The Chariot® MQTT Server can be enabled to use SSL/TLS to allow secure communication with the Chariot Web UI (HTTPS) as well as secure communication between MQTT clients (MQTTS).
| Self-signed certificates should not be used in a production environment on a public network. |
The first step in setting up SSL/TLS is obtaining the necessary files to provide to the Chariot MQTT Server. There are three files that need to be uploaded to the Chariot MQTT Server in order to setup SSL/TLS communication.
See here for more information on obtaining a signed Certificate.
Once these files are obtained, log into the Chariot MQTT Server Web UI and navigate to the Configuration → System page as shown below:
An "SSL Not Setup" indicator at the top should show that SSL/TLS has not yet been set up. If this indicator says "SSL Setup", you may need to first delete any existing Certificates before setting up a new one, see here for instructions. Click on either the indicator or the Certificates tab to navigate to the following page:
Use the right side links to upload the three required files.
Once the three files have been successfully uploaded, click the "Setup SSL" button on the bottom right.
You should now see the SSL Certificate details along with the name of the files that were uploaded. SSL has now been setup.
MQTT Chariot will always attempt to authenticate incoming client connections, even when using certificate based authentication, and must be configured to allow anonymous connections.
To enable anonymous connections, navigate to the Configuration → MQTT Server → Configuration tab and set Allow Anonymous
By default, an anonymous client connection will be allowed to publish and subscribe on # unless the Anonymous MQTT Credentials has been selected.
This will allow you to select any of the configured MQTT Credentials, configured under Configuration → MQTT Credentials, and MQTT Chariot will use the Publish and Subscribe ACLs for that MQTT Credential for all anonymous connections.
| A Password will need to be configured for this MQTT Credential but will not be used by MQTT Chariot |
In order to remove an SSL Certificate, navigate to the Configuration → System → Certificates tab where the SSL Certificate details are displayed. The "Delete SSL" button on the bottom right can be clicked to completely remove the SSL Certificates and keys that were previously uploaded to setup SSL. This will revert the Chariot MQTT Server to a pre-setup state as shown below:
The first step to securing MQTT communication is to get a certificate from a CA. There are many available such as Verisign, Thawte and RapidSSL. There are also a number of other certificate authorities available. The general process is as follows:
Creating your own CA, intermediate CA, and generating your own signed certificates can be done following the three steps below using some open source tooling. Note creating an Intermediate CA is not explicitly required, but is recommended if you will be using self-signed certs in a private network in production. If this is simply for development that step can be skipped and the root CA can be used to sign server certificates. Again, using self-signed certs in production over the Internet is not recommended.