TLS Certificate Setup
Why Encryption?
When using MQTT over insecure networks (like the Internet) or for transmitting sensitive data, encryption should always be used. With TLS (Transport Layer Security) encryption, devices identify themselves with private keys and the certificates issued for them. These certificates are issued by Certificate Authorities (CA).
Note: Encryption adds some latency to the message flow and also causes additional CPU load, so using encryption can make communication with devices that have low processing power considerably slower.
If a third-party MQTT broker is used, please consult the corresponding broker manual for how to generate the TLS keys and how to obtain certificates for the MQTT client(s).
Note: The following examples assume you have OpenSSL software installed on your computer.
Self-signed TLS CA Key Generation
When using the CDP built-in broker, you can create the self-signed CA key and all other needed keys and certificates yourself.
A Certificate Authority (CA) RSA key file (named e.g. "localhost-ca.key") and a self-signed CA certificate file (named e.g. "localhost-ca.crt", valid for example 365 days) can be created with the commands:
> openssl genrsa -out localhost-ca.key 2048
> openssl req -new -x509 -days 365 -key localhost-ca.key -out localhost-ca.crt
Broker TLS Key and CA Signed Certificate
A broker key (named e.g. "localhost.key") and a certificate request (named "localhost.csr") for that key can be created with the commands:
> openssl genrsa -out localhost.key 2048
> openssl req -new -out localhost.csr -key localhost.key
Using the previously generated self-signed CA key, a broker certificate (named "localhost.crt", valid for 364 days) can be created with the command:
> openssl x509 -req -in localhost.csr -CA localhost-ca.crt -CAkey localhost-ca.key -CAcreateserial -out localhost.crt -days 364
Optional MQTT Client TLS Key and Certificate
For client authentication, a client key (named "client.key") and a certificate request (named "client.csr") for that key can be created with the commands:
> openssl genrsa -out client.key 2048
> openssl req -new -out client.csr -key client.key
Using the self-signed CA key, a client access certificate (named "client.crt", valid for 364 days) can be created with the command:
> openssl x509 -req -in client.csr -CA localhost-ca.crt -CAkey localhost-ca.key -CAcreateserial -out client.crt -days 364
Note: These commands are explained further in the OpenSSL documentation.
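The key and certificate generation steps above, collected into one non-interactive script with a verification step at the end. This is an added example, not CDP Studio's own code; it assumes OpenSSL 1.1.1 or newer, the broker host name "localhost" and the certificate subject names, and it additionally puts the broker host name into a subjectAltName so that clients can verify the broker they connect to.

```shell
#!/bin/sh
# Added example, not CDP Studio's code: creates the CA, broker and client
# material described above non-interactively and verifies the chain.
# Assumes OpenSSL 1.1.1+; host name "localhost" and subjects are assumptions.
set -eu

DAYS_CA=365
DAYS_LEAF=364
BROKER_HOST=localhost   # must match the host name MQTT clients connect to

# Create self-signed CA, broker key/certificate and client key/certificate in $1.
gen_mqtt_tls() (
    mkdir -p "$1"
    cd "$1"
    umask 077   # private keys are created readable by the owner only

    # Self-signed CA (same commands as above, with -subj to skip the prompts)
    openssl genrsa -out localhost-ca.key 2048 2>/dev/null
    openssl req -new -x509 -days "$DAYS_CA" -key localhost-ca.key \
        -subj "/CN=MQTT test CA" -out localhost-ca.crt

    # Broker key, CSR and CA-signed certificate; the subjectAltName lets
    # clients verify the broker host name instead of matching the CN only
    openssl genrsa -out localhost.key 2048 2>/dev/null
    openssl req -new -key localhost.key -subj "/CN=$BROKER_HOST" -out localhost.csr
    printf 'subjectAltName=DNS:%s\nextendedKeyUsage=serverAuth\n' "$BROKER_HOST" >broker-ext.cnf
    openssl x509 -req -in localhost.csr -CA localhost-ca.crt -CAkey localhost-ca.key \
        -CAcreateserial -days "$DAYS_LEAF" -extfile broker-ext.cnf -out localhost.crt 2>/dev/null

    # Client key, CSR and CA-signed certificate for client authentication
    openssl genrsa -out client.key 2048 2>/dev/null
    openssl req -new -key client.key -subj "/CN=mqtt-client-1" -out client.csr
    printf 'extendedKeyUsage=clientAuth\n' >client-ext.cnf
    openssl x509 -req -in client.csr -CA localhost-ca.crt -CAkey localhost-ca.key \
        -CAcreateserial -days "$DAYS_LEAF" -extfile client-ext.cnf -out client.crt 2>/dev/null

    chmod 644 localhost-ca.crt localhost.crt client.crt   # certificates are public
)

# Succeed only if both leaf certificates chain to the CA and the broker
# certificate carries the expected host name: run this before deploying.
verify_mqtt_tls() {
    openssl verify -CAfile "$1/localhost-ca.crt" "$1/localhost.crt" "$1/client.crt" >/dev/null &&
        openssl x509 -in "$1/localhost.crt" -noout -text | grep -q "DNS:$BROKER_HOST"
}

if [ -n "${1:-}" ]; then    # usage: sh gen-mqtt-tls.sh <output directory>
    gen_mqtt_tls "$1" && verify_mqtt_tls "$1" && echo "certificates in $1 verified"
fi
```

The private key files are written with owner-only permissions; copy them into the CDP application folder as described in the next section without loosening that.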
Setting Up TLS Certificates
With the keys and certificates generated, the broker and the client must be configured to use them.
Set up the MQTTClient to use the CA certificate and the optional client certificate:
- copy the CA certificate and the optional client key and certificate into the CDP application folder
- add these files to the application project in CDP Studio by right-clicking the application name in Code mode and choosing "Add existing files..."
- in Configure mode, select the MQTTClient and set its TLSBrokerCACertFile property to the CA certificate file name and, for client authentication, its TLSClientCertFile and TLSClientKeyFile properties to the client certificate and key file names.
Set up the MQTTBroker to use the CA certificate, the broker key and the broker certificate:
- copy the CA certificate, the broker certificate and the broker key file into the corresponding CDP application folder
- add these files to the application project in CDP Studio by right-clicking the application name in Code mode and choosing "Add existing files..."
- in Configure mode, select the MQTTBroker and set its TLSCAFile property to the CA certificate file name and its TLSCertFile and TLSKeyFile properties to the broker certificate and key file names.