Contents
Cirrus Link Resources
Chariot MQTT Server v1 (previous version)
Cirrus Link Modules for Ignition
Contact Us (Sales/Support)
Forum
This document describes how to configure Server and Client authentication when setting secure (SSL) connections between Chariot, MQTT Engine and MQTT Transmission.
As a first step, we need to generate certificates for Chariot, MQTT Engine and MQTT Transmission. Let’s create the following directory tree to work with:
├── ca/
│ ├── engine
│ ├── server
│ └── transmission
└── certs/
├── engine
├── server
└── transmission
Here is a summary of what needs to be done here:
Generate Client (i.e. MQTT Engine) certificate signed with the Engine CA’s private key
The Root CA is the highest level of authority in the certificate hierarchy, and is responsible for issuing CA certificates to lower-level CAs, such as the Server CA and Client CAs. When the Root CA issues a CA certificate to a lower-level CA, it signs the certificate with its private key, which allows clients to verify the authenticity of the CA certificate using the Root CA's public key.
The Server CA and Client CA, in turn, use their own private keys to sign SSL certificates for servers and clients, respectively. These SSL certificates can then be verified by clients using the CA certificate issued by the Root CA.
So, in summary, the Root CA should sign the CA certificates for both the Server CA and Client CA, while the Server CA and Client CA themselves are responsible for signing SSL certificates for servers and clients, respectively.
Generate a private key file (ca.key) for the Root CA using the command below. You will be required to enter a pass phrase to be associated with the ca.key file
openssl genrsa -des3 -out ca/ca.key 2048
Generate a self-signed certificate (ca.crt) for the Root CA using the command below. This command generates a new self-signed X.509 certificate named "ca.crt" valid for 3650 days (10 years) using the RSA private key "ca.key" and you will be required to enter teh pass phrase created earlier.
openssl req -new -x509 -key ca/ca.key -days 3650 -out ca/ca.crt
There are a number of fields associated with the creation of the certificate. The required fields are:
Country Name (2 letter code) []:
State or Province Name (full name) []:
Locality Name (eg, city) []:
Organization Name (eg, company) []:
Organizational Unit Name (eg, section) []: We set this to CA
Common Name (eg, fully qualified host name) [] We set this to the FQDN of the Chariot server
Email Address []: