Application Server SSL certificates
Any customer Application Server needs to have a valid SSL certificate to create a secure HTTPS connection. The responsibility of retrieving the SSL certificate and keeping track of the validity is with the customer. The KPN LoRa server accepts SSL certificates from most major SSL certificate authorities.
If your Application Server does not have an SSL certificate, you can shop online for one. A paid version can be obtained at https://www.thesslstore.nl/ or https://www.sslcertificaten.nl/ for instance or you can use the limited free version of https://letsencrypt.org/. Which one you use is up to you.
When there is no certificate or if it is not valid, KPN will not forward the data. Tooling to test the validity of your SSL certificate can be found online, for example here.
Application Server authentication tokens
Within the application data stream an authentication token is used to validate authenticity of the data. This authentication token is calculated using SHA-256. The token is used to verify if the messages are sent from a valid source. The HTTPS POST request should contain a correctly calculated token. The recipient can confirm this token by recalculating the token with some information from the request and the shared secret LRC AS-Key. The LRC AS-Key is a configuration of the Application Server in ThingPark. Choosing a proper LRC AS-Key (and storing it safely on the customer Application Server) is the responsibility of the customer. There is an online tool available for generating an LRC AS-Key (for testing purposes) that has a sufficient Shannon entropy.
For the token verification, reference code is available on Github.