IoT OnOff®
Internet Of Things
Certificates updated on 19 December 2019
The easiest way of working with TLS is to buy a server certificate from a known, trusted Certificate Authority (CA).
But if you really want to work with self-created certificates, this guide can help you.
Steps to follow:
- Install a tool to create certificates.
- OpenSSL is one of the most used tools for this.
- During this guide we will use "certmgr", a tool built on top of OpenSSL.
- Install the tool from here: (link)
- When you start "certmgr":
  - a command window will open ...
  - a browser will open with the management screens used to create certificates.
Create Certificate Database
- The first thing you need to do is create a new database for storing your certificates.
- It is not really a database, it is just a new directory structure.
- On Windows you can find the output under: C:\Users\xxx\.certmgr-db
- For each new database, a sub directory will be created.
- Choose RSA Certificates!
- The name is not important.
- When the database is created, you need to create the CA root certificate.
CA root certificate
- Key Size: minimum 2048 bits
- Signature: SHA-256
- Days: for iOS, fewer than 825!
- Other fields are not that important.
- When the CA root is created, you can create the server certificate.
- Click on "Create Certificate".
Server certificate
- Key Size: minimum 2048 bits
- Signature: SHA-256
- Days: for iOS, fewer than 825! (iOS 13 and later reject TLS server certificates with a validity period longer than 825 days.)
- Common Name needs to be your domain name!
- It does not need to be the hostname of the machine where the broker is running, but the name that you use to access the broker: the client checks the name it connects to against the certificate.
- The tool also automatically copies that name into the Subject Alternative Name (SAN); this is required for TLS, because iOS 13 and later and current browsers match the hostname against the SAN and no longer accept the Common Name alone.
Output should look like this:
The following files are important:
- ca.pem => CA root certificate
- my.dns.com.pem => Server certificate
- my.dns.com.key => Server private key
The file names will be different, but that does not matter.
- The MQTT broker needs all three files!
- The CA root certificate needs to be installed on your devices! Only ca.pem goes to the devices; the server private key never leaves the broker.

Install CA root certificate on iPhone:
Steps to follow:
Install CA root certificate
Copy the CA root certificate to the iPhone via iCloud storage or another storage service (or just send it by mail).
Tap the certificate and follow the instructions.
Go to Settings > General > Profile > list of certificates.
Install the pending certificate.
Trust the CA root certificate
After installing the CA root certificate, it still needs to be activated; an installed root that is not trusted is not used for TLS.
Go to Settings > General > About > Certificate Trust Settings > find your CA root certificate and enable full trust for it.

Remark:
The installation steps can differ depending on the version of iOS.

Install CA root certificate on Android:
Make the CA root certificate available to the mobile device via a storage service or an SD card.
Tap the certificate and follow the instructions.

The certificate itself can be found at:
Settings > Personal: Security & Lock screen > Advanced: Credential storage > Trusted credentials > User

If you use the Mosquitto broker:
- Copy the three files to the configuration directory.
- Change the configuration file like this:
- This is just an example configuration file for the Mosquitto broker.
- Remove the listeners on 1883 and 80 if you want to support TLS only.
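The page's own configuration screenshot is not reproduced here. As an added example, not certmgr output and not the page's own configuration file, the POSIX shell script below builds the same three files with plain OpenSSL (RSA 2048, SHA-256, 820 days so the certificate stays under Apple's 825-day limit, the broker name copied from the Common Name into the SAN), writes a TLS-only Mosquitto listener that references them, and runs the checks worth doing before anything is copied to the broker. The broker name mqtt.example.test and the output directory are hypothetical script arguments.

```shell
#!/bin/sh
# Added example: CA root + server certificate with OpenSSL, plus a
# TLS-only mosquitto.conf. Not certmgr output; mqtt.example.test and
# the output directory are hypothetical placeholders.
set -eu

DAYS=820   # below Apple's 825-day ceiling for TLS server certificates

make_mqtt_certs() {
    out=$1      # output directory
    name=$2     # name clients use to reach the broker (CN and SAN)
    mkdir -p "$out"

    # 1. CA root: self-signed, RSA 2048, SHA-256. -nodes leaves the key
    #    unencrypted because the broker must read it unattended.
    openssl req -x509 -newkey rsa:2048 -sha256 -days "$DAYS" -nodes \
        -keyout "$out/ca.key" -out "$out/ca.pem" \
        -subj "/CN=Example MQTT Root CA"

    # 2. Server key and signing request; the CN is the broker name.
    openssl req -new -newkey rsa:2048 -sha256 -nodes \
        -keyout "$out/$name.key" -out "$out/$name.csr" \
        -subj "/CN=$name"

    # 3. Sign with the CA. The same name goes into subjectAltName, which
    #    iOS 13+ and current browsers check instead of the CN.
    printf 'subjectAltName=DNS:%s\nextendedKeyUsage=serverAuth\nbasicConstraints=CA:FALSE\n' \
        "$name" > "$out/server.ext"
    openssl x509 -req -sha256 -days "$DAYS" -in "$out/$name.csr" \
        -CA "$out/ca.pem" -CAkey "$out/ca.key" -CAcreateserial \
        -extfile "$out/server.ext" -out "$out/$name.pem"
    rm -f "$out/$name.csr" "$out/server.ext"

    # 4. Mosquitto: only a TLS listener, no 1883 / 80. The broker gets all
    #    three files; devices get only ca.pem. Use absolute paths on the
    #    real broker, mosquitto resolves relative paths from its own cwd.
    cat > "$out/mosquitto.conf" <<EOF
listener 8883
cafile $out/ca.pem
certfile $out/$name.pem
keyfile $out/$name.key
EOF
}

# $1 certificate file, $2 expected DNS name in the SAN
cert_has_san() {
    openssl x509 -in "$1" -noout -text | grep -q "DNS:$2"
}

# $1 certificate file, $2 maximum validity in days. -checkend exits 0 if
# the certificate is still valid N seconds from now, so "still valid after
# the ceiling" is the failure case.
cert_within_days() {
    ! openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

# Checks before copying: chain verifies against ca.pem, SAN carries the
# broker name, validity is at most 825 days.
check_mqtt_certs() {
    out=$1
    name=$2
    openssl verify -CAfile "$out/ca.pem" "$out/$name.pem" >/dev/null || return 1
    cert_has_san "$out/$name.pem" "$name" || return 1
    cert_within_days "$out/$name.pem" 825
}

# Usage: sh make-mqtt-certs.sh ./certs mqtt.example.test
if [ $# -ge 1 ]; then
    make_mqtt_certs "$1" "${2:-mqtt.example.test}"
    check_mqtt_certs "$1" "${2:-mqtt.example.test}" && echo "OK: files in $1"
fi
```

Once the broker is running with this configuration, `openssl s_client -connect mqtt.example.test:8883 -CAfile ca.pem -verify_hostname mqtt.example.test` should end with "Verify return code: 0 (ok)"; any other code means the device-side installation of ca.pem will fail in the same way.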

Convert certificates:
By default, the tool generates *.pem files.
You can use OpenSSL to convert these *.pem files to other formats.

Example: openssl x509 -outform der -in ca.pem -out ca.cer

Together with the installation of the tool you now have OpenSSL as well.
On a Windows environment, the tool was installed at: C:\Windows\SysWOW64\certmgr
At that location you will find a sub directory for OpenSSL.

Add the full path of that directory to your PATH environment variable and you can run OpenSSL from any location.
​
​
​
​
​