NOTE: The procedure below is only applicable when running pre-3.4.7 modules. Manually configuring MQTT Distributor to consume a Java keystore is supported and will work properly when running pre-3.4.7 modules, but it is no longer the recommended process for encrypting MQTT communication. If possible, please upgrade to modules version 3.4.7 or higher and follow the default workflow to secure MQTT communication.
Whether you are using a certificate issued by a trusted CA (Certificate Authority) or a self-signed certificate, internally MQTT Distributor accesses these certificates via the Java keyStore file that it is configured to use. This keyStore must contain the public certificate, the private key, and possibly an intermediate certificate if applicable. If you've already SSL enabled your Ignition web server then you have all of the required certificates already contained inside of Ignition's keystore. However, you must convert Ignition's keystore (of type PKCS #12) to a keystore of type JKS so it can be used by MQTT Distributor. Follow the steps below to do this conversion.
Convert Keystore
Locate Ignition's Keystore
Locate Ignition's keystore in <ignition_install_dir>/webserver/ssl.pfx
Import Ignition's Keystore
Launch Keystore Explorer and create a new keystore of type JKS.
Import Ignition's keystore by choosing to 'import a key pair' of type PKCS #12
Use the password 'ignition' to decrypt Ignition's keystore and click Import. Next, click OK to reuse the existing keypair alias.
Give the new key pair a password of 'ignition' (or whatever you want). Click OK to complete import.
Save the Converted Keystore
Save the keystore and give it the same password provided in the step above. Give the keystore file a name with the extension '.jks'
Next, MQTT Distributor must be configured to use the newly created Java keystore (JKS). Following the steps here to configure MQTT Distributor.
Additional Resources
- Inductive Automation's Ignition download with free trial
- Azure Injector download with free trial
- Questions about this tutorial?
- Sales questions
- About Cirrus Link