...

There are many ways to create a Java KeyStore. In this example, we'll show how it can be done using KeyStore Explorer. It runs on Windows, OSX, or any other OS that can run Java, and it provides an easy-to-use graphical interface for creating and manipulating Java KeyStores. KeyStore Explorer can create a keystore from an existing key pair (i.e., certificates) or generate a private key pair if desired. After installing KeyStore Explorer, open it and you should see something similar to the following. It may ask you to modify some of your Java Security settings before starting; if so, follow the instructions it provides.


Using an Existing Keypair

Select 'Create a new KeyStore', then select 'JKS' as the type as shown below.

...

Finally, give it a name and location on the filesystem and click Save:


Generate a Private Key Pair

...

If you prefer a TLS connection over private networks, you may instead generate your own private key pair. Launch KeyStore Explorer and select 'Create a new KeyStore' of the type 'JKS', then click OK. Right-click in the background of the Untitled-1 page and select 'Generate Key Pair' as below:

...

Use your browser to log in to your Central Gateway (Distributor). Under Config → MQTT Distributor → Settings, on the General tab, upload the cert.jks keystore file. Uncheck the box to Enable the plain TCP connection and check the box under TLS Settings to Enable the TLS port(s). Don't forget to enter the Password in the box just above the Java KeyStore File field. (Leave the KeyStore Explorer application window open, since you'll need to export and generate a rootca.pem file for Transmission and Engine. See Generate rootca.pem file below.)

In the MQTT Distributor Settings, change the configuration for TLS communication from TCP to SSL.  Upload the cert.jks keystore file created above and enter the password.

Generate rootca.pem file

Return to your KeyStore Explorer application and generate the necessary rootca.pem file. Save this file in the same location (by default) as your cert.jks file. Use the template below to upload this rootca.pem file to Transmission and Engine. (A password is not required on these pages.)


Save this rootca.pem file. It will be installed on both the Engine and Transmission modules so that they can connect securely via SSL to your Distributor (Ignition server).
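The same export step done programmatically, as an added example that is not part of the original page or of KeyStore Explorer: it opens cert.jks with its password, finds the private-key entry, checks that the top certificate of its chain is currently valid, and writes that certificate out as rootca.pem in PEM form. The file names, the alias handling and the placeholder password "changeit" are assumptions; replace the password with the one you set when saving the keystore.

```java
import java.io.FileInputStream;
import java.io.FileWriter;
import java.io.IOException;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Base64;
import java.util.Enumeration;

public class ExportRootCa {
    // Writes the root of the first private-key entry's chain to a PEM file.
    // Returns the alias that was exported, or null if the keystore holds no key entry.
    public static String exportRootCa(String jksPath, char[] password, String pemPath)
            throws GeneralSecurityException, IOException {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (FileInputStream in = new FileInputStream(jksPath)) {
            ks.load(in, password); // integrity check fails fast on a wrong password
        }
        for (Enumeration<String> aliases = ks.aliases(); aliases.hasMoreElements(); ) {
            String alias = aliases.nextElement();
            if (!ks.isKeyEntry(alias)) {
                continue; // trusted-certificate entries carry no private key
            }
            Certificate[] chain = ks.getCertificateChain(alias);
            // The last element of the chain is the root CA; for a self-signed
            // key pair generated in KeyStore Explorer it is the certificate itself.
            X509Certificate root = (X509Certificate) chain[chain.length - 1];
            root.checkValidity(); // throws if the CA certificate is expired or not yet valid
            try (FileWriter out = new FileWriter(pemPath)) {
                out.write("-----BEGIN CERTIFICATE-----\n");
                out.write(Base64.getMimeEncoder(64, "\n".getBytes())
                        .encodeToString(root.getEncoded()));
                out.write("\n-----END CERTIFICATE-----\n");
            }
            return alias;
        }
        return null;
    }

    public static void main(String[] args) throws Exception {
        // "changeit" is a placeholder password, not a value from the page
        String alias = exportRootCa("cert.jks", "changeit".toCharArray(), "rootca.pem");
        System.out.println(alias == null
                ? "no private-key entry found in cert.jks"
                : "wrote rootca.pem for alias " + alias);
    }
}
```

Because the clients only receive the root certificate and never the private key, the resulting rootca.pem is safe to copy to the Engine and Transmission hosts, while cert.jks and its password stay on the Distributor.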

At this point, all MQTT clients can connect over TLS-enabled connections. Note the new port of 8883. If using a certificate signed by a publicly trusted CA and the OS running the MQTT client trusts that specific CA, the clients don't have to make any modifications to their list of trusted root certificates. If using a self-signed certificate, there are a couple of options:

...