ThingWorx WebSocket-based Edge MicroServer (WS EMS) and Lua Script Resource (LSR) > Configuring Secure Connections (SSL/TLS and FIPS Mode)
  
Configuring Secure Connections (SSL/TLS and FIPS Mode)
About SSL/TLS Certificates
SSL/TLS certificates are used for one of two purposes:
Establishing Trust — Trusted Certificate Authority (CA) certificates are used to verify other certificates. They are typically found on a client that is attempting to establish an SSL/TLS connection with a server. For the WS EMS, this means storing in its home directory a valid certificate of the Certificate Authority (CA) that issued the certificate of the ThingWorx platform instance (the "server") with which the WS EMS communicates.
Establishing Identity — Identity certificates with private keys communicate the unique identity of an SSL/TLS peer. They are typically used to prove the identity of a server to a client. When a server requires client authentication, Identity certificates are also required on the client; in that case the Trusted Certificate Authority certificate is also required on the server (the ThingWorx platform instance).
The requirements for products acting as clients (such as WS EMS) or as servers (such as a ThingWorx platform instance) in SSL/TLS connections are as follows:
A server must always have an Identity certificate. If the product acting as a server supports and is configured to use client authentication, the server additionally needs a Trusted Certificate Authority certificate with which to verify the client's Identity certificate.
A client must always have a Trusted Certificate Authority (CA) certificate; an example file name is SSLCACert.pem. If the product acting as a server supports and is configured to use client authentication, the client additionally needs an Identity certificate with its private key; example file names are SSLCert.pem for the certificate and SSLPrivKey.pem for the private key.
The WS EMS can validate certificates that have been signed using the following algorithms:
MD5
SHA-1
SHA-256 digest
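Before copying SSLCACert.pem, SSLCert.pem and SSLPrivKey.pem into the WS EMS home directory, it is worth confirming that the identity certificate actually chains to the CA file, that the private key belongs to that certificate, and which digest signed it (the list above accepts MD5 and SHA-1, neither of which is collision resistant any more). The Go program below is an added example written for this page, not code shipped with WS EMS or ThingWorx: it builds a constructed CA and server identity in memory (ECDSA P-256, signed with SHA-256) and then runs those three checks on them. The Report type, the CommonName thingworx.example.invalid and the assumption that the key file is an unencrypted PKCS#8 PEM are illustrative choices, not anything the page specifies.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Digest names for the signature algorithms the page says WS EMS can validate (MD5, SHA-1, SHA-256).
var digestOf = map[x509.SignatureAlgorithm]string{
	x509.MD5WithRSA: "MD5", x509.SHA1WithRSA: "SHA-1", x509.ECDSAWithSHA1: "SHA-1",
	x509.SHA256WithRSA: "SHA-256", x509.SHA256WithRSAPSS: "SHA-256", x509.ECDSAWithSHA256: "SHA-256",
}

// Report is the result of cross-checking one CA file, identity file and private key file.
type Report struct {
	Digest   string   // digest in the identity certificate's signature; "" if WS EMS cannot validate it
	Weak     bool     // MD5 or SHA-1: accepted by WS EMS, but no longer collision resistant
	ChainOK  bool     // identity certificate chains to the trusted CA file
	KeyMatch bool     // private key file belongs to the identity certificate
	Problems []string // human-readable findings
}

// CheckMaterial runs the checks an operator wants before placing the three PEM files in the WS EMS home directory.
func CheckMaterial(caPEM, certPEM, keyPEM []byte) Report {
	var r Report
	note := func(msg string) { r.Problems = append(r.Problems, msg) }
	der := func(b []byte) []byte { // DER of the first PEM block, nil if there is none
		if p, _ := pem.Decode(b); p != nil {
			return p.Bytes
		}
		return nil
	}
	cert, err := x509.ParseCertificate(der(certPEM))
	if err != nil {
		note("identity cert: " + err.Error())
		return r
	}
	r.Digest = digestOf[cert.SignatureAlgorithm]
	r.Weak = r.Digest == "MD5" || r.Digest == "SHA-1"
	roots := x509.NewCertPool()
	roots.AppendCertsFromPEM(caPEM) // an unparsable CA file leaves the pool empty, so Verify fails
	if _, err = cert.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}); err != nil {
		note("chain: " + err.Error())
	}
	r.ChainOK = err == nil
	key, _ := x509.ParsePKCS8PrivateKey(der(keyPEM)) // assumes an unencrypted PKCS#8 key file
	if signer, _ := key.(crypto.Signer); signer != nil {
		pub, ok := signer.Public().(interface{ Equal(crypto.PublicKey) bool })
		r.KeyMatch = ok && pub.Equal(cert.PublicKey)
	}
	if !r.KeyMatch {
		note("private key missing, unreadable, or not matching the identity certificate")
	}
	return r
}

// signPEM signs tmpl with issuerKey (issuer == tmpl for a self-signed CA) and PEM-encodes the result.
func signPEM(tmpl, issuer *x509.Certificate, pub crypto.PublicKey, issuerKey crypto.Signer) ([]byte, error) {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, issuer, pub, issuerKey)
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), err
}

// MakeTestMaterial builds constructed sample material (not issued by ThingWorx): an ECDSA P-256 CA plus a server identity and key it signed with SHA-256.
func MakeTestMaterial() (caPEM, leafPEM, keyPEM []byte, err error) {
	caKey, e1 := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	leafKey, e2 := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err = errors.Join(e1, e2); err != nil {
		return
	}
	now := time.Now()
	caTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Constructed Test CA"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	leafTmpl := &x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "thingworx.example.invalid"},
		DNSNames: []string{"thingworx.example.invalid"}, NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}}
	caPEM, e1 = signPEM(caTmpl, caTmpl, &caKey.PublicKey, caKey)
	leafPEM, e2 = signPEM(leafTmpl, caTmpl, &leafKey.PublicKey, caKey) // template as parent: no parsed CA needed
	pkcs8, e3 := x509.MarshalPKCS8PrivateKey(leafKey)
	keyPEM = pem.EncodeToMemory(&pem.Block{Type: "PRIVATE KEY", Bytes: pkcs8})
	return caPEM, leafPEM, keyPEM, errors.Join(e1, e2, e3)
}

func main() {
	caPEM, leafPEM, keyPEM, err := MakeTestMaterial()
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n", CheckMaterial(caPEM, leafPEM, keyPEM))
}
```

To run this against real files, read each with os.ReadFile and pass the bytes to CheckMaterial. A Report with ChainOK false means the CA file is not the issuer of the certificate you gave it, which is the trust misconfiguration described above; a Weak digest is accepted by WS EMS but is a reason to ask the CA for a SHA-256 reissue.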
Note: Always configure a secure HTTP server. Otherwise, the WS EMS and LSR log warning messages whenever SSL, authentication, or certificate validation is disabled, or when self-signed certificates are allowed.
As of release 5.4.0 of WS EMS, the distribution bundles for Linux and Windows provide either the OpenSSL libraries (v1.0.2L) or the axTLS library (v2.1.2). Only the OpenSSL distribution bundles provide the FIPS module (v2.0.2). If your environment requires FIPS, download the distribution bundle for your operating system and platform that has "openssl" in its name. For details about FIPS mode, see Configuring FIPS Mode.
Note: axTLS does not support FIPS mode, and it also does not support client authentication when it is used in a client-side application such as the WS EMS on an edge device. (The axTLS library does support client authentication when it is used in a server-side application.) If you want to use axTLS instead of OpenSSL, download the distribution bundle for your operating system and platform that has "axtls" in its name.