Overview:
MQTT Distributor can be enabled to use TLS for encryption of the communication between MQTT clients. This is useful if MQTT Distributor is used on a public network. Since MQTT communications are not encrypted by default, enabling TLS is highly recommended on a public network. There are two ways this can be done. The first is to use a certificate signed by a publicly trusted certificate authority (CA). While there are nominal costs associated with this, it is the proper and recommended way to go if communicating over the Internet. Alternatively, it is possible to create and use a self-signed certificate. This is useful for debugging and development. However, it is not recommended in production scenarios over the Internet. It is, however, a viable option if utilizing a private network in which encryption is a requirement.
...
...
Creating a Self-Signed Certificate: Coming Soon...
Creating your own CA, intermediate CA, and generating your own signed certificates can be done in the following three steps using some open source tooling. Note that creating an intermediate CA is not explicitly required but is recommended if you will be using self-signed certs in a private network in production. If this is simply for development, that step can be skipped and the root CA can be used to sign server certificates. Again, using self-signed certs in production over the Internet is not recommended.
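The three steps above, worked through with the openssl command line, as an added example that is not Cirrus Link's tooling and not part of the original page: a root CA, an intermediate CA signed by it (with pathlen:0 so it cannot issue further CAs), and a server certificate signed by the intermediate. The chain file is named ca-chain.cert.pem as in the text; the CN values, the host name mqtt.example.internal and the other file names are assumptions made for this demonstration. The two check functions at the end show why the full chain, and not only the root, has to reach the clients: verification with the root alone fails.

```shell
#!/bin/sh
# Added example (not Cirrus Link tooling): the three steps of a private PKI for
# MQTT Distributor done with the openssl CLI: root CA, intermediate CA signed by
# it, and a server certificate signed by the intermediate. The chain file is
# named ca-chain.cert.pem as in the text above; all other names (CN values,
# the host mqtt.example.internal, key/cert file names) are constructed here.
set -eu

# Step 1: root CA. Self-signed via x509 -signkey so the extensions come only
# from our own file (CA:TRUE, key usage limited to signing certs and CRLs).
make_root_ca() {
  openssl req -new -newkey rsa:2048 -nodes -keyout root.key.pem \
    -out root.csr.pem -subj "/CN=Example Private Root CA" 2>/dev/null
  printf '%s\n' 'basicConstraints=critical,CA:TRUE' \
    'keyUsage=critical,keyCertSign,cRLSign' \
    'subjectKeyIdentifier=hash' > root.ext
  openssl x509 -req -days 3650 -in root.csr.pem -signkey root.key.pem \
    -extfile root.ext -out root.cert.pem 2>/dev/null
}

# Step 2: intermediate CA, signed by the root. pathlen:0 lets it sign server
# certificates but not further CAs, so a leaked intermediate key does less harm.
make_intermediate_ca() {
  openssl req -new -newkey rsa:2048 -nodes -keyout intermediate.key.pem \
    -out intermediate.csr.pem -subj "/CN=Example Private Intermediate CA" 2>/dev/null
  printf '%s\n' 'basicConstraints=critical,CA:TRUE,pathlen:0' \
    'keyUsage=critical,keyCertSign,cRLSign' \
    'subjectKeyIdentifier=hash' 'authorityKeyIdentifier=keyid,issuer' > intermediate.ext
  openssl x509 -req -days 1825 -in intermediate.csr.pem \
    -CA root.cert.pem -CAkey root.key.pem -CAcreateserial \
    -extfile intermediate.ext -out intermediate.cert.pem 2>/dev/null
  # The chain clients must be given: intermediate first, then root.
  cat intermediate.cert.pem root.cert.pem > ca-chain.cert.pem
}

# Step 3: server certificate for the broker host, signed by the intermediate.
# The SAN must match the host name clients put in the broker URL.
make_server_cert() {
  host="$1"
  openssl req -new -newkey rsa:2048 -nodes -keyout server.key.pem \
    -out server.csr.pem -subj "/CN=$host" 2>/dev/null
  printf '%s\n' 'basicConstraints=CA:FALSE' \
    'keyUsage=critical,digitalSignature,keyEncipherment' \
    'extendedKeyUsage=serverAuth' "subjectAltName=DNS:$host" > server.ext
  openssl x509 -req -days 397 -in server.csr.pem \
    -CA intermediate.cert.pem -CAkey intermediate.key.pem -CAcreateserial \
    -extfile server.ext -out server.cert.pem 2>/dev/null
}

# Run all three steps inside DIR (subshell, so the caller's cwd is untouched).
make_pki() {
  mkdir -p "$1"
  ( cd "$1" && make_root_ca && make_intermediate_ca && make_server_cert "$2" )
}

# 0 when the server cert verifies against the full chain, which is what a
# client configured with ca-chain.cert.pem (or root.ca.pem in MQTT Engine) sees.
verify_with_chain() {
  ( cd "$1" && openssl verify -CAfile ca-chain.cert.pem server.cert.pem >/dev/null 2>&1 )
}

# 0 when verification with the root ALONE fails: the "unable to get local
# issuer certificate" error a client gets if it was given only the root CA.
root_alone_is_insufficient() {
  if ( cd "$1" && openssl verify -CAfile root.cert.pem server.cert.pem >/dev/null 2>&1 ); then
    return 1
  fi
  return 0
}

# Stand-alone run: build a throwaway PKI and report both checks.
demo_dir=$(mktemp -d)
make_pki "$demo_dir" mqtt.example.internal
verify_with_chain "$demo_dir" && echo "server cert verifies against ca-chain.cert.pem"
root_alone_is_insufficient "$demo_dir" && echo "root CA alone is not enough: intermediate required"
echo "files written to $demo_dir"
```

For development you can drop the intermediate step and sign the server CSR with root.key.pem directly, in which case the file to hand to clients is root.cert.pem rather than ca-chain.cert.pem. Keep root.key.pem off the broker host; MQTT Distributor only needs server.key.pem, server.cert.pem and the chain.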
Using the Certificate to Secure Communication with MQTT Distributor:
...
You will now be asked to specify a password for the keypair. At this point MQTT Distributor does not support passwords on individual keypairs. It does support passwords on the overall keystore. We'll add this in later. So, for now, leave the two password fields blank and click OK.
If your CA also requires an intermediate certificate you must also import that as a trusted certificate. That is done by clicking the red certificate icon shown below. If you are using a self-signed certificate, you also need to complete this step using your own CA's public certificate:
Select your trusted certificate as shown below and click ok:
You will be asked to verify the public certificate's details. They will look similar to the following depending on the CA. Double check the information and select OK:
You should now see something similar to the following:
requires that the Key Pair passwords match the overall Keystore password. So, make sure you note this password because we'll need to use it as the overall keystore password as well.
At this point, you can save your keystore and specify a keystore password. Do so by clicking the save icon in the upper left menu:
You will now be prompted for a password. Provide the same secure password you used for the public/private keypair earlier.
Finally, give it a name and location on the filesystem and click Save:
At this point, the Java keystore simply needs to be set in MQTT Distributor's configuration. Do so by browsing to the Ignition Gateway Web UI and selecting the Configure tab. Then select MQTT Distributor settings on the left side menu as shown below.
Find the 'TLS Setting' section of the General Settings tab as shown below.
Make sure the 'Enable TLS' is checked. Select the 'Java Keystore File' 'Browse' button and then browse to the Java Keystore file you created above. Enter the Keystore password and then click Save Changes.
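The keystore steps above done without a GUI, as an added example that is not Cirrus Link's or Ignition's own tooling: openssl bundles the server certificate and key as PKCS#12, keytool imports that as the key pair entry and adds the CA certificate as a trusted certificate entry, and, because MQTT Distributor requires the key pair password to match the keystore password, the same password is used for both. The alias names, file names and the password "changeit-demo" are assumptions for this demonstration; the stand-alone run at the bottom uses a self-signed certificate as a stand-in for the server certificate and CA certificate you actually have.

```shell
#!/bin/sh
# Added example (not Cirrus Link's or Ignition's own tooling): build the Java
# keystore that the 'Java Keystore File' setting expects from the command line
# with openssl and keytool, mirroring the GUI steps above: one key pair entry
# plus one trusted certificate entry. The alias names, file names and the
# password "changeit-demo" are constructed for this demonstration.
set -eu

# $1 = server certificate (PEM), $2 = its private key (PEM), $3 = CA
# certificate to trust (intermediate or your own CA), $4 = keystore to write,
# $5 = password. MQTT Distributor requires the key pair password to match the
# keystore password, so the same value goes to -deststorepass and -destkeypass.
build_distributor_keystore() {
  cert="$1"; key="$2"; ca="$3"; out="$4"; pass="$5"
  # keytool cannot import a PEM private key directly: bundle it as PKCS#12 first.
  openssl pkcs12 -export -in "$cert" -inkey "$key" -name mqtt-distributor \
    -passout "pass:$pass" -out "$out.p12"
  rm -f "$out"
  keytool -importkeystore -noprompt \
    -srckeystore "$out.p12" -srcstoretype PKCS12 -srcstorepass "$pass" \
    -srcalias mqtt-distributor -destkeystore "$out" -deststoretype JKS \
    -deststorepass "$pass" -destkeypass "$pass" -destalias mqtt-distributor
  # Trusted certificate entry for the CA, the equivalent of the red certificate icon step.
  keytool -importcert -noprompt -trustcacerts -alias trusted-ca \
    -file "$ca" -keystore "$out" -storepass "$pass"
  rm -f "$out.p12"
}

# Number of entries of a given type ("PrivateKeyEntry" or "trustedCertEntry").
count_entries() {
  keytool -list -keystore "$1" -storepass "$2" | grep -c "$3" || true
}

# Stand-alone run (skipped when keytool is not installed).
if command -v keytool >/dev/null 2>&1; then
  d=$(mktemp -d)
  # Constructed stand-in: a self-signed certificate acting as both server cert and CA.
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -keyout "$d/server.key.pem" \
    -out "$d/server.cert.pem" -subj "/CN=mqtt.example.internal" 2>/dev/null
  build_distributor_keystore "$d/server.cert.pem" "$d/server.key.pem" \
    "$d/server.cert.pem" "$d/distributor.jks" changeit-demo
  keytool -list -keystore "$d/distributor.jks" -storepass changeit-demo
fi
```

The resulting distributor.jks is what you browse to in the 'Java Keystore File' field, with the same password entered as the Keystore password. Pick a real password rather than the demo value, and keep the .p12 intermediate file (removed here) off shared storage, since it carries the private key.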
At this point, all MQTT clients can now connect over TLS enabled connections. Note the new port of 8883. If using a certificate signed by a publicly trusted CA and the OS with the MQTT client supports that specific CA, the clients don't have to make any modifications to their list of trusted root certificates. If using a self-signed certificate there are a couple options:
Note if your certificate also requires an intermediate certificate, this must also be added to the MQTT client so the full chain of trust can be established.
Using the Certificate to Secure Communication with MQTT Engine or MQTT Transmission:
In MQTT Engine or Transmission, there may be a need to specify the TLS components for the client configuration. Certificates signed by a trusted CA that do not require an intermediate cert need no special configuration other than changing the form of the URL. The form should be as follows:
An example is here:
If the trusted CA you purchased your certificate from requires an intermediate certificate, or if you created a self-signed certificate, you will need to specify the CA certificate chain in the configuration. If you received your certificate from a trusted CA and they require an intermediate certificate, it will be provided by the CA. If you followed the tutorial above for a self-signed certificate and also created an intermediate CA, it will be the file called 'ca-chain.cert.pem'. If you simply created a CA without an intermediate cert, it will be the public CA certificate. Once you've identified the CA certificate chain based on these descriptions, copy it to a file called 'root.ca.pem' on your development system. Note this filename change is important and required. Upload the file via the configuration as shown here and click Save Changes:
Once the settings are saved, the MQTT client associated with MQTT Engine or MQTT Transmission will connect using TLS.