IoT OnOff®
Internet Of Things
Certificates updated on 19 December 2019
The easiest way of working with TLS is buying a server certificate from a known, trusted Certificate Authority (CA).
But if you really want to work with self-created certificates, this guide can help you.
Steps to follow:
- Install a tool to create certificates.
- OpenSSL is one of the most used tools for this.
- During this guide we will use "certmgr", a tool on top of OpenSSL.
- Install the tool from here: (link)
- When you start "certmgr", a command window will open ... and a browser will open with management screens to create certificates.
Create Certificate Database
- The first thing you need to do is create a new database for storing your certificates.
- It is not really a database, it is just a new directory structure.
- On Windows you can find the output under: C:\Users\xxx\.certmgr-db
- For each new database, a sub directory will be created.
- Choose RSA Certificates!
- Name is not important.
- When the database is created, you need to create the CA root certificate.
CA root certificate
- Key Size: minimum 2018 bits
- Signature: sha256
- Days: for iOS, less than 825!
- Other fields are not that important.
- When the CA root is created, you can create the Server certificate.
- Click on "Create Certificate".
Server certificate
- Key Size: minimum 2018 bits
- Signature: sha256
- Days: for iOS, less than 825!
- Common Name needs to be your domain name!
- It does not need to be the name of the host where the broker is running, but the name that you use to access the broker!
- The tool will also copy that name automatically to the Subject Alternative Name; this is required for TLS.
Output should look like this
The following files are important:
- ca.pem => CA root certificate
- my.dns.com.pem => Server certificate
- my.dns.com.key => Server private key
The names of the files will be different, but that does not matter.
- The MQTT broker needs all three files!
- The CA root certificate needs to be installed on your devices!
Install CA root certificate on iPhone:
Steps to follow:
Install CA root certificate
- Copy the CA root certificate to the iPhone via iCloud storage or another storage service (or just send it by mail).
- Double-tap the certificate and follow the instructions.
- Go to Settings > General > Profile > list of certificates.
- Install the pending certificate.
Trust the CA root certificate
- After installing the CA root certificate, the certificate needs to be activated.
- Go to Settings > General > About > Certificate Trust Settings > find your CA root certificate and activate it.
Remark:
There could be different install behavior depending on the version of iOS.
Install CA root certificate on Android:
- Make the CA root certificate available to the mobile device via a storage service or an SD card.
- Double-tap the certificate and follow the instructions.
- The certificate itself can be found at: Settings > Personal: Security & Lock screen > Advanced: Credential storage > Trusted credentials > Users
If you use the Mosquitto broker:
- Copy the three files to the configuration directory.
- Change the configuration file like this:
- This is just an example configuration file for the Mosquitto broker.
- Remove listeners 1883 and 80 if you would like to support TLS only.
Convert certificates:
- By default, the tool generates *.pem files.
- You can use OpenSSL to convert these *.pem files to other formats.
- Example: openssl x509 -outform der -in ca.pem -out ca.cer
- Together with the installation of the tool you will now have OpenSSL as well.
- On a Windows environment, the tool was installed at: C:\Windows\SysWOW64\certmgr
- At that location you will find a sub directory for OpenSSL.
- Add the full path to your environment variables and you can access OpenSSL from any location.
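The script below is an added example and is not code from this page or from the certmgr tool. It reproduces with plain OpenSSL what the guide walks through in the certmgr screens (CA root certificate, server certificate with the broker name in both the Common Name and the Subject Alternative Name, the three files the broker needs), writes a TLS-only Mosquitto listener configuration of the kind the Mosquitto section refers to, and performs the PEM-to-DER conversion from the "Convert certificates" section. The broker name my.dns.com, the 2048-bit RSA key size, the 800-day validity (chosen to stay below the 825-day limit the guide gives for iOS), the port 8883 and the output paths are my assumptions, not values from the page.

```shell
#!/bin/sh
# Added example, not code from the IoT OnOff page or from the certmgr tool.
# Assumed values: broker name my.dns.com, 2048-bit RSA keys, 800-day validity
# (below the 825-day iOS limit given in the guide), Mosquitto on port 8883.
set -eu

make_broker_certs() {
  out="$1"   # output directory
  name="$2"  # DNS name clients use to reach the broker (becomes CN and SAN)
  mkdir -p "$out"

  # Request config for the CA root: self-signed, sha256, marked CA:TRUE
  cat > "$out/ca.cnf" <<EOF
[req]
prompt = no
distinguished_name = dn
x509_extensions = v3_ca
[dn]
CN = Example IoT Root CA
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
  openssl req -x509 -newkey rsa:2048 -sha256 -days 800 -nodes \
    -config "$out/ca.cnf" -keyout "$out/ca.key" -out "$out/ca.pem"

  # Server key and CSR: the Common Name is the broker name, as the guide requires
  cat > "$out/server.cnf" <<EOF
[req]
prompt = no
distinguished_name = dn
[dn]
CN = $name
EOF
  openssl req -new -newkey rsa:2048 -sha256 -nodes \
    -config "$out/server.cnf" -keyout "$out/$name.key" -out "$out/$name.csr"

  # Sign with the CA. The SAN must repeat the name: TLS clients match the
  # hostname against subjectAltName, so a CN alone is not enough.
  cat > "$out/server.ext" <<EOF
subjectAltName = DNS:$name
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
EOF
  openssl x509 -req -sha256 -days 800 -in "$out/$name.csr" \
    -CA "$out/ca.pem" -CAkey "$out/ca.key" -CAcreateserial \
    -extfile "$out/server.ext" -out "$out/$name.pem"

  # DER copy of the root, the conversion the guide shows (ca.cer)
  openssl x509 -outform der -in "$out/ca.pem" -out "$out/ca.cer"

  # Mosquitto listener that speaks TLS only (no 1883/80 listeners); assumed layout
  cat > "$out/mosquitto.conf" <<EOF
listener 8883
cafile $out/ca.pem
certfile $out/$name.pem
keyfile $out/$name.key
tls_version tlsv1.2
require_certificate false
EOF
}

# Exit status 0 when the server certificate chains to ca.pem
verify_broker_cert() {
  openssl verify -CAfile "$1/ca.pem" "$1/$2.pem" >/dev/null
}

# Exit status 0 when the server certificate carries DNS:<name> in its SAN
cert_has_san() {
  openssl x509 -in "$1/$2.pem" -noout -text | grep -q "DNS:$2"
}

# Stand-alone run: sh thisfile.sh run   -> builds ./broker-tls for my.dns.com
if [ "${1:-}" = "run" ]; then
  make_broker_certs ./broker-tls my.dns.com
  verify_broker_cert ./broker-tls my.dns.com && cert_has_san ./broker-tls my.dns.com \
    && echo "certificates OK"
fi
```

The three files the guide lists (ca.pem, my.dns.com.pem, my.dns.com.key) end up in the output directory together with ca.key; only ca.pem goes to the phones, ca.key never leaves the machine that signs certificates. The openssl verify and SAN checks are the two things worth confirming before copying anything to the broker: a certificate that verifies against the CA but lacks the broker name in its SAN will still be rejected by the IoT OnOff client.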