NOTE: The procedure below is only applicable when running pre-4.0.4 modules. Manually configuring MQTT Distributor to consume a Java keystore is supported and will work properly when running pre-4.0.4 modules, but it is no longer the recommended process for encrypting MQTT communication. If possible, please upgrade to modules version 4.0.4 or higher and follow the default workflow to secure MQTT communication. 


Whether you are using a certificate issued by a trusted CA (Certificate Authority) or a self-signed certificate, internally MQTT Distributor accesses these certificates via the Java keyStore file that it is configured to use. This keyStore must contain the public certificate, the private key, and possibly an intermediate certificate if applicable. If you've already SSL enabled your Ignition web server then you have all of the required certificates already contained inside of Ignition's keystore. However, you must convert Ignition's keystore (of type PKCS #12) to a keystore of type JKS so it can be used by MQTT Distributor. Follow the steps below to do this conversion.

Convert Keystore

Locate Ignition's Keystore

Locate Ignition's keystore in <ignition_install_dir>/webserver/ssl.pfx

Import Ignition's Keystore

Launch Keystore Explorer and create a new keystore of type JKS.

Import Ignition's keystore by choosing to 'import a key pair' of type PKCS #12

Use the password 'ignition' to decrypt Ignition's keystore and click Import. Next, click OK to reuse the existing keypair alias.

Give the new key pair a password of 'ignition' (or whatever you want). Click OK to complete import.


Save the Converted Keystore

Save the keystore and give it the same password provided in the step above. Give the keystore file a name with the extension '.jks'

Configure Distributor to use Keystore

Next, MQTT Distributor must be configured to use the newly created Java keystore (JKS). Following the steps here to configure MQTT Distributor.

Additional Resources

  • No labels

New to MQTT? Start Here!