CDP Studio Documentation 5.0.0

TLS Certificate Setup

Why Encryption?

When using MQTT over insecure networks (such as the Internet) or for transmitting sensitive data, encryption should always be used. With TLS (Transport Layer Security) encryption, devices identify themselves by their private keys using certificates. These certificates are issued by Certificate Authorities (CA).

Note: Encryption adds some latency to the message flow and causes additional CPU load, so using encryption can make communication with some devices with limited processing power much slower.

If a third-party MQTT broker is used, consult the corresponding broker manual for how to generate the TLS keys and how to obtain certificates for the MQTT client(s).

Note: The following examples assume you have OpenSSL software installed on your computer.

Self-signed TLS CA Key Generation

When using the CDP built-in broker, you can create a self-signed CA key and all other needed keys and certificates yourself.

A Certificate Authority (CA) RSA key file (named, for example, "localhost-ca.key") and a self-signed certificate file (named, for example, "localhost-ca.crt" and valid for, for example, 365 days) can be created with the commands:

> openssl genrsa -out localhost-ca.key 2048
> openssl req -new -x509 -days 365 -key localhost-ca.key -out localhost-ca.crt

Broker TLS Key and CA Signed Certificate

A broker key (named, for example, "localhost.key") and a certificate request (named "localhost.csr") for that key can be created with the commands:

> openssl genrsa -out localhost.key 2048
> openssl req -new -out localhost.csr -key localhost.key

Using the previously generated self-signed CA key, a broker certificate (named "localhost.crt" and valid for 364 days) can be created with the command:

> openssl x509 -req -in localhost.csr -CA localhost-ca.crt -CAkey localhost-ca.key -CAcreateserial -out localhost.crt -days 364

Optional MQTT Client TLS Key and Certificate

For client authentication, a client key (named "client.key") and a certificate request (named "client.csr") for that key can be created with the commands:

> openssl genrsa -out client.key 2048
> openssl req -new -out client.csr -key client.key

Using the self-signed CA key, a client access certificate (named "client.crt", valid for 364 days) can be created with the command:

> openssl x509 -req -in client.csr -CA localhost-ca.crt -CAkey localhost-ca.key -CAcreateserial -out client.crt -days 364

Note: These commands are further explained in OpenSSL documentation.
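
A check worth running on the generated files before they are configured, shown as an added example that is not part of the CDP documentation: it confirms that each private key belongs to its certificate, that the certificate was issued by the CA, and that it is not close to expiry. The function names, the "-subj" values and the 30-day default are assumptions; the file names follow the page.

```shell
#!/bin/sh
# Added example (not CDP code): check a certificate/key pair before configuring it.
# Function names and -subj values are assumptions; file names follow the page.

# check_pair CERT KEY CA [DAYS]: succeed only if KEY belongs to CERT, CERT was
# issued by CA, and CERT stays valid for at least DAYS more days (default 30).
check_pair() {
    cp_cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) ||
        { echo "FAIL: cannot read certificate $1"; return 1; }
    cp_key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) ||
        { echo "FAIL: cannot read private key $2"; return 1; }
    [ "$cp_cert_pub" = "$cp_key_pub" ] ||
        { echo "FAIL: $2 is not the private key for $1"; return 1; }
    openssl verify -CAfile "$3" "$1" >/dev/null 2>&1 ||
        { echo "FAIL: $1 was not issued by $3"; return 1; }
    openssl x509 -in "$1" -noout -checkend $(( ${4:-30} * 86400 )) >/dev/null ||
        { echo "FAIL: $1 expires within ${4:-30} days"; return 1; }
    echo "OK: $1"
}

# make_demo_chain DIR: build a throwaway CA, broker and client set with the
# page's commands; -subj (constructed names) only avoids the interactive prompts.
make_demo_chain() {
    ( cd "$1" &&
      openssl genrsa -out localhost-ca.key 2048 &&
      openssl req -new -x509 -days 365 -key localhost-ca.key \
          -out localhost-ca.crt -subj "/CN=Demo MQTT CA" &&
      for n in localhost client; do
          openssl genrsa -out "$n.key" 2048 &&
          openssl req -new -out "$n.csr" -key "$n.key" -subj "/CN=$n" &&
          openssl x509 -req -in "$n.csr" -CA localhost-ca.crt \
              -CAkey localhost-ca.key -CAcreateserial -out "$n.crt" -days 364 ||
              exit 1
      done ) >/dev/null 2>&1
}

# Constructed sample input: a demo chain in a temporary directory.
demo_dir=$(mktemp -d) && make_demo_chain "$demo_dir" &&
    check_pair "$demo_dir/localhost.crt" "$demo_dir/localhost.key" "$demo_dir/localhost-ca.crt" &&
    check_pair "$demo_dir/client.crt" "$demo_dir/client.key" "$demo_dir/localhost-ca.crt"
```

For real files, call check_pair with the broker or client certificate, its key and the CA certificate; a larger DAYS value gives earlier warning of the 364-day expiry.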

Setting Up TLS Certificates

With the keys and certificates generated, the broker and client must be configured to use them.

Set up MQTTClient to use the CA certificate and the optional client certificate:

  • Copy the CA certificate and the optional client key and certificate into the CDP application folder.
  • Add these files to the application project in CDP Studio by right-clicking the application name in Code mode and choosing "Add existing files...".
  • In "Configure" mode, choose MQTTClient and set its property TLSBrokerCACertFile to the CA certificate file name, and TLSClientCertFile and TLSClientKeyFile to the client certificate and key file names.

Set up MQTTBroker to use the CA certificate, broker key and broker certificate:

  • Copy the CA certificate, broker certificate and broker key file into the corresponding CDP application folder.
  • Add these files to the application project in CDP Studio by right-clicking the application name in Code mode and choosing "Add existing files...".
  • In "Configure" mode, choose MQTTBroker and set its property TLSCAFile to the CA certificate file name, and TLSCertFile and TLSKeyFile to the broker certificate and key file names.

CDP Technologies AS, www.cdpstudio.com
