Why Certificates?<\/h2>\n\n\n\n
Instead of user credentials, which can be easily compromised, the industry is slowly shifting towards more secure certificate-based security. Certificates are authorized and signed by a \u201cCertificate Authority\u201d (CA) and come with a public and private key.<\/p>\n\n\n\n
A public key is shared openly to encrypt data or verify signatures, while the private key is stored locally by the certificate owner to decrypt data and create signatures, enabling secure communications.<\/p>\n\n\n\n
Typically, an MQTT connection is secured through TLS and leverages a unique certificate per device. Devices can share the same certificate, but if one of the certificates is compromised, all devices will need to have their certificates updated.<\/p>\n\n\n\n
What’s the Catch?<\/h3>\n\n\n\n
One way that certificates are more secure is that they have limited lifespans. Each certificate has a specified time frame (usually a decade or more, up to a limit) where it is valid. Upon expiration, communications relying on the certificate will fail until a new certificate is signed by the CA and manually rotated on the device. For Siemens PLCs, this is a manual process that requires a hardware download and downtime.<\/p>\n\n\n\n
A similar lifespan issue arises for the CA. The current Amazon Root CA 1 at the time of writing expires January 2038 and has a lifespan of 10-20 years.<\/p>\n\n\n\n
However, AWS helps with mitigating this issue by allowing users to remotely monitor and even revoke certificates.<\/p>\n\n\n\n
Configuring AWS IoT Core<\/h2>\n\n\n\n
In AWS IoT Core, every device is registered as a Thing and has associated certificates to secure the communications and \u201cPolicies\u201d to determine the permissions a certificate is allowed to have. Before the PLC can communicate with AWS, it must first be configured in the IoT Core with at least one of each (Thing, Certificate, Policy).<\/p>\n\n\n\n
Note: It is possible to use user credentials with AWS, but this is less secure and requires the configuration of a custom authorizer and downloading the Amazon Root Certificate to the PLC. More information can be found here: <\/em>Use API Gateway Lambda authorizers – Amazon API Gateway<\/em><\/a>.<\/em><\/p>\n\n\n\n A Thing can be created under the \u201cManage > All devices > Things\u201d menu. Creating a Thing will prompt the user to assign a certificate and a policy. In this example, an auto-generated AWS certificate was used.<\/p>\n\n\n\n As part of the steps to create a Thing, you can also create a Policy. Policies are used to Allow\/Deny actions that a device can perform when connected using the attached certificate. A policy can be reused across multiple certificates, and a certificate can have multiple attached policies, allowing for flexible configuration.<\/p>\n\n\n\n For testing basic communications and setup, it is recommended that an unrestricted policy be used to allow all policy actions and resources to be accessed (notated by the wildcard character, *). Policies can be updated at any time to remotely modify the permissions of any device.<\/p>\n\n\n\n Note: For more information regarding policy configuration, see <\/em>AWS IoT Core policy examples – AWS IoT Core<\/em><\/a>.<\/em><\/p>\n\n\n\n Once a Thing has been created, a pop-up will appear with download links to the generated certificates. Click the \u201cDownload All\u201d button to download a copy of the certificate, keys, and root CA certificates. Don\u2019t close the dialog box without downloading a copy of the certificate and keys, as this is the only time they are available for security reasons!<\/p>\n\n\n\n Configuring the PLC to communicate via MQTT requires 3 steps. First, the LMQTT library must be added to the project and configured for the connection. Next, project security must be enabled to allow the user to access the \u201cCertificate Manager\u201d and import the certificates to the project.<\/p>\n\n\n\n Note: More information and a detailed guide of each step can be found here: <\/em>Use the SIMATIC controller as an MQTT client – ID: 109748872 – Industry Support Siemens<\/em><\/a>.<\/em><\/p>\n\n\n\n The LMQTT Library and documentation can be found as part of the communications library here: SIMATIC S7-1500\/S7-1200 Libraries for Communication (LCommSuite) – ID: 109780503 – Industry Support Siemens<\/a><\/p>\n\n\n\n After downloading the Siemens Libraries for Communication, unzip the file and move the resulting folder to a permanent location. Then, import the \u201cLibraries_Comm_Controller.al20\u201d as a global library into your project.