Part I – Securing connection from remote device to Thingworx platform
The goal of this first part is to set up a certificate authority (CA) and sign the certificates used to authenticate MQTT clients. At the end of this part the MQTT broker will only accept clients that present a valid certificate.
A note on terminology: TLS (Transport Layer Security) is the new name for SSL (Secure Sockets Layer).
The certificates will be generated with openssl (check whether your distribution has already installed it).
Demonstrations will be done with the open source MQTT broker, mosquitto. To install, use the apt-get command:
$ sudo apt-get install mosquitto
$ sudo apt-get install mosquitto-clients
NOTE: This procedure assumes all the steps will be performed on the same system.
1. Set up a protected workspace
Warning: the keys for the certificates are not protected with a password. Create and use a directory that other users cannot access.
$ mkdir myCA
$ chmod 700 myCA
$ cd myCA
2. Set up a CA and generate the server certificates
Download and run the generate-CA.sh script to create the certificate authority (CA) files, generate the server certificates and sign them with the CA.
NOTE: Open the script and customize it as needed.
To obtain the corresponding certificates and key for my server (named ubuntu), use the following syntax:
And run the following command:
This first part establishes a secure connection from a remote thing to the MQTT broker. In the next part we will restrict this connection to TLS 1.2 clients only and allow WebSocket connections.
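As an added example covering steps 1 and 2 above (this is not the page's generate-CA.sh script), the following POSIX shell script builds the CA, a server certificate and one client certificate with openssl, and writes a mosquitto listener configuration that rejects any client without a CA-signed certificate. The directory myCA and the server name ubuntu follow the page; the client name thing01 and the CA subject are assumptions.

```shell
#!/bin/sh
# Added example, not the page's generate-CA.sh script: build a private CA, a
# server certificate and one client certificate with openssl, then write a
# mosquitto listener config that accepts only clients presenting a CA-signed
# certificate. Directory "myCA" and server name "ubuntu" follow the page; the
# client name "thing01" and the CA subject are assumptions.
set -eu

make_ca_and_certs() {
  dir="$1"; host="$2"; client="$3"
  mkdir -p "$dir" && chmod 700 "$dir"   # keys below are unencrypted: keep them private
  # 1. CA key and self-signed CA certificate
  openssl genrsa -out "$dir/ca.key" 2048 2>/dev/null
  openssl req -x509 -new -key "$dir/ca.key" -sha256 -days 3650 \
      -subj "/CN=Demo MQTT CA" -out "$dir/ca.crt"
  # 2. Server key + CSR, signed by the CA; the SAN must match the hostname clients connect to
  openssl genrsa -out "$dir/$host.key" 2048 2>/dev/null
  openssl req -new -key "$dir/$host.key" -subj "/CN=$host" -out "$dir/$host.csr"
  printf 'subjectAltName=DNS:%s\n' "$host" > "$dir/server.ext"
  openssl x509 -req -in "$dir/$host.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
      -CAcreateserial -days 825 -sha256 -extfile "$dir/server.ext" -out "$dir/$host.crt" 2>/dev/null
  # 3. Client key + CSR, signed by the same CA; its CN becomes the MQTT username
  openssl genrsa -out "$dir/$client.key" 2048 2>/dev/null
  openssl req -new -key "$dir/$client.key" -subj "/CN=$client" -out "$dir/$client.csr"
  openssl x509 -req -in "$dir/$client.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
      -CAcreateserial -days 825 -sha256 -out "$dir/$client.crt" 2>/dev/null
  # 4. Listener config: TLS on 8883, client certificate mandatory, CN used as username
  cat > "$dir/mosquitto-tls.conf" <<EOF
listener 8883
cafile $dir/ca.crt
certfile $dir/$host.crt
keyfile $dir/$host.key
require_certificate true
use_identity_as_username true
EOF
}

# Returns 0 only if the certificate chains to our CA, which is what the broker
# checks before accepting a client; a certificate from any other issuer fails.
verify_against_ca() { openssl verify -CAfile "$1/ca.crt" "$1/$2" >/dev/null 2>&1; }

# Stand-alone run (sh script.sh run): create everything under ./myCA and check both leaf certificates
if [ "${1:-}" = "run" ]; then
  make_ca_and_certs myCA ubuntu thing01
  verify_against_ca myCA ubuntu.crt && verify_against_ca myCA thing01.crt && echo "certificates OK"
fi
```

Start the broker with `mosquitto -c myCA/mosquitto-tls.conf` and test from a client with `mosquitto_pub -h ubuntu -p 8883 --cafile myCA/ca.crt --cert myCA/thing01.crt --key myCA/thing01.key -t test -m hello`; omitting --cert and --key makes the broker refuse the connection.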