...
| Code Block |
|---|
openssl x509 -req -in server.csr -CA ca.pem -CAkey ca.key -CAcreateserial -out server.pem -days 3650 --outform PEM |
Configuration
You now have all the files required to configure your client and server (broker) for TLS authentication.
You will need to provide ca.pem to both your client and server.
You will need to provide server.key and server.pem to your server.
Client
In older versions of eACM, you must copy (scp) your ca.pem to the host where eACM is installed and reference the path to it in your TLS Settings object (MQTT app) or the Broker 1/2 tab of your Node object (Edge Manager). Assign ca.pem to the CA File property of the object.
In newer versions of eACM, you can upload your ca.pem using the TLS Settings object form or Node object form. Assign ca.pem to the CA File property of the object.
Server (Broker)
The broker configuration will be different for each broker. Example for mosquitto:
| Code Block |
|---|
per_listener_settings true log_dest file C:\Users\myuser\Documents\mosquitto\mosquitto.log log_type error log_type warning log_type notice log_type information log_timestamp true log_timestamp_format %Y-%m-%dT%H:%M:%S listener 8883 allow_anonymous false require_certificate false certfile C:\Users\myuser\Documents\certs\server.pem keyfile C:\Users\myuser\Documents\certs\server.key cafile C:\Users\myuser\Documents\certs\ca.pem password_file C:\Users\myuser\Documents\mosquitto\user-passwd.txt |
Steps for Creating Certificates for Client Authentication
...
If your broker is configured to authenticate based on the CN section of the Subject field, substitute MyMqttWidget MyEACM for something else that meaningfully identifies that particular MQTT client or its permissions role on the broker.
| Code Block |
|---|
openssl req -out client.csr -key client.key -new -subj "/C=US/ST=Texas/O=THIS_COMPANY INC/CN=MyMqttWidgetMyEACM/emailAddress=johnsmith@gmail.com" --outform PEM |
...
| Code Block |
|---|
openssl x509 -req -in client.csr -CA ca.pem -CAkey ca.key -CAcreateserial -out client.pem -days 3650 --outform PEM |
Configuration
You now have all the files required to configure your client and server (broker) for TLS authentication with both server authentication and client authentication.
You will need to provide ca.pem to both your client and server.
You will need to provide server.key and server.pem to your server.
You will need to provide client.key and client.pem to each client. The client will also need to be provided with the password used to encrypt its client.key.
Client
In older versions of eACM, you must copy (scp) your ca.pem, client.key and client.pem to the host where eACM is installed and reference the path to it in your TLS Settings object (MQTT app) or the Broker 1/2 tab of your Node object (Edge Manager).
In newer versions of eACM, you can upload your ca.pem, client.key and client.pem using the TLS Settings object form or Node object form.
Assign ca.pem to the CA File property of the object.
Assign client.key to the Client Private Key property of the object.
Assign client.pem to the Client Certificate property of the object.
Assign the password used to encrypt client.key to Private Key Password.
Server (Broker)
The broker configuration will be different for each broker. Example for mosquitto:
| Code Block |
|---|
per_listener_settings true log_dest file C:\Users\myuser\Documents\mosquitto\mosquitto.log log_type error log_type warning log_type notice log_type information log_timestamp true log_timestamp_format %Y-%m-%dT%H:%M:%S listener 8883 allow_anonymous false require_certificate true certfile C:\Users\myuser\Documents\certs\server.pem keyfile C:\Users\myuser\Documents\certs\server.key cafile C:\Users\myuser\Documents\certs\ca.pem use_identity_as_username true acl_file C:\Users\myuser\Documents\mosquitto\acl_8883.txt |
Where acl_8883.txt may contain by example:
| Code Block |
|---|
user MyEACM topic read STATE/+ topic readwrite spBv1.0/# user SparkplugViewer topic read STATE/+ topic read spBv1.0/# user HMI topic readwrite STATE/+ topic readwrite spBv1.0/# |