Hi all,
I have recently faced a small challenge of generating X.509 certificates for MQTT communication between a PFC controller and Azure IoT Hub. Port 1883 and regular (unencrypted) comms cannot be used with Azure - it requires the use of TLS/SSL and port 8883 (there is also an option to use web sockets, but I haven’t covered it here).
Because of the above, and our customer's requirement, we have configured TLS with the device being authenticated through a CA. As I couldn’t find any article on it, I am sharing the steps I have taken to establish the communication.
1. Establish internet communication on your controller
Other articles already describe how to do this and test the connection, so I will be skipping this step.
2. Connect to NTP Client
TLS requires a time server to be present, so make sure to set it up. The NTP Client can be configured from WBM under Configuration / Ports and Services / NTP Client.
3. Create an IoT Hub
More information can be found here: Create an Azure IoT hub - Azure IoT Hub | Microsoft Learn
4. Generate CA certificate, device certificate and sign it
I have used this article to guide me through the creation of certificates: How to create & sign SSL/TLS certificates - DEV Community. Please note you will need to change some parameters to fit your device.
IMPORTANT: When generating your CA certificate, make sure to set its Common Name (CN) to the hostname of your IoT Hub (<>.azure-devices.net). For your device certificate, IoT Hub requires that its CN is set to the DeviceId used in IoT Hub.
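As an added example (not from the original post or the linked article), the script below carries out step 4 with OpenSSL: it creates the CA key and self-signed CA certificate with the CN set to the hub hostname, creates the device key and CSR with the CN set to the Device ID, signs the CSR with the CA, and verifies the chain. The hub hostname, Device ID and output directory are placeholders passed on the command line; cert_cn is a helper I added so you can confirm both CNs before transferring the files in step 5.

```shell
#!/bin/sh
# Added example: generate CA + CA-signed device certificate for IoT Hub X.509 auth.
# Usage: ./gen_certs.sh <hub hostname> <device id> [output dir]
#   e.g. ./gen_certs.sh example-hub.azure-devices.net device01 ./certs   (placeholder values)
set -e

generate_certs() {
    hub_host="$1"    # IoT Hub hostname, becomes the CA certificate's CN
    device_id="$2"   # must match the Device ID registered in IoT Hub, becomes the device CN
    out="$3"         # directory that will receive ca.crt, device.crt and device.key
    mkdir -p "$out"

    # 1. CA private key and self-signed CA certificate (CN = hub hostname, 10 years)
    openssl genrsa -out "$out/ca.key" 2048 2>/dev/null
    openssl req -x509 -new -key "$out/ca.key" -sha256 -days 3650 \
        -subj "/CN=$hub_host" -out "$out/ca.crt"

    # 2. Device private key and certificate signing request (CN = Device ID)
    openssl genrsa -out "$out/device.key" 2048 2>/dev/null
    openssl req -new -key "$out/device.key" -sha256 \
        -subj "/CN=$device_id" -out "$out/device.csr"

    # 3. Sign the device CSR with the CA (1 year validity)
    openssl x509 -req -in "$out/device.csr" -CA "$out/ca.crt" -CAkey "$out/ca.key" \
        -CAcreateserial -days 365 -sha256 -out "$out/device.crt" 2>/dev/null

    # 4. Check that the device certificate chains to the CA before shipping it
    openssl verify -CAfile "$out/ca.crt" "$out/device.crt" >/dev/null

    # Private keys should not be world-readable once copied to the controller
    chmod 600 "$out/ca.key" "$out/device.key"
}

# Print the Common Name of a certificate file (helper for checking the CNs).
cert_cn() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 \
        | sed 's/^subject=//; s/^CN=//'
}

if [ "$#" -ge 2 ]; then
    generate_certs "$1" "$2" "${3:-./certs}"
    echo "CA CN:     $(cert_cn "${3:-./certs}/ca.crt")"
    echo "Device CN: $(cert_cn "${3:-./certs}/device.crt")"
fi
```

Only ca.crt, device.crt and device.key need to go to the controller in step 5; ca.key stays on the machine that issues certificates, since anyone holding it can mint device certificates the hub will accept.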
5. Transfer the CA certificate, device certificate and device key to a storage location on your controller
I have used WinSCP to perform this task. The certificates were stored in /etc/ssl/certs/
6. Configure your Cloud connection details
Navigate to Configuration / Cloud Connectivity / Connection 1. Configure the connection parameters as below:
- Cloud platform: Azure
- Hostname: Hostname of your IoT Hub (<>.azure-devices.net)
- Device ID: Same Device ID as used in IoT Hub
- Authentication: X.509 Certificate
- CA file: /etc/ssl/certs/<your_ca_cert>
- Certification file: /etc/ssl/certs/<your_device_cert>
- Key file: /etc/ssl/certs/<your_device_key>
- Data protocol: depends on what you are using in CODESYS project
The remaining options are optional in this case. Sharing device info and status, and allowing standard commands, doesn’t impact the connection. Responses to cloud command requests will still have to be programmed in the CODESYS project.
Please note: A multicloud licence is required if there is more than one connection active.
Finally, make sure to tick the Enable box and reboot your controller.
7. Use WagoAppCloud library
As a proof of concept, I have used one of our sample projects for WagoAppCloud - WagoAppCloud_FbCollectionLogger:
Sample Projects for CODESYS 3 | WAGO Download Center
And that’s it. Once successful, the status of your cloud connectivity should be positive and you should see data arriving in your IoT Hub.
I recommend using Azure IoT Explorer for browsing telemetry sent from WAGO controller:
Install and use Azure IoT explorer - Azure IoT | Microsoft Learn
Hope you will find this useful.
Thanks,
Marcin