Contents
Cirrus Link Resources
Chariot MQTT Server v1 (previous version)
Cirrus Link Modules for Ignition
Contact Us (Sales/Support)
Forum
This document describes how to configure Server and Client authentication when setting secure (SSL) connections between Chariot, MQTT Engine and MQTT Transmission.
Table of Contents
As a first step, we need to generate certificates for Chariot, MQTT Engine and MQTT Transmission. Let’s create the following directory tree to work with:
...
Generate MQTT Engine Client certificate signed with the Engine CA’s private key
Anchor | ||||
---|---|---|---|---|
|
Anchor | ||||
---|---|---|---|---|
|
Generate a private key file (ca.key) for the Root CA using the command below. You will be required to enter a pass phrase to be associated with the ca.key file
Code Block | ||
---|---|---|
| ||
openssl genrsa -des3 -out ca/ca.key 2048 |
Generate a self-signed certificate (ca.crt) for the Root CA using the command below. This command generates a new self-signed X.509 certificate named "ca.crt" valid for 3650 days (10 years) using the RSA private key "ca.key". A "ca.srl" file will also be created containing the signed certificate's unique serial number. You will be required to enter the pass phrase associated with the private key file "ca.key".
Code Block | ||
---|---|---|
| ||
openssl req -new -x509 -key ca/ca.key -days 3650 -out ca/ca.crt |
Note |
---|
There are a number of fields associated with the creation of the certificate. The required fields are: Country Name (2 letter code) []: State or Province Name (full name) []: Locality Name (eg, city) []: Organization Name (eg, company) []: Organizational Unit Name (eg, section) []: We set this to CA Common Name (eg, fully qualified host name) [] We set this to the FQDN of the Chariot server Email Address []: |
Anchor | ||||
---|---|---|---|---|
|
Generate a private key file (serverCA.key) for the Server CA using the command below. You will be required to enter a pass phrase to be associated with the serverCA.key file.
Code Block | ||
---|---|---|
| ||
openssl genrsa -des3 -out ca/server/serverCA.key 2048 |
Generate a Certificate Signing Request (CSR) for the server CA using the command below. This command generates a new CSR named "serverCA.csr’ using the RSA private key "serverCA.key" and you will be required to enter the pass phrase created in the previous step.
Code Block | ||
---|---|---|
| ||
openssl req -new -key ca/server/serverCA.key -out ca/server/serverCA.csr |
Note |
---|
There are a number of fields associated with the creation of the certificate. The required fields are: Country Name (2 letter code) []: State or Province Name (full name) []: Locality Name (eg, city) []: Organization Name (eg, company) []: Organizational Unit Name (eg, section) []: We set this as Server CA Common Name (eg, fully qualified host name) []: We set this as the FQDN of the Chariot server Email Address []: Extra attributes to be sent with the certificate request are: A challenge password []: Any alpha-numeric phrase |
Sign the Server CA with the Root CA using the command below. This command will sign the CSR "serverCA.csr" with the Root CA certificate ‘ca.crt’ and RSA private key ‘ca.key’, creating a new X.509 certificate named ‘serverCA.crt’ valid for 3650 days (10 years). A "serverCA.srl" file will also be created containing the signed certificate's unique serial number. You will be required to enter the pass phrase associated with the private key file "ca.key".
Code Block | ||
---|---|---|
| ||
openssl x509 -req -in ca/server/serverCA.csr -CA ca/ca.crt -CAkey ca/ca.key -CAcreateserial -out ca/server/serverCA.crt -days 3650 |
Anchor | ||||
---|---|---|---|---|
|
Generate a private key file (engineCA.key) for MQTT Engine CA using the command below. You will be required to enter a pass phrase to be associated with the engineCA.key file.
Code Block | ||
---|---|---|
| ||
openssl genrsa -des3 -out ca/engine/engineCA.key 2048 |
Generate a Certificate Signing Request (CSR) for the MQTT Engine CA using the command below. This command generates a new CSR named "engineCA.csr’ using the RSA private key "engineCA.key" and you will be required to enter the pass phrase created in the previous step.
Code Block | ||
---|---|---|
| ||
openssl req -new -key ca/engine/engineCA.key -out ca/engine/engineCA.csr |
Note |
---|
There are a number of fields associated with the creation of the certificate. The required fields are: Country Name (2 letter code) []: State or Province Name (full name) []: Locality Name (eg, city) []: Organization Name (eg, company) []: Organizational Unit Name (eg, section) []: We set this as MQTT Engine CA Common Name (eg, fully qualified host name) []: We set this as the FQDN of the Chariot server Email Address []: Extra attributes to be sent with the certificate request are: A challenge password []: Any alpha-numeric phrase |
Sign the MQTT Engine CA with the Root CA using the command below. This command will sign the CSR "engineCA.csr" with the Root CA certificate ‘ca.crt’ and RSA private key ‘ca.key’, creating a new X.509 certificate named ‘engineCA.crt’ valid for 3650 days (10 years). An "engineCA.srl" file will also be created containing the signed certificate's unique serial number. You will be required to enter the pass phrase associated with the private key file "ca.key".
