.com/mosquitto-tls/.
At this stage, you will configure the Schneider PLC.
If using a CA, import the CA certificate into the PLC’s trusted store. If using a self-signed certificate, import the certificate directly. A Schneider PLC typically uses its software interface for certificate management. You will need to follow the PLC’s documentation for importing certificates. You can also use these links:
- Uploading Private SSL Certificates - Schneider Electric Community: https://community.se.com/t5/APC-UPS-Data-Center-Enterprise/Uploading-Private-SSL-Certificates/td-p/336853.
- Product Documentation & Software downloads: https://www.se.com/ww/en/download/.
- Product Certification | Schneider Electric USA.: https://www.se.com/us/en/work/support/resources-and-tools/product-certification.jsp.
Finally
- Ensure the entire certificate chain is present in the PEM file if intermediate certificates are used.
- Verify the key usage and extended key usage extensions are appropriate. This can be checked using OpenSSL:
openssl x509 -in certificate.pem -text -noout | grep "X509v3 Key Usage" -A 1
- Ensure the CN and SAN fields match the expected hostname or IP address.
References
For all the above and more steps, kindly use the following resources:
Source: Uploading Private SSL Certificates - Schneider Electric Community. Accessed 5/31/2024.
Source: Product Documentation & Software downloads. Accessed 5/31/2024.
Source: Product Certification | Schneider Electric USA. Accessed 5/31/2024.
Source: Mosquitto MQTT Broker SSL Configuration Using Own Certificates. Accessed 5/31/2024.
Source: Tutorial - How to Set Up a Mosquitto MQTT Broker Securely. Accessed 5/31/2024.
Source: Quick Guide to The Mosquitto.conf File With Examples. Accessed 5/31/2024.
Source: Azure Event Grid Namespace MQTT client authentication using certificate chain - Azure Event Grid. Accessed 5/31/2024.
Source: Azure Event Grid MQTT client certificate authentication - Azure Event Grid. Accessed 5/31/2024.
Accept Answer
I hope this is helpful! Do not hesitate to let me know if you have any other questions.
** Please don't forget to close up the thread here by upvoting and accept it as an answer if it is helpful ** so that others in the community facing similar issues can easily find the solution.
Best Regards,
Sina Salam
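As an added example that is not part of the answer above and not code from Schneider Electric, Microsoft or any MQTT broker project: the "certificate with incorrect format" symptom in the question most often means a file in one on-disk encoding was handed to a component expecting another, typically a PKCS#12 (.pfx) exported from the Key Vault secret being used where a PEM file is required. The Python script below triages a file's format using only the standard library: it recognises PEM armour, tells a bare DER certificate from a PKCS#12 container by looking at the first two ASN.1 headers, flags bare base64 text without PEM headers, and reports whether a chain and a private key are bundled. It does no X.509 parsing, so `openssl x509 -text` remains the tool for the contents. The sample inputs and the script name `cert_triage.py` are constructed for this illustration; the DER samples are ASN.1-shaped stand-ins, not real certificates or keys.

```python
"""Triage a certificate file's on-disk format (PEM bundle, bare DER certificate or
PKCS#12 container) before loading it into a PLC or MQTT broker. Stdlib only; no
X.509 parsing is done here, use `openssl x509 -text` for the contents."""
import base64
import re
import sys
from dataclasses import dataclass, field

# One armoured PEM block; the END label must repeat the BEGIN label.
PEM_BLOCK = re.compile(rb"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----", re.S)

@dataclass
class CertReport:
    encoding: str                     # pem | der-certificate | pkcs12 | base64-blob | unknown
    pem_labels: list = field(default_factory=list)
    notes: list = field(default_factory=list)

def _asn1_header(buf: bytes, pos: int):
    """Decode one DER tag/length header at pos -> (tag, length, header_len) or None."""
    if pos + 2 > len(buf):
        return None
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:                  # short-form length
        return tag, first, 2
    n = first & 0x7F                  # long form: n length bytes follow
    if n == 0 or pos + 2 + n > len(buf):
        return None
    return tag, int.from_bytes(buf[pos + 2:pos + 2 + n], "big"), 2 + n

def classify_der(buf: bytes) -> str:
    """X.509 and PKCS#12 both open with SEQUENCE; the first child differs:
    SEQUENCE (tbsCertificate) for a certificate, INTEGER version == 3 for a PFX."""
    outer = _asn1_header(buf, 0)
    if outer is None or outer[0] != 0x30:
        return "unknown"
    inner = _asn1_header(buf, outer[2])
    if inner is None:
        return "unknown"
    tag, length, hdr = inner
    if tag == 0x30:
        return "der-certificate"
    value_pos = outer[2] + hdr
    if tag == 0x02 and length == 1 and value_pos < len(buf) and buf[value_pos] == 3:
        return "pkcs12"
    return "unknown"

def classify(data: bytes) -> CertReport:
    """Classify raw file bytes and attach the remediation a broker or PLC admin needs."""
    blocks = PEM_BLOCK.findall(data)
    if blocks:
        labels = [label.decode() for label, _ in blocks]
        rep = CertReport("pem", labels)
        ncert = labels.count("CERTIFICATE")
        if ncert == 0:
            rep.notes.append("no CERTIFICATE block: not usable as a certificate file")
        elif ncert == 1:
            rep.notes.append("single certificate, no chain bundled")
        else:
            rep.notes.append(f"{ncert} certificates: leaf plus chain")
        if not any("PRIVATE KEY" in lbl for lbl in labels):
            rep.notes.append("no private key in this file; the broker needs its keyfile separately")
        for label, body in blocks:    # every body must decode to ASN.1, else the file is damaged
            try:
                payload = base64.b64decode(body)   # newlines are discarded by default
            except ValueError:
                payload = b""
            if not payload.startswith(b"\x30"):
                rep.notes.append(f"{label.decode()} body is not base64 ASN.1: corrupt or double-encoded")
        return rep
    kind = classify_der(data)
    if kind == "pkcs12":
        return CertReport(kind, notes=["PKCS#12 container (what the Key Vault secret holds for the default "
                                       "policy); convert: openssl pkcs12 -in f.pfx -out f.pem -nodes"])
    if kind == "der-certificate":
        return CertReport(kind, notes=["binary DER certificate; convert: openssl x509 -inform der -in f.cer -out f.pem"])
    # Bare base64 text without PEM armour, e.g. a Key Vault secret value pasted into a file.
    stripped = b"".join(data.split())
    if stripped and re.fullmatch(rb"[A-Za-z0-9+/]+=*", stripped):
        try:
            inner = classify_der(base64.b64decode(stripped, validate=True))
            return CertReport("base64-blob", notes=[f"base64 without PEM headers; payload looks like {inner}"])
        except ValueError:
            pass
    return CertReport("unknown", notes=["not PEM, DER or PKCS#12"])

# Constructed sample inputs: ASN.1-shaped stand-ins, not real certificates or keys.
SAMPLE_CERT_DER = bytes.fromhex("30083006020101020102")  # SEQUENCE { SEQUENCE { INTEGER 1, INTEGER 2 } }
SAMPLE_PFX_DER = bytes.fromhex("30050201033000")         # SEQUENCE { INTEGER 3, SEQUENCE {} }
SAMPLE_PEM = (b"-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(SAMPLE_CERT_DER)
              + b"-----END CERTIFICATE-----\n")
SAMPLE_BUNDLE = SAMPLE_PEM + (b"-----BEGIN PRIVATE KEY-----\n" + base64.encodebytes(b"\x30\x03\x02\x01\x00")
                              + b"-----END PRIVATE KEY-----\n")
SAMPLE_B64_BLOB = base64.b64encode(SAMPLE_PFX_DER)

if __name__ == "__main__":            # usage: python cert_triage.py certificate.pem certificate.pfx
    for path in sys.argv[1:]:
        rep = classify(open(path, "rb").read())
        print(path, rep.encoding, rep.pem_labels, *rep.notes, sep="\n  ")
```

Run it against the files produced by the export steps (`python cert_triage.py certificate.pem certificate.pfx certificate.cer`) and compare the reported encoding with what the PLC or broker setting expects; a Mosquitto `certfile`/`keyfile` pair, for example, must both report `pem`, and a file reported as `pkcs12` should be converted with the `openssl pkcs12` command in the note before it is imported. The DER/PKCS#12 distinction rests on the ASN.1 structure of the first two elements only, which is sufficient to separate the two container types but is not a validity check of the certificate itself.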