<\/p>\n\n\n\n The communications library will then appear. For this blog, only the LMQTT library objects are used. Drag and drop the \u201cLMQTT_Client\u201d object from the Global Library into the \u201cProgram blocks\u201d folder of your PLC. All dependencies will automatically be imported into the project along with the library block.<\/p>\n\n\n\n Next, create a Global Data Block to hold the tag values of the LMQTT Client. This can be done by expanding the \u201cProgram blocks\u201d folder in the Project tree and clicking \u201cAdd new block\u201d. From the dialog box, select \u201cData Block\u201d, name the block, and choose \u201cGlobal DB\u201d.<\/p>\n\n\n\n The Data Block used by our example project is shown below. Some notes on our implementation:<\/p>\n\n\n\n The connection parameters in our example are configured as follows:<\/p>\n\n\n\n Some notes on our configuration:<\/p>\n\n\n\n An instance of the LMQTT Client function block can be created by dragging an instance of \u201cLMQTT_Client\u201d into any LAD block on the PLC and linking the corresponding tags in the database. An example of how the tags can be linked is shown below:<\/p>\n\n\n\n To enable project security, navigate to the PLC\u2019s \u201cProperties > General > Certificate manager\u201d menu and enable the \u201cUse global security settings for certificate manager\u201d setting.<\/p>\n\n\n\n Next, enable project security by navigating in the Project Tree to \u201cSecurity settings > Settings > Project protection\u201d and password-protect the program. This is necessary to enable the project \u201cCertificate manager\u201d menu under \u201cSecurity Settings > Security features.\u201d<\/p>\n\n\n\n Before the certificate is imported into TIA Portal, the AWS client certificate and private key must be merged using a text editor. This can be done by opening both the *.pem certificate and the private.key file and pasting the private key in the line below the certificate. After doing so, your certificate file should look like the one below:<\/p>\n\n\n\n To import a certificate, navigate to the \u201cTrusted Certificates and root certificates\u201d menu in the project \u201cCertificate Manager\u201d, right-click the table and select import. The two files that will be needed are the:<\/p>\n\n\n\n Once complete, the two certificates should appear as follows:<\/p>\n\n\n\n Next, return to the PLC \u201cProperties > Certificate manager\u201d and add the IoT Certificate under \u201cDevice certificates\u201d and the Root CA1 certificate as a \u201cCertificates of partner device.\u201d<\/p>\n\n\n\n Finally, the IP, gateway, and time settings of the PLC need to be configured before downloading to the PLC.<\/p>\n\n\n\n The LMQTT Client can be directly controlled by monitoring the runtime values of the Data Block. To start a connection, bring the \u201cconnect\u201d input on the Client high and wait for the block to connect.<\/p>\n\n\n\n The status of the block can be seen by monitoring the \u201coutput > diagnostics > status\u201d tag. A tag value of 16#7004 indicates a successful connection.<\/p>\n\n\n\n The publish\/subscribe\/unsubscribe signals are level-triggered, and only a single command is allowed to be active at any given moment, or else an error will occur.<\/p>\n\n\n\n A message can be published to a topic by setting the topic, populating the byte array and setting the data length, and setting the \u201cpublish\u201d control signal. Any MQTT client subscribed to the same topic and connected to the AWS Endpoint will be able to see your published message.<\/p>\n\n\n\n Note: An additional guide accompanying the LMQTT library is the <\/em>Cloud connection \u2013 simple and secure with SIMATIC S7-1200\/S7-1500 – ID: 109772284 – Industry Siemens Support<\/em><\/a> by Siemens, which provides more detail about configuring an AWS broker and setting up the PLC project from scratch.<\/em><\/p>\n\n\n\n This is most likely caused by an incorrect connection parameter or improper network configuration on the PLC. Some steps to try to remedy this error:<\/p>\n\n\n\n The DNS server might not be properly configured. This will prevent the PLC from resolving the Endpoint. DNS servers can be configured in the PLC \u201cProperties > Advanced Configuration\u201d menu. The DNS addresses can be your router gateway or a trusted server such as Google (8.8.8.8).