Code Block | ||
---|---|---|
| ||
openssl x509 -req -in ca/engine/engineCA.csr -CA ca/ca.crt -CAkey ca/ca.key -CAcreateserial -out ca/engine/engineCA.crt -days 3650 |
Anchor | ||||
---|---|---|---|---|
|
Generate a private key file (transmissionCA.key) for MQTT Transmission CA using the command below. You will be required to enter a pass phrase to be associated with the transmissionCA.key file.
Code Block | ||
---|---|---|
| ||
openssl genrsa -des3 -out ca/transmission/transmissionCA.key 2048 |
Generate a Certificate Signing Request (CSR) for the MQTT Transmission CA using the command below. This command generates a new CSR named "transmissionCA.csr’ using the RSA private key "transmissionCA.key" and you will be required to enter the pass phrase created in the previous step.
Code Block | ||
---|---|---|
| ||
openssl req -new -key ca/transmission/transmissionCA.key -out ca/transmission/transmissionCA.csr |
Note |
---|
There are a number of fields associated with the creation of the certificate. The required fields are: Country Name (2 letter code) []: State or Province Name (full name) []: Locality Name (eg, city) []: Organization Name (eg, company) []: Organizational Unit Name (eg, section) []: We set this as MQTT Transmission CA Common Name (eg, fully qualified host name) []: We set this as the FQDN of the Chariot server Email Address []: Extra attributes to be sent with the certificate request are: A challenge password []: Any alpha-numeric phrase |
Sign the MQTT Transmission CA with the Root CA using the command below. This command will sign the CSR "transmissionCA.csr" with the Root CA certificate ‘ca.crt’ and RSA private key ‘ca.key’, creating a new X.509 certificate named ‘transmissionCA.crt’ valid for 3650 days (10 years). An "transmissionCA.srl" file will also be created containing the signed certificate's unique serial number. You will be required to enter the pass phrase associated with the private key file "ca.key".
Code Block | ||
---|---|---|
| ||
openssl x509 -req -in ca/transmission/transmissionCA.csr -CA ca/ca.crt -CAkey ca/ca.key -CAcreateserial -out ca/transmission/transmissionCA.crt -days 3650 |
...
└── transmissionCA.srl
Anchor | ||||
---|---|---|---|---|
|
Generate private key in PKCS8 format (server.key) for the Chariot server using the command below.
Code Block | ||
---|---|---|
| ||
openssl genrsa -out certs/server/server.key 2048 |
******* Convert from PKCS8 format to PCKS1 until Chraiot supports PKCS8 format *********
Code Block | ||
---|---|---|
| ||
openssl rsa -in certs/server/server.key -traditional -out certs/server/server.keyopen |
Generate a Certificate Signing Request (CSR) for the Chariot server using the command below. This command generates a new CSR named "server.csr’ using the RSA private key "server.key".
Code Block | ||
---|---|---|
| ||
openssl req -new -key certs/server/server.key -out certs/server/server.csr |
Note |
---|
There are a number of fields associated with the creation of the certificate. The required fields are: Country Name (2 letter code) []: State or Province Name (full name) []: Locality Name (eg, city) []: Organization Name (eg, company) []: Organizational Unit Name (eg, section) []: We set this as Chariot Common Name (eg, fully qualified host name) []: We set this as the FQDN of the Chariot server Email Address []: Extra attributes to be sent with the certificate request are: A challenge password []: Any alpha-numeric phrase. |
Sign the Server CSR with the Server CA using the command below. This command will sign the CSR "server.csr" with the Server CA certificate ‘serverCA.crt’ and RSA private key ‘serverCA.key’, creating a new X.509 certificate named ‘serverCA.crt’ valid for 3650 days (10 years). You will be required to enter the pass phrase associated with the private key file "serverCA.key".
Code Block | ||
---|---|---|
| ||
openssl x509 -req -in certs/server/server.csr -CA ca/server/serverCA.crt -CAkey ca/server/serverCA.key -CAcreateserial -out certs/server/server.crt -days 365 |
Anchor | ||||
---|---|---|---|---|
|
Generate private key in PSCK8 format (engine.key) for MQTT Engine using the command below.
Code Block | ||
---|---|---|
| ||
openssl genrsa -out certs/engine/engine.key 2048 |
Generate a Certificate Signing Request (CSR) for MQTT Engine using the command below. This command generates a new CSR named "engine.csr’ using the RSA private key "engine.key".
