Note

AUTOSOL does not provide this information for use as a source of security advice or best practices.  The use of these examples is done at your own discretion and risk and with agreement that you will be solely responsible for any damage to your computer system or loss of data that results from such activities.

Instructions for creating key pairs and certificates for use with AUTOSOL Edge products. Prerequisite:

OpenSSL is installed and in your system PATH.

For Debian Linux, you can check whether openssl is installed and on your PATH with the which command:

$ which openssl
/usr/bin/openssl

The expected output is the path where openssl is installed, as in the example above. If openssl is not installed, which prints nothing (and exits with a non-zero status). The most straightforward way to install openssl on Debian is through the package manager:

sudo apt-get update && sudo apt-get install openssl

Once openssl is installed you can create your certificate chain.

How you create your certificate chain depends on your desired security posture. There are two options:

  1. TLS with Server Certificate Authentication

  2. TLS with Server and Client Certificate Authentication

Steps for Creating Certificates for Server Authentication

For this option, the server (the broker) authenticates to the client with a certificate during the TLS handshake. The client does not authenticate to the broker with a certificate, but may do so by other means (username/password, etc.).

...

Code Block
openssl req -new -x509 -days 3650 -extensions v3_ca -key ca.key -out ca.pem -subj "/C=US/ST=Texas/O=THIS_COMPANY INC/CN=John Smith/emailAddress=name@company.com" -outform PEM

Create the key pair (server.key) used by your broker.

...

In this example, you will need to substitute 255.255.255.255 with the IP or hostname of your broker for TLS verification to work correctly.

Code Block
openssl req -out server.csr -key server.key -new -subj "/C=US/ST=Texas/O=THIS_COMPANY INC/CN=255.255.255.255/emailAddress=name@company.com" -outform PEM
Info

The server certificate's CN field should match the hostname or IP of the MQTT broker. Note that many current TLS implementations match the address they connected to against the certificate's subjectAltName extension rather than the CN, so a certificate that carries the broker address only in its CN may be rejected by such clients; adding the address as a subjectAltName entry when the request is signed avoids this.

...

Code Block
openssl x509 -req -in server.csr -CA ca.pem -CAkey ca.key -CAcreateserial -out server.pem -days 3650 -outform PEM
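The whole procedure in one script, as an added example that is not part of the AUTOSOL page or product: it creates the CA key pair, the broker key pair, the request and the CA-signed server certificate as above, and goes beyond the page in two ways. It writes the broker address into subjectAltName as well as CN when signing, and it can also issue a client key pair and certificate for option 2 (server and client certificate authentication). The subject values, the broker address 255.255.255.255 and the client name eacm-node-01 are placeholders; the v3_ca section is taken from the default openssl.cnf, as in the page's own command.

```shell
#!/bin/sh
# Added example, not AUTOSOL's script. Builds the CA, server and (optionally)
# client key pairs and certificates used for TLS between eACM and an MQTT
# broker. All subject values and addresses below are placeholders.
set -eu

SUBJ_BASE="/C=US/ST=Texas/O=THIS_COMPANY INC"

# make_chain DIR BROKER [client]
#   DIR     output directory
#   BROKER  hostname or IP address the broker is reached at
#   client  literal word; also issue client.key / client.pem (option 2)
make_chain() {
    dir=$1; broker=$2; want_client=${3:-}
    mkdir -p "$dir"

    # A subjectAltName entry must state whether it is a DNS name or an IP
    # literal; anything that is not only digits and dots is treated as a name.
    case $broker in
        *[!0-9.]*) san="DNS:$broker" ;;
        *)         san="IP:$broker" ;;
    esac

    # 1. CA key pair and self-signed CA certificate. Keep ca.key off the
    #    broker: whoever holds it can mint certificates every client trusts.
    openssl genrsa -out "$dir/ca.key" 4096 2>/dev/null
    chmod 600 "$dir/ca.key"
    openssl req -new -x509 -days 3650 -extensions v3_ca -key "$dir/ca.key" \
        -out "$dir/ca.pem" -subj "$SUBJ_BASE/CN=THIS_COMPANY Edge CA" -outform PEM

    # 2. Broker key pair and certificate request; CN carries the broker address.
    openssl genrsa -out "$dir/server.key" 2048 2>/dev/null
    chmod 600 "$dir/server.key"
    openssl req -new -key "$dir/server.key" -out "$dir/server.csr" \
        -subj "$SUBJ_BASE/CN=$broker" -outform PEM

    # 3. Sign the request with the CA. The -extfile adds what a CN-only
    #    certificate lacks: the address in subjectAltName (what current TLS
    #    stacks match against), a serverAuth EKU and CA:FALSE.
    printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature,keyEncipherment\nextendedKeyUsage=serverAuth\nsubjectAltName=%s\n' \
        "$san" > "$dir/server.ext"
    openssl x509 -req -in "$dir/server.csr" -CA "$dir/ca.pem" -CAkey "$dir/ca.key" \
        -CAcreateserial -days 3650 -extfile "$dir/server.ext" \
        -out "$dir/server.pem" -outform PEM 2>/dev/null

    # 4. Option 2 only: a client certificate the broker can require.
    if [ "$want_client" = client ]; then
        openssl genrsa -out "$dir/client.key" 2048 2>/dev/null
        chmod 600 "$dir/client.key"
        openssl req -new -key "$dir/client.key" -out "$dir/client.csr" \
            -subj "$SUBJ_BASE/CN=eacm-node-01" -outform PEM
        printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature\nextendedKeyUsage=clientAuth\n' \
            > "$dir/client.ext"
        openssl x509 -req -in "$dir/client.csr" -CA "$dir/ca.pem" -CAkey "$dir/ca.key" \
            -CAcreateserial -days 3650 -extfile "$dir/client.ext" \
            -out "$dir/client.pem" -outform PEM 2>/dev/null
    fi
}

# verify_chain DIR BROKER
# Checks server.pem the way a TLS client does: it must chain to ca.pem, and
# the name or IP the client dialled must appear in the certificate.
verify_chain() {
    dir=$1; broker=$2
    case $broker in
        *[!0-9.]*) openssl verify -CAfile "$dir/ca.pem" -verify_hostname "$broker" "$dir/server.pem" >/dev/null 2>&1 ;;
        *)         openssl verify -CAfile "$dir/ca.pem" -verify_ip "$broker" "$dir/server.pem" >/dev/null 2>&1 ;;
    esac
}

# Example run: "sh make-certs.sh run" leaves ca.pem, server.key, server.pem,
# client.key and client.pem in ./certs and checks the server certificate.
if [ "${1:-}" = run ]; then
    make_chain ./certs 255.255.255.255 client
    verify_chain ./certs 255.255.255.255 && echo "server.pem verifies for 255.255.255.255"
fi
```

Running verify_chain with an address other than the one the certificate was issued for fails, which is the same failure the client will report if the broker address in its configuration does not match the certificate. For option 1 only ca.pem, server.key and server.pem are needed; for option 2 the client additionally gets client.key and client.pem, and the broker must be configured to require and verify client certificates against ca.pem.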

Configuration

You now have all the files required to configure your client and server (broker) for TLS authentication.

  1. You will need to provide ca.pem to both your client and server.

  2. You will need to provide server.key and server.pem to your server.

Client

In older versions of eACM, you must copy (scp) your ca.pem to the host where eACM is installed and reference the path to it in your TLS Settings object (MQTT app) or the Broker 1/2 tab of your Node object (Edge Manager). Assign ca.pem to the CA File property of the object.

In newer versions of eACM, you can upload your ca.pem using the TLS Settings object form or Node object form. Assign ca.pem to the CA File property of the object.

Server (Broker)

The broker configuration will be different for each broker. Example for mosquitto (option 1: the broker presents server.pem; because require_certificate is false the broker does not ask the client for a certificate, and clients are authenticated by the password file instead):

Code Block
per_listener_settings true

listener 8883
allow_anonymous false
require_certificate false
certfile C:\Users\myuser\Documents\certs\server.pem
keyfile C:\Users\myuser\Documents\certs\server.key
cafile C:\Users\myuser\Documents\certs\ca.pem
password_file C:\Users\myuser\Documents\mosquitto\user-passwd.txt