<\/p>\n\n\n\n A connection loop is a sign that the certificate authentication or AWS policy is configured incorrectly. Ensure that the certificate is set up properly and that the Client block is not attempting to connect with a denied Publish topic for the Will topic for the active AWS Policy.<\/p>\n\n\n\n There are many free downloadable MQTT clients that can be set up on your computer, such as MQTTx or MQTT Explorer.<\/p>\n\n\n\n Although the setup process is more complex than traditional methods, secure MQTT communications from a PLC to the cloud can allow remote communications that would cause security risks with traditional methods. At its core, MQTT is a secure and lightweight protocol that is versatile and can suit the needs of hobbyists and industry alike.<\/p>\n\n\n\n Ready to take your Automation<\/a> project to the next level? Contact us today<\/a> to learn more about our solutions and how we can help you achieve your goals.<\/strong><\/p>\n","protected":false},"excerpt":{"rendered":" As technology advances and security standards improve, clients in the automation industry are transitioning to newer communications standards for both future-proofing and improved plant security.\u00a0This blog covers the implementation of the MQTT standard, which is known for being simple, secure, and lightweight, with the AWS IoT Core service and the Siemens LMQTT library. The primary […]<\/p>\n","protected":false},"author":350,"featured_media":40428,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[731,757],"tags":[],"class_list":["post-40387","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-manufacturing-automation-intelligence","category-siemens-plc"],"yoast_head":"Creating a Thing<\/h3>\n\n\n\n
![\"creating](\"https:\/\/cdn.dmcinfo.com\/wp-content\/uploads\/2025\/12\/18153420\/creating-a-thing1-1024x482.png\")
<\/figure>\n\n\n\nCreating a Policy<\/h3>\n\n\n\n
![\"Creating](\"https:\/\/cdn.dmcinfo.com\/wp-content\/uploads\/2025\/12\/18153501\/creating-a-policy2-1024x684.png\")
<\/figure>\n\n\n\nCreating your Certificates<\/h3>\n\n\n\n
![\"creating](\"https:\/\/cdn.dmcinfo.com\/wp-content\/uploads\/2025\/12\/18153547\/creating-certificates3.png\")
<\/figure>\n\n\n\nConfiguring the Siemens PLC<\/h2>\n\n\n\n
Adding the Library to the Project<\/h3>\n\n\n\n
![\"Adding](\"https:\/\/cdn.dmcinfo.com\/wp-content\/uploads\/2025\/12\/17102448\/adding-the-library-to-the-project.png\")
<\/figure>\n\n\n\n![\"library](\"https:\/\/cdn.dmcinfo.com\/wp-content\/uploads\/2025\/12\/17162841\/library-block.png\")
<\/figure>\n\n\n\nCreating a Data Block<\/em><\/h3>\n\n\n\n
![\"creating](\"https:\/\/cdn.dmcinfo.com\/wp-content\/uploads\/2025\/12\/17163026\/creating-a-data-block.png\")
<\/figure>\n\n\n\n\n
![\"dbMQTT\"](\"https:\/\/cdn.dmcinfo.com\/wp-content\/uploads\/2025\/12\/17163122\/dbmqtt.png\")
<\/figure>\n\n\n\nConfiguring Connection Parameters<\/em><\/h3>\n\n\n\n
![\"Configuring](\"https:\/\/cdn.dmcinfo.com\/wp-content\/uploads\/2025\/12\/17163241\/configuring-connection-parameters.png\")
<\/figure>\n\n\n\n\n
![\"Configuration](\"https:\/\/cdn.dmcinfo.com\/wp-content\/uploads\/2025\/12\/17163353\/configuration-notes.png\")
<\/figure>\n\n\n\n\n
Connecting the LMQTT Client Function Block<\/em><\/h3>\n\n\n\n
![\"connecting](\"https:\/\/cdn.dmcinfo.com\/wp-content\/uploads\/2025\/12\/17163518\/connecting-the-lmgtt-client-function-block.png\")
<\/figure>\n\n\n\nEnabling Project Security & Importing Certificates<\/h3>\n\n\n\n
![\"certificate](\"https:\/\/cdn.dmcinfo.com\/wp-content\/uploads\/2025\/12\/17163731\/certificate-manager.png\")
<\/figure>\n\n\n\n![\"Root](\"https:\/\/cdn.dmcinfo.com\/wp-content\/uploads\/2025\/12\/18152548\/root-certificates12-777x1024.png\")
<\/figure>\n\n\n\n\n
\n
![\"trusted](\"https:\/\/cdn.dmcinfo.com\/wp-content\/uploads\/2025\/12\/18152637\/trusted-certificates13.png\")
<\/figure>\n\n\n\nOperation of LMQTT Client<\/h2>\n\n\n\n
Troubleshooting Common Errors<\/h2>\n\n\n\n
The LMQTT Client is timing out when trying to connect<\/h3>\n\n\n\n
\n
![\"AWS](\"https:\/\/cdn.dmcinfo.com\/wp-content\/uploads\/2025\/12\/18152908\/aws-iot-data-endpoint14-1024x415.png\")
<\/figure>\n\n\n\n\n
![\"profinet](\"https:\/\/cdn.dmcinfo.com\/wp-content\/uploads\/2025\/12\/18153006\/profient-interface15.png\")
<\/figure>\n\n\n\n![\"advanced](\"https:\/\/cdn.dmcinfo.com\/wp-content\/uploads\/2025\/12\/18153105\/advanced-configuration16-1024x217.png\")
<\/figure>\n\n\n\nThe LMQTT Client is stuck in a reconnection loop<\/h3>\n\n\n\n
I want to test my MQTT connection without the PLC<\/h3>\n\n\n\n
Conclusion<\/h2>\n\n\n\n