Code Block | ||
---|---|---|
| ||
openssl req -new -key certs/engine/engine.key -out certs/engine/engine.csr |
Note |
---|
There are a number of fields associated with the creation of the certificate. The required fields are: Country Name (2 letter code) []: State or Province Name (full name) []: Locality Name (eg, city) []: Organization Name (eg, company) []: Organizational Unit Name (eg, section) []: We set this as MQTT Engine Common Name (eg, fully qualified host name) []: We set this as the FQDN of the Chariot server Email Address []: Extra attributes to be sent with the certificate request are: A challenge password []: Any alpha-numeric phrase. |
Sign the MQTT Engine Client CSR with the Engine CA using the command below. This command will sign the CSR "engine.csr" with the Engine CA certificate ‘engineCA.crt’ and RSA private key ‘engineCA.key’, creating a new X.509 certificate named ‘engineCA.crt’ valid for 3650 days (10 years). You will be required to enter the pass phrase associated with the private key file "engineCA.key".
Code Block | ||
---|---|---|
| ||
openssl x509 -req -in certs/engine/engine.csr -CA ca/engine/engineCA.crt -CAkey ca/engine/engineCA.key -CAcreateserial -out certs/engine/engine.crt -days 365 |
Anchor | ||||
---|---|---|---|---|
|
Generate private key in PKCS8 format (transmission.key) for MQTT Transmission using the command below.
Code Block | ||
---|---|---|
| ||
openssl genrsa -out certs/transmission/transmission.key 2048 |
Generate a Certificate Signing Request (CSR) for MQTT Transmission using the command below. This command generates a new CSR named "transmission.csr’ using the RSA private key "transmission.key".
Code Block | ||
---|---|---|
| ||
openssl req -new -key certs/transmission/transmission.key -out certs/transmission/transmission.csr |
Note |
---|
There are a number of fields associated with the creation of the certificate. The required fields are: Country Name (2 letter code) []: State or Province Name (full name) []: Locality Name (eg, city) []: Organization Name (eg, company) []: Organizational Unit Name (eg, section) []: We set this as MQTT Transmission Common Name (eg, fully qualified host name) []: We set this as the FQDN of the Chariot server Email Address []: Extra attributes to be sent with the certificate request are: A challenge password []: Any alpha-numeric phrase. |
Sign the MQTT Transmission Client CSR with the Transmission CA using the command below. This command will sign the CSR "transmission.csr" with the Transmission CA certificate ‘transmissionCA.crt’ and RSA private key ‘transmissionCA.key’, creating a new X.509 certificate named ‘transmissionCA.crt’ valid for 3650 days (10 years). You will be required to enter the pass phrase associated with the private key file "transmissionCA.key".
Code Block | ||
---|---|---|
| ||
openssl x509 -req -in certs/transmission/transmission.csr -CA ca/transmission/transmissionCA.crt -CAkey ca/transmission/transmissionCA.key -CAcreateserial -out certs/transmission/transmission.crt -days 365 |
...
└── transmission.key
Now we are ready to setup SSL connections between two clients (MQTT Engine and Transmission) and the Chariot Server. Here is a summary of what needs to be done:
Anchor | ||||
---|---|---|---|---|
|
Navigate to CONFIGURATION > System > Certificates configuration and upload the files as shown below. Once uploaded, select the Setup SSL button.
...
Navigate to CONFIGURATION > MQTT Server configuration and Enable Secure as shown below:
By default Chariot comes with an empty truststore file clientcerts.jks which is located in the <chariot_install_dir>/security folder.
...
Code Block | ||
---|---|---|
| ||
keytool -importcert -file engineCA.crt -keystore clientcerts.jks -alias engineca ** When prompted Trust this certificate? [no]: respond "yes"*** keytool -importcert -file transmissionCA.crt -keystore clientcerts.jks -alias transmissionca ** When prompted Trust this certificate? [no]: respond "yes"*** |
Once completed, viewing the file will now show two entries similar to below:
...
Tip |
---|
Keytool is part of the standard java distribution and is located in the bin sub-directory of your jdk installation directory. Chariot will always include a java distribution under the <chariot_install_dir>/lib/runtime |
Using a text editor, set the "clientAuthPolicy" to "required" in the <chariot_install_dir>/conf/com.cirruslink.chariot.server configurationfile.
...
Warning |
---|
You will now need to restart the Chariot service to pickup up the configuration changes |
Anchor | ||||
---|---|---|---|---|
|
Add the certificates to the MQTT Engine > Servers > Certificates configuration as shown below:
...
Configuration Parameter | Setting |
---|---|
URL | ssl://FQDN:8883 where the FQDN is the Common Name associated with the certificates |
CA Certificate File | ChariotCA_Certificate |
Client Certificate File | EngineCertificate |
Client Private Key File | EngineKey |
Anchor | ||||
---|---|---|---|---|
|
Add certificates to the MQTT Transmission > Servers > Certificates configuration as shown below:
...
You should see that both clients are connected
*** Verify If you do not see MQTT Transmission connected, verify that you have a Transmitter with a valid Sparkplug ID either through setting the Group and Edge Id ID or through the TagPath***
...