You are viewing an old version of this page. View the current version.

Compare with Current View Page History

Version 1 Next »

This document describes how to configure Server and Client authentication when setting secure (SSL) connections between Chariot, MQTT Engine and MQTT Transmission.

Generating Certificates and Keys

As a first step, we need to generate certificates for Chariot, MQTT Engine and MQTT Transmission. Let’s create the following directory tree to work with:

├── ca/
│  ├── engine
│   ├── server
│   └── transmission
└── certs/
    ├── engine
    ├── server
    └── transmission

Here is a summary of what needs to be done here:

  • Generate CA certificate chain
    • Generate Root CA certificate signed with the Root CA
    • Generate Server (i.e. Chariot) CA certificate signed with the Root CA
    • Generate Client (i.e. MQTT Engine and Transmission) CA certificate signed with the Root CA
  • Generate Server (i.e. Chariot) certificate signed with Server CA private key
  • Generate Client (i.e. MQTT Engine) certificate signed with the Engine CA’s private key
  • Generate Client (i.e. MQTT Transmission) certificate signed with Transmission CA’s private key

Generating CA Certificates

The Root CA is the highest level of authority in the certificate hierarchy, and is responsible for issuing CA certificates to lower-level CAs, such as the Server CA and Client CAs. When the Root CA issues a CA certificate to a lower-level CA, it signs the certificate with its private key, which allows clients to verify the authenticity of the CA certificate using the Root CA's public key.

The Server CA and Client CA, in turn, use their own private keys to sign SSL certificates for servers and clients, respectively. These SSL certificates can then be verified by clients using the CA certificate issued by the Root CA.

So, in summary, the Root CA should sign the CA certificates for both the Server CA and Client CA, while the Server CA and Client CA themselves are responsible for signing SSL certificates for servers and clients, respectively.

Generate Root CA

  1. Generate a private key file (ca.key) for the Root CA using the command below :
openssl genrsa -des3 -out ca/ca.key 2048


  • No labels

New to MQTT? Start Here!