PLS8-E: Client certificates for authentication against a server | Telit Cinterion IoT Developer Community
March 15, 2018 - 1:47pm, 2304 views
Hello,
we are using the PLS8-E in a product which is currently in development. After studying application note 62 (Transport Layer Security for Client TCP/IP Services), it is clear how to establish a TLS connection with server side certificates. However, we would also like to use client certificates, in order to authenticate our device (client) against the server. Although client certificates are mentioned in the application note, they seem to be used to protect the access to the (server) certificate store in the module's NVRAM.
So my question is: Is there any way to establish a TLS connection using mutual authentication (certificates on both sides, as mentioned here: https://en.wikipedia.org/wiki/Mutual_authentication) with the firmware of the PLS8-E? If not, are there alternatives? We want to avoid username/password based authentication.
Best regards,
Alex
Hi!
Which firmware version do you have? The 03.017 AT manual says:
AT^SNBR, page 473: "Certificate index 0...10. Index 0 is handled as client certificate (only 1 allowed). Indexes from 1 to 10 are handled as server certificates."
Antero Markkula
Communication and Mechatronics
Enkom Active Oy – www.enkom-active.fi
Upseerinkatu 3 A, 02600 Espoo, Finland
Mobile: +358 400 411368
Office: +358 10 204 0000
Fax: +358 10 204 0010
E-mail: antero.markkula@enkom-active.fi
Hi! (was sent too early....)
AT^SNBW, page 480, "Certificate management for secure connection of client IP services..."
Best regards, Antero
Hello Antero,
thanks for your answer. The "client certificate" you mentioned is what I referred to in my first post. Note the following quotes from application note 62.
So from my understanding, the "client certificate" is used only to protect access to the certificate store of the module, not to provide authentication with the backend. Or did I get this wrong?
Hello Alex,
The client certificate is used to protect access to the certificate store but not only:
AN62 page 32: "The module allows only secure commands with valid IMEI and signature. For using secure commands the client certificate has to be written first and is always stored at index 0."
PLS8-E AT manual page 294: "Secure connection (TLS)
All services except Listener services support server and client authentication for Transport Layer Security (TLS)."
Best Regards,
Antero
Hello,
As Antero has written, the PLS8 module supports server and client authentication (for all services except Listener services).
You need a server that requires a client certificate - please see this: https://test.mosquitto.org/ssl/
Regards,
Bartłomiej
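Bartłomiej's point is that the backend must actually demand a client certificate, otherwise the certificate the module holds at index 0 is never checked. The following is an added example, not code from this thread or from Telit/Cinterion: it builds a constructed demo PKI with the openssl CLI (the CA plays the part of the trusted "server certificate" slots, the device certificate the part of index 0), runs a TLS server with CERT_REQUIRED, and connects once with and once without the device certificate. The names, ports and certificate subjects are all assumptions made for the demo; it needs the openssl binary and loopback networking.

```python
import os, socket, ssl, subprocess, tempfile, threading

def make_demo_pki(workdir):
    # Constructed demo PKI (openssl CLI): a CA, a "localhost" server cert, a device cert in the index-0 role.
    def run(*args):
        subprocess.run(["openssl", *args], cwd=workdir, check=True, capture_output=True)
    certs = {"ca": ("Demo CA", "basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign"),
             "server": ("localhost", "subjectAltName=DNS:localhost\nkeyUsage=critical,digitalSignature,keyEncipherment"),
             "device": ("device-001", "subjectAltName=DNS:device-001\nkeyUsage=critical,digitalSignature")}
    for name, (cn, exts) in certs.items():
        with open(os.path.join(workdir, f"{name}.ext"), "w") as f:
            f.write(exts + "\nsubjectKeyIdentifier=hash\n" + ("" if name == "ca" else "authorityKeyIdentifier=keyid\n"))
        run("req", "-new", "-newkey", "rsa:2048", "-nodes", "-subj", f"/CN={cn}", "-keyout", f"{name}.key", "-out", f"{name}.csr")
        signer = ["-signkey", "ca.key"] if name == "ca" else ["-CA", "ca.crt", "-CAkey", "ca.key", "-CAcreateserial"]
        run("x509", "-req", "-days", "1", "-in", f"{name}.csr", *signer, "-extfile", f"{name}.ext", "-out", f"{name}.crt")
    return {f: os.path.join(workdir, f) for f in os.listdir(workdir)}

def serve_one(pki, listener, outcome):
    # Server side; CERT_REQUIRED makes the handshake mutual, otherwise no client cert is ever requested.
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.load_cert_chain(pki["server.crt"], pki["server.key"])
    ctx.load_verify_locations(pki["ca.crt"])
    ctx.verify_mode = ssl.CERT_REQUIRED
    raw, _ = listener.accept()
    try:
        with ctx.wrap_socket(raw, server_side=True) as tls:
            outcome.append(dict(rdn[0] for rdn in tls.getpeercert()["subject"])["commonName"])
            tls.sendall(b"ok")
    except OSError:  # handshake rejected, e.g. "peer did not return a certificate"
        outcome.append(None)

def device_connects(pki, with_client_cert):
    # Client side, standing in for the module with or without a certificate at index 0.
    ctx = ssl.create_default_context(cafile=pki["ca.crt"])
    if with_client_cert:
        ctx.load_cert_chain(pki["device.crt"], pki["device.key"])
    listener, outcome = socket.create_server(("127.0.0.1", 0)), []
    server = threading.Thread(target=serve_one, args=(pki, listener, outcome)); server.start()
    try:
        with socket.create_connection(listener.getsockname()) as s, \
                ctx.wrap_socket(s, server_hostname="localhost") as tls:
            ok = tls.recv(2) == b"ok"  # under TLS 1.3 a missing client cert surfaces here as an alert
    except OSError:
        ok = False
    server.join(); listener.close()
    return ok, outcome[0]

def run_demo():  # ((ok, CN the server saw) with the device cert, the same without it)
    with tempfile.TemporaryDirectory() as d:
        pki = make_demo_pki(d)
        return device_connects(pki, True), device_connects(pki, False)
```

Pointing the client at the backend you intend to use and dropping the device certificate is the quickest way to confirm that backend really rejects unauthenticated devices rather than silently accepting them.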