Certificates updated on 19 December 2019

The easiest way of working with TLS is buying a server certificate from a known, trusted Certificate Authority (CA).

But if you really want to work with self-created certificates, this guide can help you.

Steps to follow:

  • Install a tool to create certificates.

    • OpenSSL is one of the most used tools for this.

    • During this guide we will use "certmgr", a tool on top of OpenSSL.

    • Install the tool from here: (link)

  • When you start "certmgr":

    • a command window will open ...

    • a browser will open with management screens to create certificates.

  • Create Certificate Database

    • The first thing you need to do is create a new database for storing your certificates.

    • It is not really a database, it is just a new directory structure.

    • On Windows you can find the output under: C:\Users\xxx\.certmgr-db

    • For each new database, a sub directory will be created.

    • Choose RSA Certificates!

    • The name is not important.

    • When the database is created, you need to create the CA root certificate.

  • CA root certificate

    • Key Size: minimum 2018 bits

    • Signature: sha256

    • Days: for iOS, less than 825!

    • Other fields are not that important.

  • When the CA root is created, you can create the server certificate.

    • Click on "Create Certificate"

  • Server certificate

    • Key Size: minimum 2018 bits

    • Signature: sha256

    • Days: for iOS, less than 825!

    • The Common Name needs to be your domain name!

    • It does not need to be the name of the host where the broker is running, but the name that you use to access the broker!

    • The tool also copies that name automatically into the Subject Alternative Name; this is required because TLS clients match the host name against the Subject Alternative Name, not only the Common Name.

  • The output should look like this:

  • The following files are important:

    • ca.pem => CA root certificate

    • my.dns.com.pem => Server certificate

    • my.dns.com.key => Server private key

  • The names of the files will be different, but that does not matter.

    • The MQTT broker needs all three files!

    • The CA root certificate needs to be installed on your devices!

Install CA root certificate on iPhone:

Steps to follow:

  • Install the CA root certificate

    • Copy the CA root certificate to the iPhone via iCloud storage or another storage service (or just send it by mail).

    • Double-tap the certificate and follow the instructions.

    • Go to Settings > General > Profile > list of certificates.

    • Install the pending certificate.

  • Trust the CA root certificate

    • After installing the CA root certificate, the certificate needs to be activated.

    • Go to Settings > General > About > Certificate Trust Settings > find your CA root certificate and activate it.

Remark:

The install behavior can differ depending on the version of iOS.

Install CA root certificate on Android:

  • Make the CA root certificate available to the mobile device via a storage service or an SD card.

  • Double-tap the certificate and follow the instructions.

  • The certificate itself can be found at:

    • Settings > Personal: Security & Lock screen > Advanced: Credential storage > Trusted credentials > Users

  • If you use the Mosquitto broker:

    • Copy the three files to the configuration directory.

    • Change the configuration file like this:

  • This is just an example configuration file for the Mosquitto broker.

    • Remove listeners 1883 and 80 if you would like to support TLS only.
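An example mosquitto.conf written for this guide (it is not the certmgr tool's or Mosquitto's own sample file), using the three files from above; the directory /etc/mosquitto/certs/ is an assumption, 8883 is the standard MQTT-over-TLS port:

```conf
# Plain MQTT and plain websockets listeners.
# Delete both of these blocks if you want to support TLS only.
listener 1883

listener 80
protocol websockets

# MQTT over TLS on the standard port 8883.
listener 8883
# ca.pem: the CA root certificate created with certmgr (assumed copied to this directory)
cafile   /etc/mosquitto/certs/ca.pem
# my.dns.com.pem / my.dns.com.key: the server certificate and its private key
# (the Common Name / Subject Alternative Name must be the name clients connect to)
certfile /etc/mosquitto/certs/my.dns.com.pem
keyfile  /etc/mosquitto/certs/my.dns.com.key
# Only the broker presents a certificate; clients verify it against the CA root
# certificate they installed. Set to true only if clients should present one too.
require_certificate false
# Refuse legacy TLS versions; clients negotiate TLS 1.2 or newer.
tls_version tlsv1.2
```

The private key file must be readable only by the user Mosquitto runs as. From a client machine that has ca.pem, `openssl s_client -connect my.dns.com:8883 -CAfile ca.pem` should end with "Verify return code: 0 (ok)" if the chain and host name match.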

Convert certificates:
By default, the tool generates *.pem files.
You can use OpenSSL to convert these *.pem files to other formats.

Example: openssl x509 -outform der -in ca.pem -out ca.cer

Together with the installation of the tool, you now have OpenSSL as well.
On a Windows environment, the tool was installed at: C:\Windows\SysWOW64\certmgr
At that location you will find a sub directory for OpenSSL.

Add the full path to your environment variables and you can access OpenSSL from any location.

Copyright © 2017, IoT OnOff