top of page

Protect your communication (SSL / TLS)

v1.0

We received so many questions related to this topic that we have decided to give some high level explanations.

Not the very details, but just enough information to setup a working configuration.

 

We will do this via discussing some frequent used scenario's together with their issues and solutions.

We hope that the above diagram will help you.

Abbreviations:

CA, Certificate authority: is an entity (Company) that issues digital certificates. The CA act as a trusted third party both for the owner and the consumer of a digital certificate.

Domain, Domain name: is a label in the DNS that identifies a network domain: a distinct group of computers.

Certificate, Digital certificate: is an electronic document used to prove the ownership of a public key.

CSR, Certificate Signing Request: is a message sent from an applicant to a certificate authority CA in order to request certificate.

DNS, Domain Name System: is a hierarchical and decentralized naming system for computers, services or other resources connected to the internet or a private network.
It translates more readily memorized domain names to the numerical IP addresses needed for locating and identifying computer services and devices with the underlying network protocols.

SSL, Secured Socket Layer: is a cryptographic protocol designed to provide secured communication over computer networks. Newer version is TLS.

TLS, Transport Layer Security: the TLS protocol aims primarily to provide privacy and data integrity between two or more communicating computer applications. It's new version of SSL. You will see that many system still reference to SSL will using TLS.

WAN, Wide Area Network: mostly used to identify a connection to the internet.

LAN, Local Area Network: is a computer network that interconnects computers within a limited area such as an office building or a home.

NAT, Network Address Translation: is a method of remapping one IP address space into another by modifying network address information in the IP header of packets while they are in transit across a traffic routing device.

Port forwarding: or port mapping is an application of network address translation (NAT) that redirects a communication request from one IP address and port number combination to another while the packets are in transit across a traffic routing device.

Hairpinning:  or NAT loopback, describes a communication between two hosts behind the same NAT device using their mapped endpoint. Is where a device on the LAN is able to access another device on the LAN via the external IP address (WAN) of the LAN/router.

Router: a networking device that forwards (NAT) data packets between computer networks.

SaaS, Software as a Service: is a software licensing and delivery model in which software is licensed on a subscription basis and is centrally hosted.

CLI, Command Line Interface: is a means of interacting with a computer program where the user (or client) issues commands to the program in the form of successive lines of text (command lines).

Scenarios:

MQTT Broker in the cloud (scenario 1)

Base:

MQTT Broker is hosted in the cloud, SaaS

The MQTT Broker has a certificate from a global known CA company.

CA root certificate is normally already available on the mobile device.

 

What you need to do:

On the IoT-OnOff app, configure the broker like specified by the MQTT provider.

 

Challenges:

No problems expected.

MQTT Broker in the datacenter, CA root from company x (scenario 2)

Base:

MQTT Broker is hosted in the datacenter of company x.

The MQTT Broker has a server certificate from the company x own CA.

 

What you need to do:

CA root certificate needs to be installed manually on the mobile devices.

On the IoT-OnOff app, configure the broker like specified by the company.

 

Challenges:

Manual installation and activation of CA root certificate on the mobile device.

MQTT Broker in house or in the office with trusted CA (scenario 3)

Base:

MQTT Broker is hosted in your office or at home.

The MQTT Broker has a server certificate from a global known CA company.

You would like to connect your mobile devices via LAN (WIFI) and or WAN (3G, 4G).

 

What you need to do:

You will need to configure port forwarding in your router.

Install \ configure the server certificate on MQTT Broker.

On the IoT-OnOff app do NOT use the Hostname or IP address of the computer where the MQTT broker is installed.

Use the Common Name (CN) from the server certificate!

On the IoT-OnOff app use the public port that is configured in the router. (port forwarding)

 

Challenges:

Your internet provider works with dynamic IP addresses, you need to configure a DDNS.

Be sure that you request a certificate with a Common Name (CN) that is equal to the DNS or DDNS name.

Some routers / firewalls could have an issue with Hairpinning / NAT loopback. (If so check the different solutions)

You need to know how to configure port forwarding in your router.

MQTT Broker in house or in the office with your own CA (scenario 4)

Base:

Same as scenario 3.

You have created your own CA root certificate. (link)

 

What you need to do:

Same as scenario 3.

CA root certificate needs to be installed manually on the mobile devices.

 

Challenges:

Same as scenario 3.

Manual installation and activation of CA root certificate on the mobile device.

Solutions for common issues:

Hairpinning / NAT Loopback:

Some firewalls routers have native support for this via the user interface or via CLI.

Alternatively you can use a DNS server on your LAN to link the Common Name (CN) of the certificate to the local IP of the MQTT Broker.

Some firewalls / routers have an in build DNS server where you can configure local DNS settings via the user interface or via CLI.

If you firewall / router does not support your own DNS configuration, you can run your own DNS server on the LAN.

  • If you have a NAS like QNAP or Synology, you can run a Docker container for this.

  • If you use your own DNS, configure the IP-addresses in the configuration of your DHCP server.

Install CA root certificate on iPhone:

From IOS 13, there are new special requirements for trusted certificates! (Link)

  • RSA key should be greater or equal as 2048 bits.

  • Hash algorithm from SHA-2 family. (SHA-1 no longer trusted)

  • Server certificate, DNS names should be listed in Subject Alternative Name. (CommonName no longer trusted)

  • New certificates (after July 2019)

    • ExtendedKeyUsage (EKU) extension containing the id-kp-serverAuth OID.​

    • Validity period of max 825 days.

Steps to follow:

  1. Install CA root certificate

  • Copy the CA root certificate to iPhone via iCloud storage or another storage service. (Or just send a mail)

  • Double touch the certificate and follow the instruction.

  • Go to settings > General > Profile > list of certificates.

    • Install pending certificate.​

  1. Trust the CA root certificate​

  • After installing the CA root certificate, the certificate needs to be activated.

  • Go to Settings > General > About > Certificate Trust Settings > Find your CA root certificate and activate it.

Remark:

There could be different install behavior depending the version of IOS.

 

Install CA root certificate on Android:

Make the CA root certificate available for the mobile device via a storage service or an SD-card.

Double touch the certificate and follow the instruction.

The certificate itself can be found at:

Go to settings > Personal: Security & Lock screen > Advanced: Credential storage > Trusted credentials > Users

Configure DDNS:

When you have a variable WAN IP address, you can activate one of the available DDNS services.

Check your router / firewall first. Most of them have build-in support for one ore more of the available DDNS providers.

If your router / firewall does not support DDNS, you need to install an DDNS agent of the provider.

This agent will notify the provider when the WAN IP address is changed.

When you request or create the server certificate, the Common Name needs to be equal to the new created Domain name of your DDNS provider.

 

Configure Port Forwarding:

When your Broker is installed at your home or office and you would like to allow remote connections, you will need to configure port forwarding in your router / firewall. Most routers can be configured with a build-in management web site.

Interesting links:

bottom of page