Versions Compared

Old Version 7

changes.mady.by.user Gill Houghton

Saved on

compared with

New Version Current

changes.mady.by.user Gill Houghton

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

Self-signed certificates can be used with Ignition and the Cirrus Link modules and they are useful for testing environments and non-public networks.  

Warning
Self-signed certificates should not be used in a production environment on a public network.

Ignition has made it simple to create a self-signed certificate through the Setup SSL / TLS wizard but there are additional steps needed to be able to use that certificate with the MQTT modules. 

Anchor
Ignition
Ignition
Ignition

Navigate to Config > NETWORKING > Web Server from the Ignition left hand menu bar and select Setup SSL / TLS

Select the option "I don't have all the items above" Complete the required fields highlighted in red.

Note
Set the Common Name to the 'mydomain' used in the URL for your MQTT Server connection which is in the format ssl://mydomain.com:8883. The MQTT modules use the certificate Common Name to validate the chain of trust for the certificate. For example if you are connecting to ssl://localhost:8883, the Common Name should be set to 'localhost'.

Select the Show advanced properties checkbox and then the Install Self-Signed Certificate button

You will be warned of a Potential Security Risk and will need to Accept the Risk and Continue 

Ignition will now show that you have successfully transitioned to self-signed certificate and that SSL /TLS is enabled.

Anchor
Certificate
Certificate
Extract CA Certificate from ssl.pfx file

To allow the MQTT modules to validate the chain of trust for the self-signed certificate, you will need to upload the CA Certificate to each module.

First you will need to extract the CA Certificate chain from ssl.pfx file created in the webserver directory of your installed Ignition system

Run the following command from the webserver directory to generate a .pem file. Note : this command will create a file named "cert.pem"

Code Block
openssl pkcs12 -in ssl.pfx -nokeys -clcerts -nodes -passin pass:ignition | openssl x509 -out cert.pem



Anchor
MQTTModules
MQTTModules
MQTT Modules

Anchor
uploadcerts
uploadcerts
Upload Certificate

Now you will need to upload this .pem certificate for each of the MQTT Engine and MQTT Transmission modules. Navigate to the Servers > Certificates section for each module and select Create New Certificate.

Browse to your cert.pem file to upload, configure a friendly name and Save Changes.

Anchor
ConfigureDistributor
ConfigureDistributor
Configure MQTT Distributor to use SSL/TLS

Enable SSL/TLS for MQTT Distributor by selecting the "Enable TLS" configuration setting under TLS Setting section for MQTT Distributor.

Click Save to confirm the configuration update.

Anchor
ConfigEngineandTransmission
ConfigEngineandTransmission
Configure MQTT Engine and MQTT Transmission to use SSL/TLS

For MQTT Engine and MQTT Transmission to connect to Distributor over SSL/TLS you will need to update each Server configuration.

For each module, navigate to the Servers Settings Main section and update the URL for your environment.

Note
The mydomain for the URL should match the Common Name for your self-signed certificate

Navigate to the TLS section and select your certificate file as the CA Certificate File. Click Save to confirm the configuration update.

MQTT Engine and Transmission should now show connected to Distributor over SSL/TLS.