...

Now we are ready to setup SSL connections between two clients (MQTT Engine and Transmission) and the Chariot Server. Here is a summary of what needs to be done:

• Server side configuration
• Enable SSL on Chariot and add server side certificates and keys (serverCA.crt, server.key, and server.crt)
• Add Clients CA certificates (engineCA.crt and transmissionCA.crt) to the Chariot truststore
• Set the ‘Clients Authentication Policy’ on Chariot to “required”
• Client side configuration
• Add the serverCA.crt, engine.key, and engine.crt to the ‘Chariot’ connection on the MQTT Engine side.
• Add the serverCA.crt, transmission.key, and transmission.crt to the ‘Chariot’ connection on the MQTT Transmission side. 

Anchor
ServerSide ServerSide

Server Side Configuration

Anchor
SetupSSLOnChariot SetupSSLOnChariot

Setup SSL on Chariot

Navigate to CONFIGURATION > System > Certificates configuration and upload the files as shown below. Once uploaded, select the Setup SSL button.

...

Navigate to CONFIGURATION > MQTT Server configuration and Enable Secure as shown below. Select the Update button to save the configuration.

Anchor
ChariotTruststore ChariotTruststore

Update Chariot Truststore

By default Chariot comes with an empty truststore file clientcerts.jks which is located in the <chariot_install_dir>/security folder.

...

Keystore type: PKCS12
Keystore provider: SUN

Your keystore contains 2 entries

Alias name: engineca
Creation date: Mar 1, 2023
Entry type: trustedCertEntry

Owner: EMAILADDRESS=ilya.binshtok@cirrus-link.com, CN=MacBook-Pro.local, OU=MQTT Engine CA, O=Cirrus Link, L=Overland Park, ST=Kansas, C=US
Issuer: EMAILADDRESS=ilya.binshtok@cirrus-link.com, CN=MacBook-Pro.local, OU=CA, O=Cirrus Link, L=Overland Park, ST=Kansas, C=US
Serial number: b1d46c8c88db5c8e
Valid from: Wed Mar 01 10:37:08 CST 2023 until: Sat Feb 26 10:37:08 CST 2033
Certificate fingerprints:
         SHA1: FE:3B:A0:A1:2D:AF:92:F3:A1:3C:8D:76:ED:8F:05:47:EE:A1:59:E2
         SHA256: 8C:43:80:B8:14:90:7D:EB:89:69:58:FA:76:29:3D:50:8F:3D:8F:7E:D5:8F:C9:7C:5B:97:0E:DC:0E:E8:D6:3A
Signature algorithm name: SHA256withRSA
Subject Public Key Algorithm: 2048-bit RSA key
Version: 1


*******************************************
*******************************************


Alias name: transmissionca
Creation date: Mar 1, 2023
Entry type: trustedCertEntry

Owner: EMAILADDRESS=ilya.binshtok@cirrus-link.com, CN=MacBook-Pro.local, OU=MQTT Transmission CA, O=Cirrus Link, L=Overland Park, ST=Kansas, C=US
Issuer: EMAILADDRESS=ilya.binshtok@cirrus-link.com, CN=MacBook-Pro.local, OU=CA, O=Cirrus Link, L=Overland Park, ST=Kansas, C=US
Serial number: b1d46c8c88db5c8f
Valid from: Wed Mar 01 16:50:36 CST 2023 until: Sat Feb 26 16:50:36 CST 2033
Certificate fingerprints:
         SHA1: 01:FD:41:DF:AE:CE:28:A4:16:F8:3E:66:E7:71:FE:88:2F:98:1B:86
         SHA256: 9F:BC:1D:10:43:9C:F7:BE:D6:07:58:E1:DD:9D:09:0E:0D:01:82:37:DC:8E:FA:9A:3B:46:1A:98:1E:52:39:AE
Signature algorithm name: SHA256withRSA
Subject Public Key Algorithm: 2048-bit RSA key
Version: 1


*******************************************
*******************************************

Anchor
ChariotAuthenticationPolicy ChariotAuthenticationPolicy

Update Chariot Clients Authentication Policy

Using a text editor, set the "clientAuthPolicy" to "required" in the <chariot_install_dir>/conf/com.cirruslink.chariot.server configurationfile.

...

Anchor
ClientSide ClientSide

Client Side Configuration

Anchor
MQTTEngineClientSide MQTTEngineClientSide

MQTT Engine Client Side Configuration

Add the certificates to the MQTT Engine > Servers > Certificates configuration as shown below:

...

Update the MQTT Engine > Servers > Settings configuration to use the certificates as shown below and setting the URL to be ssl://FQDN:8883 with the FQDN of the Chariot Server. Click the Save Changes button to save the configuration.

Anchor
MQTTTransmissionClientSide MQTTTransmissionClientSide

MQTT Transmission Client Side Configuration

Add certificates to the MQTT Transmission > Servers > Certificates configuration as shown below:

...

Update the MQTT Transmission > Servers > Settings configuration to use the certificates as shown below. Click the Save Changes button to save the configuration.

Anchor
VerifyConnectivity VerifyConnectivity

Verifying connectivity

Engine

From the left hand menu bar, navigate to Config > MQTT Engine > Servers and note the Status as Connected.

...