Setup PKI for the MQTT Broker
3 minute read
If you want to use MQTT over TLS (MQTTS) or Secure Web Socket (WSS) you need to setup a Public Key Infrastructure (PKI).
Read the blog article about secure communication in IoT to learn more about encryption and certificates.
Structure overview
The Public Key Infrastructure for HiveMQ consists of two Java Key Stores (JKS):
- Keystore: The Keystore contains the HiveMQ certificate and private keys. This store must be confidential, since anyone with access to it could generate valid client certificates and read or send messages in your MQTT infrastructure.
- Truststore: The Truststore contains all the clients public certificates. HiveMQ uses it to verify the authenticity of the connections.
Before you begin
You need to have the following tools installed:
- OpenSSL. If you are using Windows, you can install it with Chocolatey.
- Java
Create a Keystore
Open a terminal and run the following command:
keytool -genkey -keyalg RSA -alias hivemq -keystore hivemq.jks -storepass <password> -validity <days> -keysize 4096 -dname "CN=united-manufacturing-hub-mqtt" -ext "SAN=IP:127.0.0.1"
Replace the following placeholders:
<password>: The password for the keystore. You can use any password you want.<days>: The number of days the certificate should be valid.
The command runs for a few minutes and generates a file named hivemq.jks in
the current directory, which contains the HiveMQ certificate and private key.
If you want to explore the contents of the keystore, you can use Keystore Explorer.
Generate client certificates
Open a terminal and create a directory for the client certificates:
mkdir pki
Follow these steps for each client you want to generate a certificate for.
Create a new key pair:
openssl req -new -x509 -newkey rsa:4096 -keyout "pki/<servicename>-key.pem" -out "pki/<servicename>-cert.pem" -nodes -days <days> -subj "/CN=<servicename>"Convert the certificate to the correct format:
openssl x509 -outform der -in "pki/<servicename>-cert.pem" -out "pki/<servicename>.crt"Import the certificate into the Truststore:
keytool -import -file "pki/<servicename>.crt" -alias "<servicename>" -keystore hivemq-trust-store.jks -storepass <password>
Replace the following placeholders:
<servicename>with the name of the client. Use the service name from the Network > Services tab in UMHLens / OpenLens.<days>with the number of days the certificate should be valid.<password>with the password for the Truststore. You can use any password you want.
Import the PKI into the United Manufacturing Hub
First you need to encode in base64 the Keystore, the Truststore and all the PEM files. Use the following script to encode everything automatically:
Get-ChildItem .\ -Recurse -Include *.jks,*.pem | ForEach-Object {
$FileContent = Get-Content $_ -Raw
$fileContentInBytes = [System.Text.Encoding]::UTF8.GetBytes($FileContent)
$fileContentEncoded = [System.Convert]::ToBase64String($fileContentInBytes)
$fileContentEncoded > $_".b64"
Write-Host $_".b64 File Encoded Successfully!"
}
find ./ -regex '.*\.jks\|.*\.pem' -exec openssl base64 -A -in {} -out {}.b64 \;
You could also do it manually with the following command:
openssl base64 -A -in <filename> -out <filename>.b64
Now you can import the PKI into the United Manufacturing Hub. To do so, create
a file named pki.yaml with the following content:
_000_commonConfig:
infrastructure:
mqtt:
tls:
keystoreBase64: <content of hivemq.jks.b64>
keystorePassword: <password>
truststoreBase64: <content of hivemq-trust-store.jks.b64>
truststorePassword: <password>
<servicename>.cert: <content of <servicename>-cert.pem.b64>
<servicename>.key: <content of <servicename>-key.pem.b64>
Now, send copy it to your instance with the following command:
scp pki.yaml <username>@<ip-address>:/tmp
After that, access the instance with SSH and run the following command:
sudo $(which helm) upgrade -f /tmp/pki.yaml united-manufacturing-hub united-manufacturing-hub/united-manufacturing-hub -n united-manufacturing-hub --reuse-values --version $(sudo $(which helm) get metadata united-manufacturing-hub -n united-manufacturing-hub --kubeconfig /etc/rancher/k3s/k3s.yaml -o json | jq '.version') --kubeconfig /etc/rancher/k3s/k3s.yaml
What’s next
- Learn more about HiveMQ’s TLS configuration in the HiveMQ documentation.