Whether you are using a certificate issued by a trusted CA or a self-signed certificate, internally MQTT Distributor accesses these certificate(s) via the Java KeyStore file that it is configured to use. This KeyStore must contain the public certificate, the private key, and possibly an intermediate certificate if applicable. 

Creating the Keystore using Keystore Explorer

There are many ways to create a Java KeyStore.  In this example, we'll show how it can be done using KeyStore Explorer.  It can run on Windows, OSX, or any other OS that can run Java.  It provides an easy to use graphical interface for creating and manipulating Java KeyStores.  After installing KeyStore Explorer, open it and you should see something similar to the following.  It may ask you to modify some of your Java Security settings before starting.  If so, follow the instructions it provides.  Select 'Create a new KeyStore'

Select a 'JKS' as the type as shown below.

Pull the required components into the KeyStore starting with the public/private KeyPair.  This is the public certificate and the private key that we originally generated.  Click the 'Import Key Pair' icon from the KeyStore Explorer menu (the icon with two keys and a blue downward arrow).

Select OpenSSL as the type and click OK:

Browse to the key and certificate files as shown below and click import:

Now you will be asked to specify the alias.  You can leave this as the default.  It will reflect the Common Name that was specified during the CSR generation and the CA:

You will now be asked to specify a password for the KeyPair.  At this point MQTT Distributor requires that the Key Pair passwords match the overall KeyStore password.  So, make sure you note this password because we'll need to use it as the overall KeyStore password as well.  Note: Use of a Key Pair password is a constraint of the JKS file and therefore a requirement in the configuration of TLS.

At this point, you can save your KeyStore and specify a KeyStore password.  Do so by clicking the save icon in the upper left menu:

You will now be prompted for a password.  Provide the same secure password you used for the public/private KeyPair earlier.  Note: Use of a Key Pair/KeyStore password is a constraint of the JKS file and therefore a requirement in the configuration of TLS.

Finally, give it a name and location on the filesystem and click Save:

Private Key Pair Generation

If you prefer TLS connection over private networks you may instead generate your own Private Key Pair.  Launch KeyStore Explorer and select 'Create a new KeyStore' of the type 'JKS', then [ OK].  In the background of the Untitled-1 page right click and select 'Generate Key Pair' as below:

Configuring MQTT Distributor to use a Keystore

Use your browser and login to your Central Gateway (Distributor) and under Config → MQTT Distributor → Settings page under the General Tab load this cert.jks file.  Uncheck the box to Enable the plain TCP connection and check the box under TLS Settings to Enable the TLS port(s).  Don't forget to enter the Password in the box just above the Java KeyStore File portion. (Leave the KeyStore Explorer application window up since you'll need to Export and generate a root.ca.pem file for Transmission and Engine.  See Generate rootca.pem file below.)

In the MQTT Distributor Settings change the configuration for TLS communication from TCP to SSL.  Upload the cert.jks file created above and enter the password.