How to connect event grid with self-signed certificates

Marcos Moraga 20 Reputation points
2024-05-30T23:10:06.52+00:00

Hello everyone,
I am trying to communicate with a Schneider PLC through Event Grid with an MQTT broker using self-signed certificates from Key Vault. I have uploaded certificates generated by Key Vault in .pem and .cer formats, but I receive an error: ‘certificate with incorrect format’. However, when I use certificates provided by the PLC, it works correctly. What could I be missing or where i can found this workflow with self-signed certificates

Azure Key Vault
Azure Key Vault
An Azure service that is used to manage and protect cryptographic keys and other secrets used by cloud apps and services.
1,164 questions
Azure IoT
Azure IoT
A category of Azure services for internet of things devices.
390 questions
Azure Event Grid
Azure Event Grid
An Azure event routing service designed for high availability, consistent performance, and dynamic scale.
338 questions
{count} votes

1 answer

Sort by: Most helpful
  1. Sina Salam 5,716 Reputation points
    2024-05-31T10:46:45.2+00:00

    Hello Marcos Moraga,

    Welcome to the Microsoft Q&A and thank you for posting your questions here.

    Problem

    I understand that you are trying to set up secure communication between a Schneider PLC and an MQTT broker using self-signed certificates generated from Azure Key Vault. Also, you are running into a "certificate with incorrect format" error when using these self-signed certificates, despite the fact that certificates provided by the PLC work without any issues. You would like to know the correct steps to ensure that the certificates are properly configured and formatted so that they are accepted by both the PLC and the MQTT broker.

    Solution

    To solve the problem of establishing secure communication between a Schneider PLC and an MQTT broker using self-signed certificates generated by Azure Key Vault. The below are example of steps to ensure that the certificates are properly configured and formatted so that they are accepted by both the PLC and the MQTT broker.

    #To Generate Certificates in Azure Key Vault
    # Create a Key Vault
    az keyvault create --name <YourKeyVaultName> --resource-group <YourResourceGroup> --location <YourLocation>
    # Create a Certificate
    az keyvault certificate create --vault-name <YourKeyVaultName> --name <YourCertificateName> --policy "$(az keyvault certificate get-default-policy)"
    #Export Certificates from Key Vault
    #Export Certificate in PEM Format
     az keyvault secret download --vault-name <YourKeyVaultName> --name <YourCertificateName> --encoding base64 --file certificate.pem
    #Export Certificate in CER Format
       az keyvault certificate download --vault-name <YourKeyVaultName> --name <YourCertificateName> --file certificate.cer
    #Validate the Certificate Format
    #Check Certificate Details by using OpenSSL to validate the certificate:
       openssl x509 -in certificate.pem -text -noout
    # Convert .pem to .crt if Necessary
       openssl x509 -outform der -in certificate.pem -out certificate.crt
    

    After you've done the above, then place the PEM Certificate and Private Key.

    • To ensure the broker has access to the PEM certificate and private key. The private key can be obtained using Azure CLI if not already included in the PEM file.
    • Also, configure MQTT Broker to Use the Certificates. By update the broker's configuration to specify the paths to the PEM certificate and private key. This configuration might vary depending on the MQTT broker used (e.g., Mosquitto, HiveMQ). http://www.steves-internet-guide.com/mosquitto-tls/.

    At this stage, you will Configure the Schneider PLC.

    If using a CA, import the CA certificate into the PLC’s trusted store. If using a self-signed certificate, import the certificate directly. Schneider PLC typically uses its software interface for certificate management. You will need to follow the PLC’s documentation for importing certificates. You can also use this links:

    Finally

    Ensure the entire certificate chain is present in the PEM file if intermediate certificates are used.

    • Verify the key usage and extended key usage extensions are appropriate. This can be checked using OpenSSL:
        openssl x509 -in certificate.pem -text -noout | grep "X509v3 Key Usage" -A 1
    
    • Ensure the CN and SAN fields match the expected hostname or IP address.

    References

    For all the above and more steps, kindly use the following resources:

    Source: Uploading Private SSL Certificates - Schneider Electric Community Accessed, 5/31/2024.

    Source: Product Documentation & Software downloads. Accessed, 5/31/2024.

    Source: Product Certification | Schneider Electric USA. Accessed, 5/31/2024.

    Source: Mosquitto MQTT Broker SSL Configuration Using Own Certificates. Accessed, 5/31/2024.

    Source: Tutorial - How to Set Up a Mosquitto MQTT Broker Securely. Accessed, 5/31/2024.

    Source: Quick Guide to The Mosquitto.conf File With Examples.Accessed, 5/31/2024.

    Source: Azure Event Grid Namespace MQTT client authentication using certificate chain - Azure Event Grid. Accessed, 5/31/2024.

    Source: Azure Event Grid MQTT client certificate authentication - Azure Event Grid. Accessed, 5/31/2024.

    Accept Answer

    I hope this is helpful! Do not hesitate to let me know if you have any other questions.

    ** Please don't forget to close up the thread here by upvoting and accept it as an answer if it is helpful ** so that others in the community facing similar issues can easily find the solution.

    Best Regards,

    Sina Salam