Setting up client certificate authentication

  • You have established which of the authentication requirements apply to the target broker (see “Client certificate authentication”).

  • If the broker requires it, you have generated a device-specific client certificate, and submitted it for import into the broker’s Trust Store.

  • If the broker requires it, you have generated a device-specific client certificate and it has been signed by the broker’s trusted CA certificate. The certificate and CSR can be generated in Workbench using the Certificate Management Tool.

  • You are running Workbench on a PC and are connected to a controller station.

  • The broker generally presents its own certificate during the connection handshake. If this certificate is not signed by a well-established CA that is pre-existing in the station’s System Trust Store, perform one of the following:
    • Connect once to generate a warning in the station’s Certificate Manager Allowed Hosts tab. Review the entry and approve the certificate.

    • Pre-install the public certificate of either the broker’s TLS certificate or its CA certificate into the station’s User Trust Store.

Importing the certificate
  1. After you have obtained your device-specific client certificate, download the certificate to your PC using a secure channel.
    Important: Always share certificates over a secure channel.
  2. In the station, expand Config > Services > PlatformServices and double-click CertManagerService.
    The Certificate Management view opens. Alternatively, you can access this view by expanding Platform and double-clicking Certificate Management.
  3. Click Import and navigate to where you saved the certificate.
  4. Select the desired certificate and click Open.
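
A pre-import check for the CA-signed case, runnable on the PC before step 3 above (an added example, not part of the original documentation or of Workbench): it confirms that the client certificate was issued by the broker's CA, is valid for TLS client authentication, and matches its private key. The use of OpenSSL, PEM files with an unencrypted key, and all file names and subjects are assumptions; the demo builds throwaway constructed material.

```shell
#!/bin/sh
# Added example: pre-import checks with OpenSSL. All names and subjects are constructed.

# check_client_cert CA_CERT CLIENT_CERT CLIENT_KEY (PEM files, key unencrypted: assumption)
check_client_cert() {
    ca=$1; crt=$2; key=$3
    # 1. Chain and purpose: issued by this CA, in date, usable for TLS client auth.
    openssl verify -purpose sslclient -CAfile "$ca" "$crt" >/dev/null 2>&1 || {
        echo "FAIL: not issued by this CA, expired, or not valid for client auth"; return 1; }
    # 2. Key match: the certificate's public key equals the one derived from the key file.
    cert_pub=$(openssl x509 -in "$crt" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || return 1
    [ "$cert_pub" = "$key_pub" ] || { echo "FAIL: private key does not match certificate"; return 1; }
    echo "OK: $(openssl x509 -in "$crt" -noout -subject -enddate | tr '\n' ' ')"
}

# make_constructed_pki DIR NAME: throwaway CA and one device certificate for the demo.
make_constructed_pki() {
    d=$1; n=$2
    cat > "$d/$n.cnf" <<EOF
[req]
distinguished_name = dn
prompt = no
[dn]
CN = constructed-ca-$n
[ca_ext]
basicConstraints = critical,CA:TRUE
[dev_ext]
extendedKeyUsage = clientAuth
EOF
    openssl req -x509 -config "$d/$n.cnf" -extensions ca_ext -newkey rsa:2048 -nodes \
        -days 1 -keyout "$d/$n-ca.key" -out "$d/$n-ca.crt" 2>/dev/null &&
    openssl req -config "$d/$n.cnf" -subj "/CN=constructed-device-$n" -newkey rsa:2048 \
        -nodes -keyout "$d/$n-dev.key" -out "$d/$n-dev.csr" 2>/dev/null &&
    openssl x509 -req -in "$d/$n-dev.csr" -CA "$d/$n-ca.crt" -CAkey "$d/$n-ca.key" \
        -CAcreateserial -days 1 -extfile "$d/$n.cnf" -extensions dev_ext \
        -out "$d/$n-dev.crt" 2>/dev/null
}

# Demo on constructed material; a real run passes the broker's CA file and your own files.
demo() {
    t=$(mktemp -d) && make_constructed_pki "$t" a &&
        check_client_cert "$t/a-ca.crt" "$t/a-dev.crt" "$t/a-dev.key"
    rc=$?; rm -rf "$t"; return $rc
}
demo
```

A failure of the first check means the broker would reject the handshake; a failure of the second means the imported key pair cannot complete it.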
Setting up Mqtt Authenticator
  1. After you have imported your device-specific client certificate, from the abstractMqttDriver palette, drag the DefaultMqttDevice into an existing network under Config > Drivers > AbstractMqttDriverNetwork.
  2. If required by the broker, enter username and password. If not, change the Connection Type to Anonymous Over SSL.
    Note: Ensure that the Ssl version matches the minimum version required by your broker.
  3. Set Use Tls Client Auth to true.
  4. Select the alias of the client certificate as imported earlier to the User Key Store, and enter a matching password.


    You are ready to connect your client to the broker.